ITKeyword,专注技术干货聚合推荐

注册 | 登录

【ASP.NET Web API2】Digest认证

分享于

2021腾讯云限时秒杀,爆款1核2G云服务器298元/3年!(领取2860元代金券),
地址https://cloud.tencent.com/act/cps/redirect?redirect=1062

2021阿里云最低价产品入口+领取代金券(老用户3折起),
入口地址https://www.aliyun.com/minisite/goods

推荐:ASP.NET Web API(三):安全验证之使用摘要认证(digest authentication)

在前一篇文章中,主要讨论了使用HTTP基本认证的方法,因为HTTP基本认证的方式决定了它在安全性方面存在很大的问题,所以接下来看看另一种验证的方式:digest aut

Digest摘要认证

     对于Basic认证方案来说,被传输的认证凭证仅仅采用Base64编码,所以包含密码的认证凭证基本上可以视为明文传输。Digest认证在此基础上进行了改善,在一定程度上提高了安全系数。

     在了解Digest认证的工作原理之前,我们看看通过浏览器调用一个Digest认证的Web API会涉及怎样的消息交换

     采用浏览器作为Web API调用的客户端,与Basic认证方式一样,浏览器会针对Web API 的第一次调用  会自动弹出登陆对话框

正确输入账号密码(Web API 配置文件中定义)后,输出结果会呈现在浏览器中。利用Fiddler我们会发现整个调用涉及两次消息交换

GET http://localhost:4003/api/values HTTP/1.1
Host: localhost:4003
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Digest username="", realm="UZ.COM", nonce="1b4d156b1af16f4ea72a040396d27f86", uri="/api/values", response="07e5a5012586dbffbad8040a923fb11a", qop=auth, nc=00000001, cnonce="4aee7270082bcd10"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6


HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
WWW-Authenticate: Digest realm="UZ.COM",nonce="4c4c15480802fe3bccb45605f1f4126d",qop="auth"
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RTpcVGVzdFxEaWdlc3REZW1vXERpZ2VzdERlbW9cYXBpXHZhbHVlcw==?=
X-Powered-By: ASP.NET
Date: Fri, 12 Jun 2015 08:16:02 GMT
Content-Length: 81

<Error><Message>Authorization has been denied for this request.</Message></Error>

  

 

GET http://localhost:4003/api/values HTTP/1.1
Host: localhost:4003
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Digest username="loding", realm="UZ.COM", nonce="4c4c15480802fe3bccb45605f1f4126d", uri="/api/values", response="9495b8ef2b5b1d6dd3001753293cca57", qop=auth, nc=00000001, cnonce="2dfe2e5c0b8a4000"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RTpcVGVzdFxEaWdlc3REZW1vXERpZ2VzdERlbW9cYXBpXHZhbHVlcw==?=
X-Powered-By: ASP.NET
Date: Fri, 12 Jun 2015 08:17:21 GMT
Content-Length: 195

<ArrayOfstring xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><string>value1</string><string>value2</string></ArrayOfstring>

  

验证流程:

1,客户端以匿名的方式发送一个请求

2,服务器返回状态为"401 Unauthorized",这个响应含有"WWW-Authenticate"报头

  •    Digest:表示当前的认证方式。
  •    realm:领域
  •    nonce:服务器生成的具有唯一性的字符串
  •    qop(Quanlity of Protection):IIS采用qop通知客户端采用的消息保护等级。可选的qop包括"auth"和"auth-int"。

                                      前者表示仅限于基本的认证,后者则表示除了对客户端实施认证外,还需要确保传输内容的一致性。

3,客户端接收到返回的401状态后,会自动弹出一个登陆对话框

4,得到用户输入的用户名和密码,浏览器根据密码和服务端生成的nonce采用一种算法生成一个Digest,这个Digest会作为认证凭证放            到"Authorization"报头response中,随后向服务器发送请求

   其他信息:

  • username:代表客户端用户名
  • nonce:就是服务器生成返回的那个nonce
  • cnonce:这是客户端自行生成的nonce,它可以对请求内容进行签名以确保内容没有被篡改,同时也可以帮助客户端对服务器实施认证
  • nc(nonce count):表示客户端针对同一个nonce发送请求的数量,随着请求的发送而不断递增。

                         IIS可以通过nc代表的数字来防止“重发攻击”。

5,服务器接收到请求后进行nc合法性验证等,然后确定客户端提供密码的正确性,完成对客户端的认证

 

