是否可以在XMLHTTPRequest中使用Digest-Authentication? [英] Is it possible to use Digest-Authentication with a XMLHTTPRequest?
问题描述
我有一个简单的问题:是否可以在XMLHTTPRequest中使用Digest-Authentication?
如果答案是否定的,那么技术原因是什么?或者如果有可能 - 我该怎么做?
非常感谢...到目前为止谷歌还没有很好的答案: - /
编辑:
感谢您的回答。在收到一个nonce后,修改标题以匹配摘要认证方案似乎是一个解决方案。
但我真正想要的是我可以更改我当前的调用:xmlhttp.open(GET,url,false,用户名,密码);
到某事。就像那个xmlhttp.open(GET,url,false,用户名,密码,DIGEST);
这也是我最初问题的一部分:为什么打开-method不提供制作摘要请求的选项?
也许有js-lib可以推荐让我这样做 - 正如你想象的那样我没有我真的想把一个简单的xmlhttp.open更改为多个请求并首先得到一个nonce。
你可以做到没有问题。只需按照您想要的规格部分进行操作;)
http://tools.ietf.org/ html / rfc2617
并且您将缺少开始编写身份验证库
http://pajhome.org.uk/crypt/md5/
在客户端。
交换前的用户名和密码
嘿我想验证---->服务器
好的,这里是一个nonce / salt ----> client
这里是我的用户名密码时间戳和盐的md5哈希值----->服务器
我刚刚烦你的密码和用户名与您的方式相同,并且它们是相同的----->客户端
这些是它的基础知识。
我遗漏了你需要在hashsum中包含所请求资源的URI !!!!
当然你做的对于向服务器发送资源的每一个请求都是如此,某个拦截哈希的人只能查看您请求的内容,并且无法请求其他资源。此方法不保护数据只是访问它。 / p>
I have a simple question: Is it possible to use Digest-Authentication with a XMLHTTPRequest?
If the answer is no, what's the technical reason? Or if it is possible - how can I do that?
Thanks a lot … google has no good answer so far :-/
EDIT:
Thanks for the answers. Modifying the header to match the digest authentication-scheme, after a nonce has been received, seems to be a solution.
But what I was really looking for was that I could change my current call: xmlhttp.open("GET", url, false, username, password); to sth. like that xmlhttp.open("GET", url, false, username, password, "DIGEST");
That’s also part of my initial question: Why does the open-method not offer the option to make a digest-request?
Maybe there is js-lib one could recommend that lets me do that - as you imagine I don't really want to change the one and simple xmlhttp.open to multiple requests and first get a nonce.
You can do it no problem. Just follow the parts of the specs you feel like ;)
http://tools.ietf.org/html/rfc2617
and is all you are missing to start writing your authentication library
http://pajhome.org.uk/crypt/md5/
on the client side.
pre-exchange user name and password
Hey I want to authenticate ----> server
Ok here is a nonce/salt ----> client
here is a md5 hash sum of my username password timestamp and the salt -----> server
I just hased up your password and username the same way you did and they are the same ----->client
Those are the basics of it.
I left out that you need to include the URI of the requested resource in the hashsum!!!!
Of course you do this with every request you make for a resource to the server that way some one intercepting the hash could only view the content you requested and could not make a request for a miscellaneous resource.This method does not secure the data just access to it.
这篇关于是否可以在XMLHTTPRequest中使用Digest-Authentication?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!