{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 不美不萌又怎样 的问题《Is it possible to use Digest-Authentication with a》','https://www.manongdao.com/q-628992.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a simple question: Is it possible to use Digest-Authentication with a XMLHTTPRequest?
If the answer is no, what's the technical reason? Or if it is possible - how can I do that?
Thanks a lot … google has no good answer so far :-/
EDIT:
Thanks for the answers. Modifying the header to match the digest authentication-scheme, after a nonce has been received, seems to be a solution.
But what I was really looking for was that I could change my current call: xmlhttp.open("GET", url, false, username, password); to sth. like that xmlhttp.open("GET", url, false, username, password, "DIGEST");
That’s also part of my initial question: Why does the open-method not offer the option to make a digest-request?
Maybe there is js-lib one could recommend that lets me do that - as you imagine I don't really want to change the one and simple xmlhttp.open to multiple requests and first get a nonce.
Have a look at this article : http://marcin-michalski.pl/2012/11/01/javascript-digest-authentication-restful-webservice-spring-security-javascript-ajax/. It explains how to do JavaScript client for Digest Authentication with SpringSecurity in the server side. The code is available in github : https://github.com/Arrowgroup/JSDigestAuth
You really shouldn't care which authentication method site uses, as long as your browser support it.
If you specify username and password to open method and dont't mess with Authorization header, XMLHttpRequest.send() would first try to send request without authentication, receive 401 response with WWW-Authenticate header, and retry request, providing name and password according to authorization method requested by site.
(Although there can be some extra event handlers fired during this two-stage process).
The best way to do this is by using SSL. I don't think any other safe solution exists (correct me if i'm wrong)
To avoid the default browser authentication dialog you just set the WWW-Authenticate as Digest/YourString (ex. your realm). It is all in the first response, not so tragically.. My custom code it was working perfectly until yesterday and now I'm trying to debug something strange that is happened suddenly, still trying to understand..
You can do it no problem. Just follow the parts of the specs you feel like ;)
http://tools.ietf.org/html/rfc2617
and is all you are missing to start writing your authentication library
http://pajhome.org.uk/crypt/md5/
on the client side.
pre-exchange user name and password
Hey I want to authenticate ----> server
Ok here is a nonce/salt ----> client
here is a md5 hash sum of my username password timestamp and the salt -----> server
I just hased up your password and username the same way you did and they are the same ----->client
Those are the basics of it.
I left out that you need to include the URI of the requested resource in the hashsum!!!!
Of course you do this with every request you make for a resource to the server that way some one intercepting the hash could only view the content you requested and could not make a request for a miscellaneous resource.This method does not secure the data just access to it.
I have coded a full workflow for this, it's not difficult at all once you are using an external library for MD5 (I use Crypto-js).
The greatest issue you might have is that on the first server 401 reply any of the most used browsers will open a dialog box for getting your credentials. As far as I have seen there is not easy way to circumvent this: How can I supress the browser's authentication dialog?
To solve it, I modified the webserver which I coded from a C# codeplex project. On the first request the client passes a "Warning" header saying "Do not raise a 401". The server creates the challenge and sends it back with a custom, non-401 HttpException (I use 406 for the moment, which is "not acceptable" in HTTP). The client creates the hash and sends it back.
I can post some code snippets if anyone's interested, this is kind of an old question.