Authorization response

A user agent that wishes to authenticate itself with a server-- usually, but not necessarily, after receiving a 401 response--does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

Authorization = "Authorization" ":" credentials

HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" [43]. If a request is authenticated and a realm specified, the same credentials SHOULD be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, such as credentials that vary according to a challenge value or using synchronized clocks). When a shared cache (see section 13.7) receives a request containing an Authorization field, it MUST NOT return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds:

If the response includes the "s-maxage" cache-control directive, the cache MAY use that response in replying to a subsequent request. But (if the specified maximum age has passed) a proxy cache MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. (This is the defined behavior for s-maxage.) If the response includes "s-maxage=0", the proxy MUST always revalidate it before re-using it. If the response includes the "must-revalidate" cache-control directive, the cache MAY use that response in replying to a subsequent request. But if the response is stale, all caches MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. If the response includes the "public" cache-control directive, it MAY be returned in reply to any subsequent request.
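        /// <summary>
        /// An authentication response has been received from the web browser.
        /// Check if it's correct.
        /// </summary>
        /// <param name="header">Contents from the Authorization header</param>
        /// <param name="realm">Realm that should be authenticated</param>
        /// <param name="httpVerb">GET/POST/PUT/DELETE etc.</param>
        /// <returns>
        /// Authentication object that is stored for the request. A user class or something like that.
        /// <c>null</c> if the scheme is not digest, the nonce is rejected, the user is unknown
        /// or the response digest does not match.
        /// </returns>
        /// <exception cref="ArgumentException">if authenticationHeader is invalid</exception>
        /// <exception cref="ArgumentNullException">If any of the parameters is empty or null.</exception>
        /// <remarks>
        /// A2 is built as "method:uri", i.e. the qop=auth form. The qop=auth-int form (which also hashes
        /// the entity body into A2) is not produced here, so a client claiming auth-int would have to be
        /// handled by <c>Encrypt</c> — confirm. The "uri" value comes from the client's header and is not
        /// compared with the actual request URI; the caller is expected to do that check.
        /// </remarks>
        public IAuthenticationUser Authenticate(AuthorizationHeader header, string realm, string httpVerb)
        {
            if (header == null)
                throw new ArgumentNullException("header");
            if (string.IsNullOrEmpty(realm))
                throw new ArgumentNullException("realm");
            if (string.IsNullOrEmpty(httpVerb))
                throw new ArgumentNullException("httpVerb");

            // Lazily start the timer that runs ManageNonces every 15 s; the lock keeps two
            // concurrent first requests from creating two timers.
            lock (_nonces)
            {
                if (_timer == null)
                    _timer = new Timer(ManageNonces, null, 15000, 15000);
            }

            if (!header.Scheme.Equals("digest", StringComparison.OrdinalIgnoreCase))
                return null;

            var parameters = HeaderParameterCollection.Parse(new StringReader(header.Data), ',');
            if (!IsValidNonce(parameters["nonce"]) && !DisableNonceCheck)
                return null;

            // request authentication information
            string username = parameters["username"];
            var user = _userProvider.Lookup(username, realm);
            if (user == null)
                return null;

            // Encode authentication info: prefer a stored HA1 so the clear-text password is not needed.
            string HA1 = string.IsNullOrEmpty(user.HA1) ? GetHA1(realm, username, user.Password) : user.HA1;

            // encode challenge info (qop=auth form of A2)
            string A2 = String.Format("{0}:{1}", httpVerb, parameters["uri"]);
            string HA2 = GetMD5HashBinHex2(A2);
            string hashedDigest = Encrypt(HA1, HA2, parameters["qop"],
                                          parameters["nonce"], parameters["nc"], parameters["cnonce"]);

            // validate: a missing response must never match a missing digest, and every character is
            // compared so the time taken does not depend on how much of the digest was right.
            string response = parameters["response"];
            if (string.IsNullOrEmpty(response) || string.IsNullOrEmpty(hashedDigest))
                return null;

            int mismatch = response.Length ^ hashedDigest.Length;
            for (int i = 0; i < response.Length && i < hashedDigest.Length; i++)
                mismatch |= response[i] ^ hashedDigest[i];

            if (mismatch != 0)
                return null;

            return user;
        }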
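        /// <summary>
        /// An authentication response has been received from the web browser.
        /// Check if it's correct.
        /// </summary>
        /// <param name="header">Authorization header</param>
        /// <param name="realm">Realm that should be authenticated</param>
        /// <param name="httpVerb">GET/POST/PUT/DELETE etc. Validated but otherwise not used by basic authentication.</param>
        /// <returns>
        /// Authentication object that is stored for the request. A user class or something like that.
        /// <c>null</c> if the user is unknown or the password does not match.
        /// </returns>
        /// <exception cref="BadRequestException">if the credentials are not valid base64 or lack the ':' separator</exception>
        /// <exception cref="ArgumentNullException">If any of the parameters is empty or null.</exception>
        public IAuthenticationUser Authenticate(AuthorizationHeader header, string realm, string httpVerb)
        {
            if (header == null)
                throw new ArgumentNullException("header");
            if (string.IsNullOrEmpty(realm))
                throw new ArgumentNullException("realm");
            if (string.IsNullOrEmpty(httpVerb))
                throw new ArgumentNullException("httpVerb");

            /*
             * To receive authorization, the client sends the userid and password,
                separated by a single colon (":") character, within a base64 [7]
                encoded string in the credentials.*/
            byte[] raw;
            try
            {
                raw = Convert.FromBase64String(header.Data);
            }
            catch (FormatException)
            {
                // Undecodable client input is a malformed request, not a server-side format error.
                throw new BadRequestException("Invalid basic authentication header, credentials are not valid base64.");
            }

            string decoded = Encoding.UTF8.GetString(raw);
            // The user-id may not contain ':' but the password may, so split on the first colon only.
            int pos = decoded.IndexOf(':');
            if (pos == -1)
                throw new BadRequestException("Invalid basic authentication header, failed to find colon.");

            string userName = decoded.Substring(0, pos);
            string password = decoded.Substring(pos + 1);

            var user = _userProvider.Lookup(userName, realm);
            if (user == null)
                return null;

            // Compare against the stored clear-text password when there is one, otherwise against the
            // stored HA1 (presumably the digest hash of "user:realm:password" — see DigestAuthentication.GetHA1).
            string expected;
            string supplied;
            if (user.Password == null)
            {
                expected = user.HA1;
                supplied = DigestAuthentication.GetHA1(realm, userName, password);
            }
            else
            {
                expected = user.Password;
                supplied = password;
            }

            // A null on either side is a failure; never let null == null count as a match.
            if (expected == null || supplied == null)
                return null;

            // Compare every character so the time taken does not reveal how many leading characters matched.
            int mismatch = expected.Length ^ supplied.Length;
            for (int i = 0; i < expected.Length && i < supplied.Length; i++)
                mismatch |= expected[i] ^ supplied[i];

            if (mismatch != 0)
                return null;

            return user;
        }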
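        /// <summary>
        /// An authentication response has been received from the web browser.
        /// Check if it's correct.
        /// </summary>
        /// <param name="header">Authorization header</param>
        /// <param name="realm">Realm that should be authenticated</param>
        /// <param name="httpVerb">GET/POST/PUT/DELETE etc. Validated but otherwise not used by basic authentication.</param>
        /// <param name="options">Not used in basic auth</param>
        /// <returns>
        /// <c>true</c> if the handler accepted the user name and password; <c>false</c> if the
        /// credentials are malformed or the handler rejected them.
        /// </returns>
        /// <exception cref="ArgumentNullException">If any of the parameters is empty or null.</exception>
        public bool Authenticate(AuthorizationHeader header, string realm, string httpVerb, object[] options)
        {
            if (header == null)
                throw new ArgumentNullException("header");
            if (string.IsNullOrEmpty(realm))
                throw new ArgumentNullException("realm");
            if (string.IsNullOrEmpty(httpVerb))
                throw new ArgumentNullException("httpVerb");

            /*
             * To receive authorization, the client sends the userid and password,
                separated by a single colon (":") character, within a base64 [7]
                encoded string in the credentials.*/
            byte[] raw;
            try
            {
                raw = Convert.FromBase64String(header.Data);
            }
            catch (FormatException)
            {
                // Undecodable credentials are rejected the same way as a missing colon.
                return false;
            }

            string decoded = Encoding.UTF8.GetString(raw);
            // The user-id may not contain ':' but the password may, so split on the first colon only.
            int pos = decoded.IndexOf(':');
            if (pos == -1)
                return false;

            string userName = decoded.Substring(0, pos);
            string password = decoded.Substring(pos + 1);
            var context = new BasicAuthenticationContext(realm, userName, password);
            return _handler(context);
        }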
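        /// <summary>
        /// An authentication response has been received from the web browser.
        /// Check if it's correct.
        /// </summary>
        /// <param name="header">Contents from the Authorization header</param>
        /// <param name="realm">Realm that should be authenticated</param>
        /// <param name="httpVerb">GET/POST/PUT/DELETE etc.</param>
        /// <param name="options">First option: true if username/password is correct but not cnonce. Not read or written by this implementation.</param>
        /// <returns>
        /// <c>true</c> if the response digest matches; <c>false</c> if the scheme is not digest, the nonce is
        /// rejected, the authenticator rejected the user, or the digest differs.
        /// </returns>
        /// <exception cref="ArgumentException">if authenticationHeader is invalid</exception>
        /// <exception cref="ArgumentNullException">If any of the parameters is empty or null.</exception>
        /// <remarks>
        /// A2 is built as "method:uri", i.e. the qop=auth form. The qop=auth-int form (which also hashes
        /// the entity body into A2) is not produced here, so a client claiming auth-int would have to be
        /// handled by <c>Encrypt</c> — confirm. The "uri" value comes from the client's header and is not
        /// compared with the actual request URI; the caller is expected to do that check.
        /// </remarks>
        public bool Authenticate(AuthorizationHeader header, string realm, string httpVerb, object[] options)
        {
            if (header == null)
                throw new ArgumentNullException("header");
            if (string.IsNullOrEmpty(realm))
                throw new ArgumentNullException("realm");
            if (string.IsNullOrEmpty(httpVerb))
                throw new ArgumentNullException("httpVerb");

            // Lazily start the timer that runs ManageNonces every 15 s; the lock keeps two
            // concurrent first requests from creating two timers.
            lock (_nonces)
            {
                if (_timer == null)
                    _timer = new Timer(ManageNonces, null, 15000, 15000);
            }

            if (!header.Scheme.Equals("digest", StringComparison.OrdinalIgnoreCase))
                return false;

            var parameters = HeaderParameterCollection.Parse(new StringReader(header.Data));
            if (!IsValidNonce(parameters["nonce"]) && !DisableNonceCheck)
                return false;

            // request authentication information
            string username = parameters["username"];
            DigestContext context = new DigestContext(realm, username);
            if (!_authenticator(context))
                return false;

            // Encode authentication info: use the HA1 the authenticator supplied when it has one,
            // otherwise derive it from the clear-text password (A1 = "user:realm:password").
            string HA1;
            if (string.IsNullOrEmpty(context.HA1))
            {
                string A1 = String.Format("{0}:{1}:{2}", username, realm, context.Password);
                HA1 = GetMD5HashBinHex2(A1);
            }
            else
                HA1 = context.HA1;

            // encode challenge info (qop=auth form of A2)
            string A2 = String.Format("{0}:{1}", httpVerb, parameters["uri"]);
            string HA2 = GetMD5HashBinHex2(A2);
            string hashedDigest = Encrypt(HA1, HA2, parameters["qop"],
                                          parameters["nonce"], parameters["nc"], parameters["cnonce"]);

            // validate: a missing response must never match a missing digest, and every character is
            // compared so the time taken does not depend on how much of the digest was right.
            string response = parameters["response"];
            if (string.IsNullOrEmpty(response) || string.IsNullOrEmpty(hashedDigest))
                return false;

            int mismatch = response.Length ^ hashedDigest.Length;
            for (int i = 0; i < response.Length && i < hashedDigest.Length; i++)
                mismatch |= response[i] ^ hashedDigest[i];

            return mismatch == 0;
        }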