Common web login authorization modes and principles

The original post, with a somewhat better layout, is at its permanent address: Common web login authorization modes and principles

Foreword

This article focuses on the login and authorization part of web applications. It starts from first principles with how the HTTP protocol works, then discusses how login credentials can be transferred and authorization performed given the characteristics of HTTP, and finally summarizes the common login-authorization modes.

Some preparation

Understanding the characteristics of the HTTP protocol

What is the HTTP protocol?

HTTP is the specification for the interaction between a browser and a web server: the browser initiates a request according to the HTTP specification, and the server returns the required response data, also according to the HTTP specification.

What information does an HTTP request contain?

First, look at a sample HTTP request:

POST http://www.baidu.com?id=1 HTTP/1.0
Accept: text/html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Cookie: BIDUPSID=261A05061D8C4F2F40046ED513E0E666;
DNT: 1
Host: www.baidu.com
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36

name=1&password=2

Its structure is as follows:
[Figure: structure of an HTTP request (image not available)]
Request methods include GET / POST / PUT / PATCH / DELETE / OPTIONS and so on; the rest of that material is not expanded on here.
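To make the structure above concrete, here is an added example (not code from the original post) that parses a raw HTTP/1.x request text into its request line, headers and body, and decodes the form body. The sample request string is constructed to mirror the post's example; the Content-Type header is an addition so the form body is self-describing.

```javascript
// Added example: minimal parser for a raw HTTP/1.x request message.
// Sample text constructed after the post's example (not captured traffic).
const SAMPLE_REQUEST =
  'POST http://www.baidu.com?id=1 HTTP/1.0\r\n' +
  'Accept: text/html\r\n' +
  'Cookie: BIDUPSID=261A05061D8C4F2F40046ED513E0E666;\r\n' +
  'Host: www.baidu.com\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n' +
  '\r\n' +
  'name=1&password=2';

function parseRequest(raw) {
  // The header block ends at the first blank line; everything after it is the body.
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  // Request line: METHOD SP target SP version
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // tolerate a malformed header line instead of crashing
    const name = line.slice(0, idx).trim().toLowerCase(); // header names are case-insensitive
    const value = line.slice(idx + 1).trim();
    // Repeated headers are combined with ", " as HTTP allows
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { method, target, version, headers, body };
}

// Form body "name=1&password=2" -> { name: '1', password: '2' }
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k.replace(/\+/g, ' '))] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Stand-alone run: show the parsed pieces
const parsed = parseRequest(SAMPLE_REQUEST);
console.log(parsed.method, parsed.target, parsed.version);
console.log(parsed.headers);
console.log(parseFormBody(parsed.body));
```

Note that the password travels in the body as plain form text; only TLS (https) protects it on the wire, which is why the response sample later sets Strict-Transport-Security.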

What does a standard HTTP server response look like?

First, look at a sample:

HTTP/1.0 200 OK
Cache-Control: private
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Content-Length: 12345
Date: Fri, 29 Nov 2019 07:26:29 GMT
Expires: Fri, 29 Nov 2019 07:26:29 GMT
Server: BWS/1.1
Set-Cookie: BDSVRTM=104; path=/
Set-Cookie: BD_HOME=1; path=/
Set-Cookie: H_PS_PSSID=1455_21098_18560_20697_30089_22158; path=/; domain=.baidu.com
Strict-Transport-Security: max-age=172800
Traceid: 1575012389282792346617750770023830247734
Transfer-Encoding: chunked
X-Ua-Compatible: IE=Edge,chrome=1

<html>
.....
</html>

Its structure is as follows:
[Figure: structure of an HTTP response (image not available)]
Common response status codes include 200 / 404 / 502 / 500 / 304 / 302.

Features of the HTTP protocol

HTTP is stateless: this request and the previous one are completely independent, so the server cannot on its own determine the user's identity; the browser has to carry a special identity marker (the authentication credential) in the request headers.

How to view request headers, response headers and similar information in Chrome

Open the Chrome browser, enter http://www.baidu.com, press F12 and then F5 to refresh, click the Network tab, select the first request, and scroll down to find the Request Headers section.
[Figure: Chrome DevTools Network panel showing Request Headers (image not available)]

What is a domain name, what is a subdomain, and what is cross-domain?

A domain name can be thought of as an alias for a server's address: the domain name is first resolved to an IP by the DNS service, and communication with the server then proceeds via that IP. For example, this site's domain name is wj2015.com, a domain under the .com top-level domain; blog.wj2015.com, the domain name of this blog, is a subdomain under wj2015.com, also called a second-level domain.
The blogger previously used wj2015.com.cn, which is a second-level domain under the .cn top-level domain, and blog.wj2015.com.cn is a third-level subdomain under it.

A short introduction to cross-domain

Cross-domain (cross-origin) is a concept the browser enforces for user security; if any one of the following three conditions holds, the request is cross-domain:

  • Different domain names (e.g. http://blog.wj2015.com and http://excel.wj2015.com)
  • Different ports (e.g. http://blog.wj2015.com:80 and http://blog.wj2015.com:8080)
  • Different protocols (e.g. http://blog.wj2015.com and https://blog.wj2015.com)

If the service being requested is cross-domain relative to the current page, GET / POST and other requests cannot be sent by the normal methods. For example, on a page under blog.wj2015.com, requesting an interface on www.baidu.com:

$.ajax({
	url: 'http://www.baidu.com',
});

The error is as follows:

Access to XMLHttpRequest at 'https://www.baidu.com/' from origin 'https://blog.wj2015.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
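The three conditions above amount to comparing scheme, host and port. The following added example (not code from the original post) checks two URLs for cross-origin the way the browser does, including default ports, and shows the server side: the Access-Control-Allow-Origin header from the error message is only sent back for origins on an explicit allow-list. The allow-list of wj2015.com subdomains is a constructed assumption.

```javascript
// Added example: same-origin comparison and an allow-list based CORS response.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is scheme + host + port; a missing port means the scheme's default,
// so http://a.example and http://a.example:80 are the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isCrossOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) !== originOf(requestUrl);
}

// Server side. Constructed allow-list (assumption): only these origins may call
// the API with credentials. Never reflect an arbitrary Origin header, and never
// combine "*" with Access-Control-Allow-Credentials: true.
const ALLOWED_ORIGINS = new Set(['https://blog.wj2015.com', 'https://excel.wj2015.com']);

function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader || !allowed.has(originHeader)) return {}; // no header -> browser blocks the read
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's answer to another
  };
}

// Stand-alone run
console.log(isCrossOrigin('http://blog.wj2015.com', 'http://blog.wj2015.com:8080')); // true
console.log(corsHeadersFor('https://blog.wj2015.com'));
```

The `Vary: Origin` line matters when a shared cache sits in front of the API: without it, a cached response carrying one origin's Access-Control-Allow-Origin can be served to another.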


Why mention cross-domain?

Because in real projects, login authorization may span multiple business systems; the authorization across them may be cross-subdomain or cross-port, or may even need to accept requesters from any domain name, so you also need to know which requests are not subject to cross-domain restrictions.

Resource-type data is generally not subject to cross-domain restrictions:

  • script loading; JSONP can be used to call across domains
  • img / video / audio media loading; another domain can use these to issue a hidden, forged GET request
  • embedded iframe pages; in the cross-domain case the parent page cannot read the sub-page's data, but a hidden form in it can be used to issue a forged POST request from another domain

Don't confuse Cookie and Session

A Cookie is a small amount of data stored in the browser; on every request, all Cookies are placed in the Request Headers under Cookie:, with entries separated by ;.
A Session is data stored on the server: the client uploads its SessionId (the credential), the server looks up the corresponding server-side data, and the server can control the Cookie in the browser through the Set-Cookie response header.
What do Cookie and Session have to do with each other? As mentioned, HTTP is stateless; for the server to confirm that the client is one that has made a request before, the client needs to send a credential (think of it as a unique identification number). The conventional practice is to store this credential in a Cookie, so every request automatically carries it; the backend automatically matches the credential and obtains the Session information.

Login authorization

What is a credential?

A credential is equivalent to a temporary identification number issued by the server to the client, which the client uses to mark its identity.

Common login-authorization modes

Security issues

Credential issuance can be broadly divided into two types: credentials issued regardless of whether the user has logged in, and credentials issued only after access verification has passed; the difference between the two is subtle.

Cookie + Session mode

As mentioned above, a Session identifies the user's information through the SessionId carried in the Cookie, so it has the following advantages and disadvantages.

Advantages:

  • The browser automatically carries the credential when it initiates a request, which makes unified handling easy
  • With some configuration, cross-subdomain authorization can be achieved

Disadvantages:

  • Every request carries the Cookie, even when loading images, JS and other resources, which wastes some bandwidth
  • Cannot do cross-domain (non-subdomain) authorization
  • Platform restrictions: some platforms have no concept of a Cookie, such as mini-programs

AccessToken mode, carrying the credential in a custom header

In this mode, the credential is generally issued to the client after the login verification passes; the client stores it itself (a web browser can choose LocalStorage, SessionStorage, etc.) and, when making a request, puts it into the headers or the GET parameters.

Advantages:

  • Universal across platforms: Android, iOS, PC clients and mini-programs can all use it
  • Cross-domain authorization is possible
  • Compared with the Cookie scheme, the Cookie data carried by each request is reduced
  • Resistant to CSRF

Disadvantages:

  • Both the front end and the back end need to add special logic for validating the Token and fetching the corresponding data, which can be some trouble

JWT (JSON Web Token)

JWT is an authentication mechanism in which the data is stored entirely on the client, with a signature guaranteeing that the data has not been altered.
JWT data consists of a header, a payload and a signature.

Header

Mainly used to specify the token type and the signature algorithm:

{
"typ": "JWT",
"alg": "HS256"
}

This is then encoded as a Base64url string (Base64 with URL-safe characters and no padding).

Payload

Used to store the actual data, the expiration time and the issue time:

{
  "iss": "Online JWT Builder",
  "iat": 1416797419,
  "exp": 1448333419,
  "aud": "www.example.com",
  "sub": "[email protected]",
  "GivenName": "Johnny",
  "Surname": "Rocket",
  "Email": "[email protected]",
  "Role": [ "Manager", "Project Administrator" ]
}

This also needs to be encoded as a Base64url string.

Signature

The two strings obtained above are joined together, and a signature is generated over them with the algorithm specified in the header and a key kept securely on the server.

Header, payload and signature joined together form the JWT.

Advantages:

  • The server does not need to store Session data
  • As long as the key is stored securely it is safe; there is no need to worry about the end user tampering with the data

Disadvantages:

  • Every acquisition, issuance and change requires verification / signature generation, which makes modifying the data troublesome
  • If it is carried in a Cookie, it easily causes problems such as the request header being too large


Cross-subdomain solution

By default a Cookie is valid only for the current domain name; when the server issues the credential via Set-Cookie, configure Path=/ and set the Cookie's domain to the top-level (parent) domain, and the Cookie will then be carried to all of its subdomains, which is enough for simple cross-subdomain authorization.

As mentioned, the AccessToken mode is not bound by cross-domain restrictions; for login across subdomains or across completely different domains, the cross-domain login center solution below is needed.
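The domain scoping just described, as an added example that is not code from the original post: it parses a Set-Cookie value and applies the browser's domain-matching rule (RFC 6265 section 5.1.3) to decide which hosts the cookie is sent back to. A cookie without a Domain attribute is host-only and goes back only to the exact host that set it; one with Domain=wj2015.com is also sent to blog.wj2015.com. The host names are the post's own examples; the public-suffix check real browsers also apply (refusing Domain=com) is noted but not implemented here.

```javascript
// Added example: Set-Cookie Domain handling and the domain-match rule.
function normalizeHost(h) {
  return h.trim().toLowerCase().replace(/^\./, ''); // a leading dot is ignored
}

// RFC 6265 5.1.3: host matches domain if equal, or if host ends with "." + domain.
function domainMatches(host, domain) {
  const h = normalizeHost(host), d = normalizeHost(domain);
  return h === d || h.endsWith('.' + d);
}

// Parse "NAME=value; Domain=..; Path=..; HttpOnly" as received from requestHost.
// Returns null when the server tries to scope the cookie to a domain it does not
// belong to (browsers discard such cookies). Does not implement the public-suffix
// check (e.g. rejecting Domain=com) that browsers additionally perform.
function parseSetCookie(value, requestHost) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    hostOnly: true,                      // default: only the setting host gets it back
    domain: normalizeHost(requestHost),
    path: '/',
    httpOnly: false,
  };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      const d = normalizeHost(v);
      if (!domainMatches(requestHost, d)) return null; // cannot claim an unrelated domain
      cookie.domain = d;
      cookie.hostOnly = false;           // now shared with every subdomain of d
    } else if (key === 'path' && v) {
      cookie.path = v;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for `host`?
function cookieAppliesTo(cookie, host) {
  const h = normalizeHost(host);
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Stand-alone run
const shared = parseSetCookie('SID=abc; Path=/; Domain=.wj2015.com; HttpOnly', 'www.wj2015.com');
console.log(cookieAppliesTo(shared, 'blog.wj2015.com'));  // true
console.log(cookieAppliesTo(shared, 'wj2015.com.cn'));    // false
```

Widening Domain to the parent domain means every subdomain can read and overwrite that cookie, so a compromised or user-controlled subdomain can present or replace the credential; keep the parent-domain cookie to the login credential only and keep the subdomain set small.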

Cross-domain login center solution

[Figure: cross-domain login center flow (image not available)]

OAuth2

OAuth2 is also a cross-domain login center solution; the WeChat authorized login and QQ authorized login seen every day all use this mode.
OAuth2 has four authorization modes in total: authorization code mode, simplified (implicit) mode, password mode and client mode;
the flow chart below is only for third-party login with WeChat; more specific references on OAuth2 can be found below.
[Figure: WeChat third-party login flow (image not available)]


Reference material

HTTP study notes
Talking about OAuth 2.0 authorization with WeChat login


Source: blog.csdn.net/qq_34177812/article/details/104749354