基本的HTTP身份验证,并从静态内容(即image / js / css)网址中删除前缀文本username:password @
[英]Basic http authentication and remove the prepend text username:password@ from the Static content (i.e image/js/css) url
问题描述
I have site where user need to get http basic authentication prior to access the url lets say www.mybasicauthurl.com . 
我有一个站点,用户在访问URL之前需要获得http基本身份验证,然后说www.mybasicauthurl.com 。 Basic authentication can be passed in either way 基本身份验证可以通过两种方式传递
Browse the url and enter the username, password on the pop-up if not done already.
浏览URL,然后在弹出窗口中输入用户名和密码(如果尚未输入)。 Access the url as: username:password@www.mybasicauthurl.com
以以下网址访问该网址:username:password@www.mybasicauthurl.com
Now I use approach #2 supply the basic auth credential via url itself. 现在,我使用方法2通过url本身提供基本的身份验证凭据。 This works fine and I can able to see the legitimate web page but When I open firebug and see the all loaded static files it shows me something like 这可以正常工作,并且我能够看到合法的网页,但是当我打开firebug并查看所有已加载的静态文件时,它显示出类似以下内容
http://username:password@www.mybasicauthurl.com/static/jquery/jquery.js
http://username:password@www.mybasicauthurl.com/static/css/styles.css
http://username:password@www.mybasicauthurl.com/static/image/image1.png
Please note the prepend text username:password@ in the url. 请注意网址中的前置文本username:password@ 。 I don't want that I just want these static files to be loaded normally like 我不希望我只想像这样正常加载这些静态文件
http://www.mybasicauthurl.com/static/css/styles.css
I don't know if this is something done by the browser or apache server. 我不知道这是由browser还是apache服务器完成的。 Would be appreciated even if share some useful link that I missed to google. 即使分享一些我错过的有用链接到Google,也将不胜感激。
1 个解决方案
解决方案1
0 2016-08-26 15:04:46
If you want to avoid HTTP auth on static resources, the best thing to do is to remove it server-side . 如果要避免对静态资源进行HTTP身份验证,最好的办法是在服务器端将其删除。
That means static resources would ba available without authentication, but if nothing important is present in the static resources, that's good. 这意味着静态资源无需身份验证即可使用,但是如果静态资源中不存在任何重要内容,那就很好。
Should be something like that: 应该是这样的:
# Apache < 2.4
<Location /static>
Satisfy Any
Allow from all
</Location>
# Apache >= 2.4
<Location /static>
Require all granted
</Location>
Another point . 还有一点 。 If the thing you do not like is the presence of username:password in the HTML source, that's effectively quite bad, and depending on the browsers versions it may or may not be supported (tends to be removed). 如果您不喜欢HTML源代码中存在username:password ,那实际上是非常糟糕的,并且视浏览器版本而定,它可能会或可能不受支持(倾向于删除)。 That's a clear text information, could be intercepted or stored on the browser cache. 这是纯文本信息,可以被拦截或存储在浏览器缓存中。 But you are also using http:// and not https:// and this is even worse. 但是您也使用的是http://而不是https:// ,这甚至更糟。 The username:password is transmitted in clear text for each request of the browser , everybody can read this information! 用户名:密码 以明文形式发送给浏览器的每个请求 ,每个人都可以阅读该信息!
When using Basic HTTP Authentification you must use HTTPS. 使用基本HTTP身份验证时, 必须使用HTTPS。 Credentials are transmitted with a simple base64 encoding , it's just an ascii-7-trick encoding (like utf-8 is an encoding). 凭证使用简单的base64 编码传输,这只是一个ascii-7技巧编码(例如utf-8是一种编码)。 So if you want to protect this username/password information you will also need HTTPS. 因此,如果您想保护此用户名/密码信息,则还需要HTTPS。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.