Can I use Digest-Authentication with XMLHTTPRequest?

I have a simple question: can I use Digest-Authentication with XMLHTTPRequest?

If the answer is no, what is the technical reason? Or, if possible - how can I do this?

Thank you very much ... Google has no good answer yet :-/

EDIT:

Thanks for the answers. Changing the header according to the digest authentication scheme after receiving the nonce seems to be the solution.

But what I was really looking for is whether I can change my current call: xmlhttp.open("GET", url, false, username, password); to something like, for example, xmlhttp.open("GET", url, false, username, password, "DIGEST");

This is also part of my original question: why doesn't the open method offer an option to make a digest request?

Perhaps there is a JS library you can recommend that allows me to do this? As you can imagine, I really don't want to change one simple xmlhttp.open into multiple requests and get the nonce first.

+7
4 answers

You can do it without problems. Just follow the parts of the specification that you like ;)
http://tools.ietf.org/html/rfc2617
and all you are missing to start writing your authentication library is
http://pajhome.org.uk/crypt/md5/
on the client side.

prior exchange of username and password
Hi, I want to authenticate ----> server
Ok, here is the nonce/salt ----> client
here is the MD5 hash sum of my username, timestamp and salt ----> server
I just added your password and username in the same way as you, and they are the same. ----> client
These are the basic principles of this.

I forgot that you need to include the requested resource URI in the hash sum!!!!
Of course, you do this with every request that you make for a resource on the server, so someone who intercepts a single hash can only look at the content that you requested and cannot make a request for a different resource. This method does not protect the data, only access to it.

+8
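The exchange described in the answer above, worked through with the RFC 2617 formulas, as an added example that is not part of the original answers. The names `parseChallenge` and `digestAuthorization` are hypothetical, MD5 comes from Node.js `crypto` rather than the libraries linked on this page, and the sample values are the ones from RFC 2617 section 3.5.

```javascript
// Added example: compute the Digest "response" for one request (RFC 2617, algorithm MD5).
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Parse a "WWW-Authenticate: Digest ..." challenge value into a key/value object.
function parseChallenge(header) {
  const params = {};
  const body = header.replace(/^Digest\s+/i, '');
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Build the Authorization header value. The request method and URI are part of
// the hash, so a captured response is only valid for that one resource.
// cnonce is passed in to keep the example reproducible; generate it randomly in real use.
function digestAuthorization({ challenge, username, password, method, uri, nc, cnonce }) {
  const c = parseChallenge(challenge);
  const ha1 = md5(`${username}:${c.realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  const qopAuth = (c.qop || '').split(',').map((q) => q.trim()).includes('auth');
  const ncHex = nc.toString(16).padStart(8, '0');
  const response = qopAuth
    ? md5(`${ha1}:${c.nonce}:${ncHex}:${cnonce}:auth:${ha2}`)
    : md5(`${ha1}:${c.nonce}:${ha2}`); // form used when the server sends no qop
  const parts = [`username="${username}"`, `realm="${c.realm}"`,
    `nonce="${c.nonce}"`, `uri="${uri}"`];
  if (qopAuth) parts.push('qop=auth', `nc=${ncHex}`, `cnonce="${cnonce}"`);
  parts.push(`response="${response}"`);
  if (c.opaque) parts.push(`opaque="${c.opaque}"`);
  return { response, header: 'Digest ' + parts.join(', ') };
}

// Sample challenge and credentials taken from RFC 2617 section 3.5.
const sampleChallenge = 'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
const sample = digestAuthorization({
  challenge: sampleChallenge, username: 'Mufasa', password: 'Circle Of Life',
  method: 'GET', uri: '/dir/index.html', nc: 1, cnonce: '0a4f113b',
});
console.log(sample.header);
```

In a browser the same header string goes on the retried request with `xhr.setRequestHeader("Authorization", ...)`, with MD5 supplied by a library because Web Crypto does not provide it.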

Take a look at this article: http://marcin-michalski.pl/2012/11/01/javascript-digest-authentication-restful-webservice-spring-security-javascript-ajax/ . It explains how to make a JavaScript client for digest checking using SpringSecurity on the server side. The code is available on github: https://github.com/Arrowgroup/JSDigestAuth

+6

I coded the complete workflow for this; it is not at all complicated as long as you use an external library for MD5 (I use Crypto-js).

The biggest problem that may arise is that on the server's first 401 response, any of the most commonly used browsers will open a dialog box to retrieve your credentials. As far as I have seen, there is no easy way around this: How can I suppress the browser authentication dialog?

To solve this problem, I modified the web server that I coded from the C# codeplex project. At the first request, the client sends a "Warning" header, which says: "Do not raise 401". The server creates the challenge and sends it using a special, non-401 HttpException (I am using 406 at the moment, which is "Not Acceptable" in HTTP). The client creates a hash and sends it back.

I can post some code snippets if anyone is interested; this is an old question.

+3

The best way to do this is to use SSL. I don't think there is any other safe solution (correct me if I am wrong)

0