
HTTP Authorization header consistency in requests

The HTTP specification says:

HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" [43]. If a request is authenticated and a realm specified, the same credentials SHOULD be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, such as credentials that vary according to a challenge value or using synchronized clocks).

I don't really understand what this means, but here is my scenario; is there anything against the HTTP spec here? I use a Java REST service.

  • Client sends username:password in the HTTP Authorization header using HTTP Basic
  • Server sends back a token
  • Now the client sends a custom authorization token instead of the password for further requests, still in the HTTP Authorization header, still using HTTP Basic: username:token

Now this does not feel right, since what I am really doing with the auth token is NOT an actual HTTP Basic authorization. Also, usage of the very same header is inconsistent between requests.

But on the other hand I do not want to create yet another custom header for the token exchange, because it's hard to base64-encode them with test tools when you use a custom header. And headers would still be inconsistent between requests.

Note: these requests refer to different endpoints.

What do you advise?

If you do that, since you are using the same headers, aren't you going to need server-side logic to differentiate when the login is the actual login, as opposed to your token? At the end of the day, HTTP Authorization is already a token (only a simple encoded version of the username/password string), so in all cases you are receiving a token; now you have to decode it, decide if it's one of your session tokens or if it's a username/password, and therefore check against two sources of "good tokens".

I would advise against this, but not because you're breaking standards; it just feels convoluted.

Why do you need to change username/password to a token in the first place? Are you redirecting to an endpoint where you no longer require HTTP Basic Auth?
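The exchange the question describes (Basic username:password to obtain a token, then Basic username:token on later requests) and the server-side "two sources of good tokens" check the answer points out, as an added example in Python. This is not code from the original post or from the asker's Java service; the user store, the PBKDF2 parameters, the token format and the in-memory token table are all assumptions made for illustration. It shows the decode-then-decide step the answer describes, and the two security details a practitioner would want in it: the password is only ever compared as a hash, and both the token and the password check use a constant-time comparison so the Basic credential cannot be distinguished or recovered by timing.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed user store for the example: password hashes only, never plaintext.
# Salt and iteration count are illustrative assumptions, not recommendations.
_SALT = b"demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse")}

# Issued session tokens, keyed by username -> set of SHA-256 digests of the token.
# Storing only the digest means a leak of this table does not leak live sessions.
ISSUED_TOKENS: dict = {}


def basic_header(user: str, secret: str) -> str:
    """Build the client-side header: 'Basic base64(user:secret)'."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (user, secret); None if malformed.

    The secret is everything after the first ':', so it may itself contain ':'.
    """
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, secret = decoded.partition(":")
    if not sep or not user:
        return None
    return user, secret


def login(header: str) -> Optional[str]:
    """Steps 1 and 2 of the question: verify username:password and issue a token."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    user, password = parsed
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS.setdefault(user, set()).add(hashlib.sha256(token.encode("utf-8")).digest())
    return token


def authenticate(header: str) -> Optional[str]:
    """Step 3: the Basic secret may be a session token or the password.

    This is the server-side dispatch the answer says you end up needing:
    decode the header, then check the secret against both sources. Returns the
    authenticated username or None.
    """
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    user, secret = parsed

    # Source 1: issued tokens. Compare digests in constant time.
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    for issued in ISSUED_TOKENS.get(user, ()):
        if hmac.compare_digest(issued, digest):
            return user

    # Source 2: the real password, since the same header shape is used for both.
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected, _hash_password(secret)):
        return user
    return None


if __name__ == "__main__":
    token = login(basic_header("alice", "correct horse"))
    print("issued token:", token)
    print("token request ->", authenticate(basic_header("alice", token)))
    print("password request ->", authenticate(basic_header("alice", "correct horse")))
    print("bad secret ->", authenticate(basic_header("alice", "nope")))
```

The `authenticate` function is the cost the answer is pointing at: every protected endpoint has to try the token table first and then fall back to a password check, and the header alone never tells the server which one it was handed. It also shows the hidden consequence of the scheme in the question: because the password is still accepted in the same place as the token, the token gives the client no way to stop sending (or to stop exposing) the password on later requests.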
