HTTP Authentication - WWW-Authenticate header - multiple realms

Submitted by 孤者浪人 on 2019-12-30 08:01:58

Question


Does anyone have any experience of supporting multiple realms in HTTP Authentication?

The Microsoft website states:

Each authenticate response header contains an available authentication scheme and a realm. If multiple authentication schemes are supported, the server returns multiple authenticate response headers. The realm value is case-sensitive and defines a protection space on the proxy or server. For example, the header "WWW-Authenticate: Basic Realm="example"" would be an example of a header returned when server authentication is required.

This suggests that different areas of a website can be secured using different authentication methods. What we are confused about is how to determine what realm should be stated in the server response to a client request.

Does anyone have any examples of how multiple realms work?


Answer 1:


The HTTP specification allows for multiple WWW-Authenticate challenges to be present in a response, either within the same WWW-Authenticate header or using multiple WWW-Authenticate headers within the same response.

There are problems associated with this, as described in RFC 2617, section 4.6. In theory, the client must choose the strongest authentication mechanism available; however, defining which one is the strongest is not always obvious.

I've never tried with multiple realms (and the same scheme, for example Basic), but I'm not aware of anything disallowing it. The main problem with multiple realms and the same scheme is that the browser is likely to be confused in terms of user-interface, in particular which realm it challenges the user with.




Answer 2:


I have one good example using multiple authenticate headers when using a SharePoint site. SharePoint offers both Negotiate and NTLM when connecting first.

Firefox chooses NTLM but Chrome chooses Negotiate.

It is also a consequence that Chrome will always send the Authorization header along with the other requests, but Firefox only at the beginning, because of the NTLM challenge-response protocol. See here for more explanation: http://www.innovation.ch/personal/ronald/ntlm.html
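To make the behaviour described in Answer 1 (several challenges in one WWW-Authenticate header or spread over several headers, client picks the strongest scheme it understands) and Answer 2 (a SharePoint-style "Negotiate, NTLM" pair, from which different browsers pick differently) concrete, here is an added client-side example. It is not code from either answer or from any browser; it parses the challenge list per the RFC 2617 / RFC 7235 grammar and then applies a preference order. The preference order `SCHEME_STRENGTH` and the `SAMPLE_HEADERS` response are assumptions constructed for this example; the RFC says the client should prefer the strongest scheme but does not rank them, so a real client would substitute its own policy.

```python
"""Parse WWW-Authenticate challenges (one or several per header value, one or
several header values) and choose the strongest scheme the client supports.
Example code; SCHEME_STRENGTH and SAMPLE_HEADERS are constructed assumptions."""
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]  # (auth-scheme, auth-params)

# Client preference, strongest first. RFC 2617 4.6 asks the client to use the
# strongest scheme it understands without ranking them; this order is assumed.
SCHEME_STRENGTH = ["negotiate", "ntlm", "digest", "basic"]

TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
# name=value where value is a quoted-string or a token (token chars exclude '=')
_PARAM = re.compile(rf'^({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))$')
_SCHEME_THEN_REST = re.compile(rf"^({TOKEN})\s+(.+)$")
_BARE_TOKEN = re.compile(rf"^{TOKEN}$")


def _split_commas(value: str) -> List[str]:
    """Split a header value on commas that are outside quoted-strings."""
    parts: List[str] = []
    buf: List[str] = []
    in_quote = escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _param(piece: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) if `piece` is a single auth-param, else None."""
    m = _PARAM.match(piece)
    if not m:
        return None
    name, quoted, bare = m.groups()
    value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    return name.lower(), value


def parse_www_authenticate(header_values: List[str]) -> List[Challenge]:
    """Return every challenge, in header order, across all header values."""
    challenges: List[Challenge] = []
    for value in header_values:
        for piece in _split_commas(value):
            param = _param(piece)
            if param and challenges:
                # a bare "qop=auth" continues the challenge that precedes it
                challenges[-1][1][param[0]] = param[1]
                continue
            m = _SCHEME_THEN_REST.match(piece)
            if m:
                scheme, rest = m.groups()
                first = _param(rest)
                params = {first[0]: first[1]} if first else {"token68": rest}
                challenges.append((scheme, params))
            elif _BARE_TOKEN.match(piece):
                challenges.append((piece, {}))  # e.g. "Negotiate" or "NTLM"
            else:
                raise ValueError(f"malformed challenge: {piece!r}")
    return challenges


def choose_challenge(challenges: List[Challenge],
                     preference: List[str] = SCHEME_STRENGTH) -> Optional[Challenge]:
    """Pick the challenge ranked highest in `preference`; None if none is supported."""
    rank = {s: i for i, s in enumerate(preference)}
    usable = [c for c in challenges if c[0].lower() in rank]
    return min(usable, key=lambda c: rank[c[0].lower()]) if usable else None


def realms_for(challenges: List[Challenge], scheme: str) -> List[str]:
    """All realms offered under one scheme (the multiple-realms, same-scheme case)."""
    return [p["realm"] for s, p in challenges
            if s.lower() == scheme.lower() and "realm" in p]


# Constructed sample: three WWW-Authenticate header values from one 401 response.
SAMPLE_HEADERS = [
    "Negotiate, NTLM",                                               # two schemes, one header
    'Digest realm="api", qop="auth", nonce="abc123"',                # one scheme, several params
    'Basic realm="reports", charset="UTF-8", Basic realm="admin"',   # two realms, same scheme
]

if __name__ == "__main__":
    parsed = parse_www_authenticate(SAMPLE_HEADERS)
    for scheme, params in parsed:
        print(scheme, params)
    print("client answers:", choose_challenge(parsed))
    print("Basic realms offered:", realms_for(parsed, "Basic"))
```

The parser's one real decision is whether a comma-separated piece starts a new challenge or continues the previous one: `charset="UTF-8"` on its own is a parameter, `Basic realm="admin"` is a new challenge, and `NTLM` alone is a challenge with no parameters. That ambiguity is exactly why RFC 2617 warns about lists of challenges, and why a server is safer emitting one challenge per header line than packing several into one value.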



Source: https://stackoverflow.com/questions/3576197/http-authentication-www-authenticate-header-multiple-realms
