http://en.wikipedia.org/wiki/Digest_access_authentication
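Basic principle:
1. The client takes the MD5 hash of the server-generated nonce together with the username and password and sends that value to the server; the server then verifies whether the value is valid.
For details, see http://en.wikipedia.org/wiki/Digest_access_authentication
Local packet-capture test with HTTPLOOK; the server-side username is tomcat and the password is tomcat.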
GET /club-test/IndexServlet HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TCO_20100513102058; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; CIBA; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 127.0.0.1:8080
Connection: Keep-Alive
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 08:00:00 CST
WWW-Authenticate: Digest realm="Basic Authentication Area", qop="auth", nonce="8746947a93be8d88219ab22dccc5e3e6", opaque="4334df1313fb0e562393efeaff630d18"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Thu, 13 May 2010 02:22:43 GMT
GET /club-test/IndexServlet HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TCO_20100513102058; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; CIBA; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 127.0.0.1:8080
Connection: Keep-Alive
Authorization: Digest username="tomcat", realm="Basic Authentication Area", qop="auth", algorithm="MD5", uri="/club-test/IndexServlet", nonce="8746947a93be8d88219ab22dccc5e3e6", nc=00000001, cnonce="63594dae28ab96e3bd3fc7e3fabca0d8", opaque="4334df1313fb0e562393efeaff630d18", response="627bf900cec889712184f0e21fcef80e"
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 08:00:00 CST
Set-Cookie: JSESSIONID=B235CF234E263363B7F46DC4DF6D23BD; Path=/club-test
Transfer-Encoding: chunked
Date: Thu, 13 May 2010 02:22:57 GMT
GET /club-test/Music HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TCO_20100513102058; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; CIBA; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 127.0.0.1:8080
Connection: Keep-Alive
Cookie: JSESSIONID=B235CF234E263363B7F46DC4DF6D23BD
Authorization: Digest username="tomcat", realm="Basic Authentication Area", qop="auth", algorithm="MD5", uri="/club-test/Music", nonce="8746947a93be8d88219ab22dccc5e3e6", nc=00000002, cnonce="cd29e5745208fc6b4e7d0b86770c81ca", response="bb1c27f7a0f955967541c46090add6e8"
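The server-side check described above, written out as an added example (not code from the original post and not Tomcat's implementation). It goes slightly beyond the one-line summary by using the full RFC 2617 `qop="auth"` formula and by rejecting a reused `nc` for the same nonce; `DigestVerifier`, its password store and its issued-nonce set are hypothetical names.

```python
import hashlib, hmac, re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: q or b for k, q, b in
            re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)}

def expected_response(p, method, password):
    """RFC 2617 'response' value for qop=auth with algorithm MD5."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

class DigestVerifier:
    def __init__(self, passwords, issued_nonces):
        self.passwords = passwords  # username -> password (hypothetical store)
        self.last_nc = {n: 0 for n in issued_nonces}  # nonce -> highest nc accepted

    def verify(self, method, request_uri, header):
        try:
            p = parse_digest(header)
            nc = int(p["nc"], 16)
            want = expected_response(p, method, self.passwords[p["username"]])
            last = self.last_nc[p["nonce"]]
        except (KeyError, ValueError):
            return False  # malformed header, unknown user, or nonce never issued
        if p["qop"] != "auth" or p["uri"] != request_uri:
            return False
        if not hmac.compare_digest(want.encode(), p.get("response", "").lower().encode()):
            return False
        if nc <= last:
            return False  # nc must increase for a given nonce, otherwise it is a replay
        self.last_nc[p["nonce"]] = nc
        return True

if __name__ == "__main__":
    # First authenticated request from the capture above (password "tomcat").
    hdr = ('Digest username="tomcat", realm="Basic Authentication Area", qop="auth", algorithm="MD5", '
           'uri="/club-test/IndexServlet", nonce="8746947a93be8d88219ab22dccc5e3e6", nc=00000001, '
           'cnonce="63594dae28ab96e3bd3fc7e3fabca0d8", opaque="4334df1313fb0e562393efeaff630d18", '
           'response="627bf900cec889712184f0e21fcef80e"')
    v = DigestVerifier({"tomcat": "tomcat"}, {"8746947a93be8d88219ab22dccc5e3e6"})
    print(v.verify("GET", "/club-test/IndexServlet", hdr))  # does the captured response verify?
    print(v.verify("GET", "/club-test/IndexServlet", hdr))  # same nc presented again: rejected
```

The second captured request reuses the same nonce with `nc=00000002` and a fresh `cnonce`, which is the pattern the counter check accepts.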