[HTTP] 基本认证的工作流程

HTTP的基本认证涉及两个字段,一个是请求字段 Authorization;

Authorization: Basic xxx

一个是响应字段 WWW-Authenticate

WWW-Authenticate: Basic realm="xxx"

 

1. 当浏览器试图访问一个需要认证的资源时,请求报文将以正常形式发送;

2. 不过服务器会返回一个带有WWW-Authenticate字段的HTTP/1.1 401 Unauthorized响应报文,该报文有可能会携带实体,但一般浏览器不会渲染页面;

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Sat, 17 Mar 2018 05:32:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.0.1
WWW-Authenticate: Basic realm="Git Server"

3. 浏览器收到报文后弹出用户密码框要求用户输入账号密码;

4. 用户输入账户密码确定后,请求报文再次发送,不过此时报文携带了 Authorization 字段,它携带了由用户刚才输入的账户密码(按照[用户:密码]的形式串联起来,再base64编码的字符串);

GET http://www.test1.com/test_19.php HTTP/1.1
Host: www.test1.com
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic d2FuZzoxMjM0NTY=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

5. 服务端收到报文,确定用户输入的认证是否正确,倘若正确返回的报文将会带有实体,若不正确,返回第2个步骤;

posted @ 2018-03-17 14:13  yiyide266  阅读(291)  评论(0编辑  收藏  举报