Basic http authentication and remove the prepend text username:password@ from the static content (i.e. image/js/css) URL
I have a site where the user needs to pass HTTP basic authentication prior to accessing the URL, let's say www.mybasicauthurl.com.

Basic authentication can be passed in either way:

1. Browse the URL and enter the username and password in the pop-up, if not done already.
2. Access the URL as: username:password@www.mybasicauthurl.com

Now I use approach #2 and supply the basic auth credentials via the URL itself. This works fine and I am able to see the legitimate web page, but when I open Firebug and look at all the loaded static files, it shows me something like

http://username:password@www.mybasicauthurl.com/static/jquery/jquery.js
http://username:password@www.mybasicauthurl.com/static/css/styles.css
http://username:password@www.mybasicauthurl.com/static/image/image1.png

Please note the prepended text username:password@ in the URL. I don't want that; I just want these static files to be loaded normally, like

http://www.mybasicauthurl.com/static/css/styles.css

I don't know if this is something done by the browser or the Apache server. It would be appreciated even if you share some useful link that I missed on Google.

If you want to avoid HTTP auth on static resources, the best thing to do is to remove it server-side. That means static resources would be available without authentication, but if nothing important is present in the static resources, that's good. Should be something like this:

# Apache < 2.4
<Location /static>
Satisfy Any
Allow from all
</Location>
# Apache >= 2.4
<Location /static>
Require all granted
</Location>

Another point. If the thing you do not like is the presence of username:password in the HTML source, that's effectively quite bad, and depending on the browser version it may or may not be supported (it tends to be removed). That's clear-text information; it could be intercepted or stored in the browser cache.

But you are also using http:// and not https://, and this is even worse. The username:password is transmitted in clear text for each request of the browser; everybody can read this information!

When using Basic HTTP Authentication you must use HTTPS. Credentials are transmitted with a simple base64 encoding; it's just an ascii-7-trick encoding (like utf-8 is an encoding). So if you want to protect this username/password information you will also need HTTPS.
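
An added example, not part of the original question or answer: it shows, with the WHATWG URL parser as implemented in Node.js, that a relative static path resolved against a page URL carrying userinfo inherits `username:password@`, and that the resulting Basic header is trivially reversible. The function names are illustrative, and the host and credentials are the question's placeholders.

```javascript
// Added illustration; host and credentials are the question's placeholders.
const PAGE_URL = 'http://username:password@www.mybasicauthurl.com/';

// Resolve a page-relative reference the way the WHATWG URL parser does:
// a reference without its own authority inherits the base URL's userinfo.
function resolveAgainstPage(ref, pageUrl = PAGE_URL) {
  return new URL(ref, pageUrl).href;
}

// Build the Authorization header value that Basic auth derives from userinfo.
function basicHeaderFromUrl(urlString) {
  const u = new URL(urlString);
  const pair = `${decodeURIComponent(u.username)}:${decodeURIComponent(u.password)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Anyone who sees the header can reverse it: base64 is an encoding, not encryption.
function decodeBasicHeader(headerValue) {
  const [scheme, token] = headerValue.split(' ');
  if (scheme !== 'Basic' || !token) throw new Error('not a Basic header');
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':'; the password may contain more
  if (sep < 0) throw new Error('malformed Basic credentials');
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Return the URL without userinfo, e.g. before logging it or writing it into HTML.
function stripCredentials(urlString) {
  const u = new URL(urlString);
  u.username = '';
  u.password = '';
  return u.href;
}

const resolved = resolveAgainstPage('/static/css/styles.css');
const header = basicHeaderFromUrl(resolved);
console.log(resolved);                       // userinfo carried over from the page URL
console.log(header, decodeBasicHeader(header));
console.log(stripCredentials(resolved));     // the form the question wants to see
```
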