HTTP Basic Authentication - what's the expected web browser experience?

后端 未结 6 1944
孤城傲影
孤城傲影 2020-12-12 11:34

When a server allows access via Basic HTTP Authentication, what is the experience expected to be in a web browser?

Ignoring the web browser for a mo

相关标签:
6条回答
  • 2020-12-12 11:58

    If there are no credentials provided in the request headers, the following is the minimum response required for IE to prompt the user for credentials and resubmit the request.

    Response.Clear();
    Response.StatusCode = (Int32)HttpStatusCode.Unauthorized;
    Response.AddHeader("WWW-Authenticate", "Basic");
    
    0 讨论(0)
  • 2020-12-12 12:07

    Have you tried ?

    curl somesite.com --user username:password
    
    0 讨论(0)
  • 2020-12-12 12:13

    To help everyone avoid confusion, I will reformulate the question in two parts.

    First : "how can make an authenticated HTTP request with a browser, using BASIC auth?".

    In the browser you can do a http basic auth first by waiting the prompt to come, or by editing the URL if you follow this format: http://myusername:mypassword@somesite.com

    NB: the curl command mentionned in the question is perfectly fine, if you have a command-line and curl installed. ;)

    References:

    • https://en.wikipedia.org/wiki/Basic_access_authentication#URL_encoding
    • https://en.wikipedia.org/wiki/Uniform_Resource_Locator#Syntax
    • https://tools.ietf.org/html/rfc3986#page-18

    Also according to the CURL manual page https://curl.haxx.se/docs/manual.html

    HTTP
    
      Curl also supports user and password in HTTP URLs, thus you can pick a file
      like:
    
          curl http://name:passwd@machine.domain/full/path/to/file
    
      or specify user and password separately like in
    
          curl -u name:passwd http://machine.domain/full/path/to/file
    
      HTTP offers many different methods of authentication and curl supports
      several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
      method to use, curl defaults to Basic. You can also ask curl to pick the
      most secure ones out of the ones that the server accepts for the given URL,
      by using --anyauth.
    
      NOTE! According to the URL specification, HTTP URLs can not contain a user
      and password, so that style will not work when using curl via a proxy, even
      though curl allows it at other times. When using a proxy, you _must_ use
      the -u style for user and password.
    

    The second and real question is "However, on somesite.com, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?"

    The curl documentation says the -u option supports many method of authentication, Basic being the default.

    0 讨论(0)
  • 2020-12-12 12:15

    You can use Postman a plugin for chrome. It gives the ability to choose the authentication type you need for each of the requests. In that menu you can configure user and password. Postman will automatically translate the config to a authentication header that will be sent with your request.

    0 讨论(0)
  • 2020-12-12 12:19

    You might have old invalid username/password cached in your browser. Try clearing them and check again.

    If you are using IE and somesite.com is in your Intranet security zone, IE may be sending your windows credentials automatically.

    0 讨论(0)
  • 2020-12-12 12:19

    WWW-Authenticate header

    You may also get this if the server is sending a 401 response code but not setting the WWW-Authenticate header correctly - I should know, I've just fixed that in out own code because VB apps weren't popping up the authentication prompt.

    0 讨论(0)
提交回复
热议问题