分享程序员开发的那些事...
更新时间:2022-10-17 22:02:19
你可以做到没有问题。只需按照您想要的规格部分进行操作;)
http://tools.ietf.org/ html / rfc2617
并且您将缺少开始编写身份验证库
http://pajhome.org.uk/crypt/md5/
在客户端。
交换前的用户名和密码
嘿我想验证---->服务器
好的,这里是一个nonce / salt ----> client
这里是我的用户名密码时间戳和盐的md5哈希值----->服务器
我刚刚烦你的密码和用户名与您的方式相同,并且它们是相同的----->客户端
这些是它的基础知识。
我遗漏了你需要在hashsum中包含所请求资源的URI !!!!
当然你做的对于向服务器发送资源的每一个请求都是如此,某个拦截哈希的人只能查看您请求的内容,并且无法请求其他资源。此方法不保护数据只是访问它。 / p>
I have a simple question: Is it possible to use Digest-Authentication with a XMLHTTPRequest?
If the answer is no, what's the technical reason? Or if it is possible - how can I do that?
Thanks a lot … google has no good answer so far :-/
EDIT:
Thanks for the answers. Modifying the header to match the digest authentication-scheme, after a nonce has been received, seems to be a solution.
But what I was really looking for was that I could change my current call: xmlhttp.open("GET", url, false, username, password); to sth. like that xmlhttp.open("GET", url, false, username, password, "DIGEST");
That’s also part of my initial question: Why does the open-method not offer the option to make a digest-request?
Maybe there is js-lib one could recommend that lets me do that - as you imagine I don't really want to change the one and simple xmlhttp.open to multiple requests and first get a nonce.
You can do it no problem. Just follow the parts of the specs you feel like ;)
http://tools.ietf.org/html/rfc2617
and is all you are missing to start writing your authentication library
http://pajhome.org.uk/crypt/md5/
on the client side.
pre-exchange user name and password
Hey I want to authenticate ----> server
Ok here is a nonce/salt ----> client
here is a md5 hash sum of my username password timestamp and the salt -----> server
I just hased up your password and username the same way you did and they are the same ----->client
Those are the basics of it.
I left out that you need to include the URI of the requested resource in the hashsum!!!!
Of course you do this with every request you make for a resource to the server that way some one intercepting the hash could only view the content you requested and could not make a request for a miscellaneous resource.This method does not secure the data just access to it.