www-authenticate

Is there a way to work around RatpackPac4j#requireAuth not setting the WWW-Authenticate header?

回眸只為那壹抹淺笑 submitted on 2020-01-06 07:15:22
Question: When testing Pac4j (2.x) authentication in the context of a Ratpack (1.5.x) app, I find that when I use this handler: all RatpackPac4j.requireAuth(HeaderClient) ... unauthorised requests get rejected correctly with a 401 status, and RFC 7235 states that a WWW-Authenticate header should be added, and it is not. I raised an issue on the RatpackPac4j tracker here, but it was closed as (I infer) "won't fix" since Pac4j v3 implements this properly. And RatpackPac4j has not been upgraded to work

WWW-Authenticate uses NTLM and not Kerberos

元气小坏坏 submitted on 2019-12-30 15:00:22
Question: I'm running a NodeJS server on a Windows Server 2008. The server doesn't do much, but I set the header for 401, WWW-Authenticate Negotiation, which I know can go either with its default Kerberos authentication or, if that's not available, with NTLM. I downloaded Fiddler and discovered that when I try to reach the server it tries to authenticate with NTLM (prompts me for username and password) rather than Kerberos, even though the computer is in the same domain as the server and when I do run the

Logging a user out when using HTTP Basic authentication

南笙酒味 submitted on 2019-12-17 10:34:18
Question: I want users to be able to log in via HTTP Basic authentication modes. The problem is that I also want them to be able to log out again; weirdly, browsers just don't seem to support that. This is considered to be a social-hacking risk: a user leaves their machine unlocked and their browser open, and someone else can easily visit the site as them. Note that just closing the browser tab is not enough to reset the token, so it could be an easy thing for users to miss. So I've come up with a

After remove the www extension from addressbar session not working

余生颓废 submitted on 2019-12-13 09:18:31
Question: After logging in at this URL, www.example.com, if I remove the www prefix from the address bar, the login details are not kept by the session.
Answer 1: Try creating a redirect function from non-www to www. See this topic: WWW to non-WWW Redirect with PHP
Answer 2: Your session is maintained by a cookie. When you log on to www.example.com, a cookie is saved for this domain by default, which is presented with every request to a URL in this domain. example.com is a different cookie domain, and the cookie won
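Answer 2's point, as an added example that is not part of the original thread: a cookie set by www.example.com without a Domain attribute is host-only, so the browser never sends it to example.com, while Domain=example.com makes it apply to the bare host and every subdomain. The functions below implement the RFC 6265 domain-match rules and Answer 1's fix (redirect every request to one canonical host so the host-only session cookie always applies). Names such as cookieSentTo and canonicalRedirect are hypothetical; the public-suffix check a real browser also performs is omitted.

```javascript
// RFC 6265 section 5.1.3: host domain-matches a cookie domain when it is equal
// to it, or ends with "." + domain and is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// Domain attribute of a Set-Cookie header (leading dot ignored, as browsers do);
// undefined means the cookie is host-only.
function cookieDomain(setCookie) {
  const m = /;\s*domain=\.?([^;\s]+)/i.exec(setCookie);
  return m ? m[1].toLowerCase() : undefined;
}

// Would a cookie set by a response from `originHost` with header `setCookie`
// be sent on a later request to `requestHost`?
function cookieSentTo(originHost, setCookie, requestHost) {
  const d = cookieDomain(setCookie);
  if (d === undefined) {
    // Host-only cookie (the www.example.com login case): exact host only.
    return requestHost.toLowerCase() === originHost.toLowerCase();
  }
  // A Domain the setting host does not itself match is rejected outright.
  if (!domainMatches(originHost, d)) return false;
  return domainMatches(requestHost, d);
}

// Server-side fix from Answer 1: canonicalize to one host. Returns the redirect
// response to send, or null when the request already uses the canonical host.
// `req` is a plain {headers:{host}, url} object so this runs without sockets.
function canonicalRedirect(req, canonicalHost = 'www.example.com') {
  const host = (req.headers.host || '').toLowerCase();
  if (host === canonicalHost) return null;
  return { status: 301, headers: { Location: 'https://' + canonicalHost + req.url } };
}
```

Widening the cookie with Domain=example.com also hands it to every other subdomain (api., dev., a forgotten test host), so the redirect is the safer fix; a cookie named with the `__Host-` prefix cannot carry a Domain attribute at all, which enforces that choice in the browser.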

Returning HTTP 401 status for AJAX responses without WWW-Authenticate

a 夏天 submitted on 2019-12-09 14:47:49
Question: Is it OK to return an HTTP 401 status for a response to an AJAX call if you wish to convey that the user is not logged in, even though the login mechanism is form-based and not HTTP-based (Basic, Digest, etc.)? The answer here suggests that 401 should be used: https://stackoverflow.com/a/6937030/2891365 And this post shows an actual example of someone using 401 for an AJAX response: http://www.bennadel.com/blog/2228-some-thoughts-on-handling-401-unauthorized-errors-with-jquery.htm However,

How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

China☆狼群 submitted on 2019-11-28 18:47:01
I am programming a client application in .Net that communicates with a server via HTTP. I need to set different request buffering options in case of NTLM and Kerberos authorization. How to find out if NTLM or Kerberos is used? Is it possible to somehow decode the 'WWW-Authenticate: Negotiate' header?
You will find the answer here. Short answer is:
1. Capture some successfully authorized request using the Fiddler tool.
2. Choose "Inspectors" -> "Headers" tab.
3. Pay attention to the "Cookies / Login" section, "Authorization" header. If the Authorization token begins with "YII" then Kerberos is used, but if it

Logging a user out when using HTTP Basic authentication

左心房为你撑大大i submitted on 2019-11-27 11:56:41
I want users to be able to log in via HTTP Basic authentication modes. The problem is that I also want them to be able to log out again; weirdly, browsers just don't seem to support that. This is considered to be a social-hacking risk: a user leaves their machine unlocked and their browser open, and someone else can easily visit the site as them. Note that just closing the browser tab is not enough to reset the token, so it could be an easy thing for users to miss. So I've come up with a workaround, but it's a total kludge: 1) Redirect them to a Logoff page 2) On that page fire a script to ajax

How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

吃可爱长大的小学妹 submitted on 2019-11-27 11:38:52
Question: I am programming a client application in .Net that communicates with a server via HTTP. I need to set different request buffering options in case of NTLM and Kerberos authorization. How to find out if NTLM or Kerberos is used? Is it possible to somehow decode the 'WWW-Authenticate: Negotiate' header?
Answer 1: You will find the answer here. Short answer is:
1. Capture some successfully authorized request using the Fiddler tool.
2. Choose "Inspectors" -> "Headers" tab.
3. Pay attention to the "Cookies / Login" section,
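The "YII" test in the answer above (and in the same question earlier on this page, plus the NodeJS Negotiate question) is a heuristic: "YII" is just the base64 of the bytes 0x60 0x82, i.e. a GSS-API InitialContextToken whose length needs two bytes, which is what a Kerberos ticket looks like, while a bare NTLM message under the Negotiate scheme starts with "NTLMSSP\0" and base64-encodes to "TlRMTVNTUAA...". NTLM can also be carried inside a SPNEGO wrapper, and then the token starts with "Y" too. The added example below, not code from the thread, decodes the Authorization value and looks at the mechanism OIDs instead; classifyNegotiate and the sample-token builders are hypothetical names, and the sample tokens are constructed (valid DER structure, no real ticket or challenge).

```javascript
// DER content bytes of the OIDs that matter here (tag 0x06 and length added by oid()).
const OID = {
  SPNEGO:  Buffer.from([0x2b, 0x06, 0x01, 0x05, 0x05, 0x02]),                         // 1.3.6.1.5.5.2
  KRB5:    Buffer.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02]),       // 1.2.840.113554.1.2.2
  MS_KRB5: Buffer.from([0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02]),       // 1.2.840.48018.1.2.2
  NTLMSSP: Buffer.from([0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a]), // 1.3.6.1.4.1.311.2.2.10
};

// Minimal DER TLV encoder (lengths up to 65535), enough to build the sample tokens.
function der(tag, ...parts) {
  const body = Buffer.concat(parts);
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}
const oid = (bytes) => der(0x06, bytes);

// Classify the value of an "Authorization: Negotiate <token>" request header.
function classifyNegotiate(authorization) {
  const m = /^Negotiate\s+([A-Za-z0-9+\/=]+)$/i.exec((authorization || '').trim());
  if (!m) return 'not-negotiate';
  const tok = Buffer.from(m[1], 'base64');

  // Raw NTLMSSP message under the Negotiate scheme (no SPNEGO wrapper).
  if (tok.subarray(0, 8).equals(Buffer.from('NTLMSSP\0', 'latin1'))) return 'NTLM';

  // Anything else must be a GSS-API InitialContextToken: [APPLICATION 0] = 0x60.
  if (tok[0] !== 0x60) return 'unknown';

  // Take the first mechanism OID that appears. In a SPNEGO NegTokenInit the
  // mechTypes list comes first and its first entry is the mechanism the
  // optimistic mechToken belongs to; in a bare Kerberos token the KRB5 OID
  // follows the header directly.
  const hits = [
    ['Kerberos', tok.indexOf(oid(OID.KRB5))],
    ['Kerberos', tok.indexOf(oid(OID.MS_KRB5))],
    ['NTLM',     tok.indexOf(oid(OID.NTLMSSP))],
  ].filter(([, i]) => i >= 0).sort((a, b) => a[1] - b[1]);
  return hits.length ? hits[0][0] : 'unknown';
}

// --- Constructed sample tokens: correct structure, no real credentials. ---

// NTLM NEGOTIATE_MESSAGE (Type 1) skeleton: signature, MessageType=1, flags,
// empty DomainName and Workstation fields.
function sampleRawNtlm() {
  return Buffer.concat([
    Buffer.from('NTLMSSP\0', 'latin1'),
    Buffer.from([0x01, 0x00, 0x00, 0x00]),
    Buffer.from([0x07, 0x82, 0x08, 0xa2]),
    Buffer.alloc(16),
  ]);
}

// SPNEGO NegTokenInit advertising `mechs` in order, with `mechToken` as the
// optimistic token (a 300-byte filler by default, so the result is long enough
// to start with "YII" like a real Kerberos AP-REQ would).
function sampleSpnego(mechs, mechToken = Buffer.alloc(300)) {
  const mechTypes = der(0x30, ...mechs.map(oid));
  const negTokenInit = der(0x30, der(0xa0, mechTypes), der(0xa2, der(0x04, mechToken)));
  return der(0x60, oid(OID.SPNEGO), der(0xa0, negTokenInit));
}
```

On the capture side nothing changes: copy the Authorization header Fiddler shows and feed it to classifyNegotiate. The server's own WWW-Authenticate: Negotiate challenge carries no token on the first round trip, so the mechanism can only be read from the client's Authorization header (or from the server's subsequent WWW-Authenticate: Negotiate <token> response).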