Digest认证实现(源码下载)

https://coding.net/u/Allen_/p/ASP.NET-Web-API-2---Digest/git

验证实现的核心方法:

 

public class AuthenticationHandler : DelegatingHandler
    {
        protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            try
            {
                HttpRequestHeaders headers = request.Headers;
                if (headers.Authorization != null)
                {
                    Header header = new Header(request.Headers.Authorization.Parameter, request.Method.Method);

                    if (Nonce.IsValid(header.Nonce, header.NounceCounter))
                    {
                        string uzkey = ConfigurationManager.AppSettings["UZKey"];
                        string uzsecret = ConfigurationManager.AppSettings["UZSecret"];

                        string ha1 = HashHelper.GetMD5(String.Format("{0}:{1}:{2}", uzkey, header.Realm, uzsecret));

                        string ha2 = HashHelper.GetMD5(String.Format("{0}:{1}", header.Method, header.Uri));

                        string computedResponse = HashHelper.GetMD5(String.Format("{0}:{1}:{2}:{3}:{4}:{5}",
                                            ha1, header.Nonce, header.NounceCounter, header.Cnonce, "auth", ha2));

                        if (String.CompareOrdinal(header.Response, computedResponse) == 0)
                        {
                            // digest computed matches the value sent by client in the response field.
                            // Looks like an authentic client! Create a principal.
                            var claims = new List<Claim>
                        {
                                        new Claim(ClaimTypes.Name, header.UserName),
                                        new Claim(ClaimTypes.AuthenticationMethod,AuthenticationMethods.Password)
                        };

                            ClaimsPrincipal principal = new ClaimsPrincipal(new[] { new ClaimsIdentity(claims, "Digest") });

                            Thread.CurrentPrincipal = principal;

                            if (HttpContext.Current != null)
                                HttpContext.Current.User = principal;
                        }
                    }
                }

                HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

                if (response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Digest", Header.UnauthorizedResponseHeader.ToString()));
                }

                return response;
            }
            catch (Exception)
            {
                var response = request.CreateResponse(HttpStatusCode.Unauthorized);
                response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Digest", Header.UnauthorizedResponseHeader.ToString()));

                return response;
            }
        }
    }

 

使用Digest认证还需要在全局配置文件中注册并在Controller中加[Authorize]属性标签

使用WebClient调用Web API

private  static string Request(string sUrl, string sMethod, string sEntity, string sContentType,
  out string sMessage)
        {
            try
            {
                sMessage = "";
                using (System.Net.WebClient client = new System.Net.WebClient())
                {
                    client.Credentials = CreateAuthenticateValue(sUrl);
                    Uri url = new Uri(sUrl);
                    byte[] bytes = Encoding.UTF8.GetBytes(sEntity);
                    byte[] buffer;
                    switch (sMethod.ToUpper())
                    {
                        case "GET":
                            buffer = client.DownloadData(url);
                            break;
                        case "POST":
                            buffer = client.UploadData(url, "POST", bytes);
                            break;
                        default:
                            buffer = client.UploadData(url, "POST", bytes);
                            break;
                    }

                    return Encoding.UTF8.GetString(buffer);
                }
            }
            catch (WebException ex)
            {
                sMessage = ex.Message;
                var rsp = ex.Response as HttpWebResponse;
                var httpStatusCode = rsp.StatusCode;
                var authenticate = rsp.Headers.Get("WWW-Authenticate");

                return "";
            }
            catch (Exception ex)
            {
                sMessage = ex.Message;
                return "";
            }
        }

private static CredentialCache CreateAuthenticateValue(string sUrl)  
{  
    CredentialCache credentialCache = new CredentialCache();  
    credentialCache.Add(new Uri(sUrl), "Digest", new NetworkCredential("用户名", "密码"));  
  
    return credentialCache;  
}  

  

 

推荐:ASP.NET Web API

ASP.NET Web API includes support for the following features: Modern HTTP programming model: Directly access and manipulate HTTP requests and responses

Digest摘要认证      对于Basic认证方案来说,被传输的认证凭证仅仅采用Base64编码,所以包含密码的认证凭证基本上可以视为明文传输。Digest认证在此基础上进行了改善,在一定程度上提高了安全

相关阅读排行


相关内容推荐

最新文章

×

×

请激活账号

为了能正常使用评论、编辑功能及以后陆续为用户提供的其他产品,请激活账号。

您的注册邮箱: 修改

重新发送激活邮件 进入我的邮箱

如果您没有收到激活邮件,请注意检查垃圾箱。