Article Directory
- Foreword
- Some preparation
- Understanding the characteristics of the HTTP protocol
- What is the HTTP protocol?
- What information does an HTTP request contain?
- What does a standard HTTP server response look like?
- Features of the HTTP protocol
- What is a domain name, a subdomain, and cross-domain?
- Telling Cookie and Session apart
- Login authorization
- What is a credential?
- Common login authorization modes
- Cross-subdomain solution
- Cross-domain login center solutions
- OAuth2
- Reference material
The original, with a somewhat better layout, is at its permanent address: Common web login authorization schemes and their principles.
Foreword
This article focuses on the login authorization part of web applications. It starts from first principles, exploring how the HTTP protocol works, then discusses how login credentials are transferred and authorized given the characteristics of HTTP, and finally summarizes the common login authorization modes.
Some preparation
Understanding the characteristics of the HTTP protocol
What is the HTTP protocol?
HTTP is the specification for how a browser and a web server interact: the browser must initiate requests according to the HTTP specification, and the server returns the required response data according to the same specification.
What information does an HTTP request contain?
First, look at a sample HTTP request:
POST http://www.baidu.com?id=1 HTTP/1.0
Accept: text/html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Cookie: BIDUPSID=261A05061D8C4F2F40046ED513E0E666;
DNT: 1
Host: www.baidu.com
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36

name=1&password=2
The structure is as follows:
[Figure: structure of an HTTP request (request line, request headers, request body) as in the sample above]
Request methods include GET, POST, PUT, PATCH, DELETE, OPTIONS and others; the remaining details of HTTP are not covered here.
What does a standard HTTP server response look like?
First, look at a sample:
HTTP/1.0 200 OK
Cache-Control: private
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Content-Length: 12345
Date: Fri, 29 Nov 2019 07:26:29 GMT
Expires: Fri, 29 Nov 2019 07:26:29 GMT
Server: BWS/1.1
Set-Cookie: BDSVRTM=104; path=/
Set-Cookie: BD_HOME=1; path=/
Set-Cookie: H_PS_PSSID=1455_21098_18560_20697_30089_22158; path=/; domain=.baidu.com
Strict-Transport-Security: max-age=172800
Traceid: 1575012389282792346617750770023830247734
Transfer-Encoding: chunked
X-Ua-Compatible: IE=Edge,chrome=1

<html>
.....
</html>
The structure is as follows:
[Figure: structure of an HTTP response (status line, response headers, response body) as in the sample above]
Common response status codes include 200, 404, 502, 500, 304 and 302.
Features of the HTTP protocol
HTTP is stateless: each request is completely independent of the previous one. The server cannot determine the user's identity on its own; it has to learn it from a special identity marker (the authentication credential) that the browser places in the request headers.
How to view the request headers, response headers and similar information in Chrome: open Chrome, enter http://www.baidu.com, press F12, then press F5 to refresh; click the Network tab, select the first request, and scroll down to find the Request Headers section.
[Screenshot: Chrome DevTools Network tab showing the Request Headers of the first request]
What is a domain name, a subdomain, and cross-domain?
A domain name can be used as an alias for a server address: the domain name is first resolved to an IP address by the DNS service, and communication with the server then goes over that IP. For example, this site's domain name, wj2015.com, is a domain under the .com top-level domain; blog.wj2015.com, this blog's domain name, is a subdomain under wj2015.com, also called a second-level domain. The blogger previously used wj2015.com.cn, which is a second-level domain under the .cn top-level domain, and blog.wj2015.com.cn is a third-level subdomain under it.
A short introduction to cross-domain
Cross-domain (cross-origin) is a concept the browser enforces for user security; a request is cross-domain if any one of the following three conditions holds:
- Different domain names (e.g. http://blog.wj2015.com and http://excel.wj2015.com)
- Different ports (e.g. http://blog.wj2015.com:80 and http://blog.wj2015.com:8080)
- Different protocols (e.g. http://blog.wj2015.com and https://blog.wj2015.com)
If the requested service is cross-domain relative to the current page, then GET, POST and other requests cannot be sent by the normal methods. For example, in a page on blog.wj2015.com, requesting an interface on www.baidu.com:
$.ajax({
    url: 'http://www.baidu.com',
});
The resulting error is:
Access to XMLHttpRequest at ‘https://www.baidu.com/’ from origin ‘https://blog.wj2015.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
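The three cross-domain conditions above as a check, plus the server-side decision that leads to the "No 'Access-Control-Allow-Origin' header" error, as an added example that is not part of the original post; the allowlist and URLs are constructed for it.

```javascript
// Added example, not from the original post: the three cross-domain conditions
// from the text as a check, plus the server-side CORS decision behind the
// "No 'Access-Control-Allow-Origin' header" error shown above.

// Origin = protocol + host + port; URL.origin drops default ports (80/443) for us.
function isCrossOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin !== new URL(requestUrl).origin;
}

// Server side: CORS headers to add to a response for a given request Origin.
// An empty result means the browser blocks the cross-origin read, which is
// exactly the error above. Echoing an allowlisted Origin (never "*") is what
// is required when the Cookie credential must also be sent with credentials.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!requestOrigin || requestOrigin === 'null' || !allowlist.includes(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per Origin, so caches must key on it
  };
}

// Constructed allowlist: the two subdomains named in the text.
const ALLOWED_ORIGINS = ['https://blog.wj2015.com', 'https://excel.wj2015.com'];

// The three conditions from the text, and one same-origin pair for contrast
console.log(isCrossOrigin('http://blog.wj2015.com', 'http://excel.wj2015.com'));        // true (host)
console.log(isCrossOrigin('http://blog.wj2015.com:80', 'http://blog.wj2015.com:8080'));  // true (port)
console.log(isCrossOrigin('http://blog.wj2015.com', 'https://blog.wj2015.com'));        // true (protocol)
console.log(isCrossOrigin('http://blog.wj2015.com:80/a', 'http://blog.wj2015.com/b'));  // false
// The request in the text: www.baidu.com has not allowlisted the page's origin -> {}
console.log(corsHeadersFor('https://blog.wj2015.com', []));
```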
Why mention cross-domain?
Because in real projects, login authorization may span multiple business systems; authorization across them may be cross-subdomain, cross-port, or even need to serve requesters under arbitrary domain names, so we also need to know which requests are not subject to the cross-domain restriction.
Resource-type data is generally not subject to the cross-domain limit:
- Script loading: cross-domain JSONP can be used
- img / video / audio media resource loading: can be used to hide a forged GET request to another domain
- Embedded iframe pages: in the cross-domain case the parent page cannot read the child page's data, but the iframe can be used to hide a forged POST request to another domain
Telling Cookie and Session apart
A Cookie is a small amount of data stored in the browser; on every request it is placed in the Cookie: request header, with entries separated by ";".
A Session is data stored on the server; the client uploads the SessionId (the credential) and the server uses it to look up the corresponding stored data. The server can control the Cookie held by the browser through the Set-Cookie response header.
What do Cookie and Session have to do with each other? As mentioned earlier, HTTP is a stateless protocol, so for the server to confirm that a client is the same one that made an earlier request, the client needs to send a credential (think of it as a unique identification number). The conventional practice is to store this credential in a Cookie: every request automatically carries it, the server matches it, and the corresponding Session data is retrieved.
Login authorization
What is a credential?
A credential is equivalent to a temporary identification number issued by the server to the client, which the client then uses to identify itself.
Common login authorization modes
Security issues
Issued credentials fall broadly into two types: one is issued whether or not the user has logged in; the other is issued only after the user's login has been verified. The difference between the two is subtle.
Cookie/Session mode
As mentioned above, a Session identifies the user's information through a SessionId carried in a Cookie, so it has the following advantages and disadvantages.
Advantages:
- The browser automatically attaches the credential to every request, which makes uniform handling easy
- With some configuration, cross-subdomain authorization can be achieved
Disadvantages:
- Every request carries the Cookie, even when loading images, JS and other resources, which wastes some bandwidth
- Cannot do cross-domain (non-subdomain) authorization
- Platform restrictions: some platforms have no concept of a Cookie, such as mini programs
AccessToken mode: carrying the credential in a custom header
In this mode, the credential is generally issued to the client after login verification; the client stores it itself (a web browser can choose LocalStorage, SessionStorage, etc.) and puts it into the request headers or GET parameters when sending a request.
Advantages:
- Universal across platforms: Android, iOS, PC clients and mini programs can all use it
- Cross-domain authorization is possible
- Compared with the Cookie scheme, less data is carried per request, since no Cookie is sent
- Resistant to CSRF
Disadvantages:
- Both the front end and the back end need extra logic to validate the token and fetch the corresponding data, which can be somewhat troublesome
JWT (JSON Web Token)
JWT is an authentication mechanism in which the data is stored entirely on the client, with a signature used to guarantee that the data has not been altered.
A JWT consists of a header, a payload and a signature.
Header
Mainly specifies the token type and the signature algorithm:
{
"typ": "JWT",
"alg": "HS256"
}
This needs to be turned into a Base64 string.
Payload
Used to store the actual data, the expiration time, the issue time, and so on:
{
"iss": "Online JWT Builder",
"iat": 1416797419,
"exp": 1448333419,
"aud": "www.example.com",
"sub": "[email protected]",
"GivenName": "Johnny",
"Surname": "Rocket",
"Email": "[email protected]",
"Role": [ "Manager", "Project Administrator" ]
}
Again this needs to be turned into a Base64 string.
Signature
Join the two strings obtained above, and generate the signature according to the algorithm specified in the header using a key that is kept securely on the server.
Join the header, payload and signature together, and the result is the JWT.
Advantages:
- The server does not need to store Session data
- As long as the key is stored securely, the data is safe and end users cannot tamper with it
Disadvantages:
- Every read, issue or change requires verification / signature generation, which makes modifying the data quite troublesome
- If it depends on a Cookie, it can easily cause problems such as an oversized request header
Cross-subdomain solution
By default a Cookie is valid only for the current domain name. When the server issues the credential with Set-Cookie and configures Path=/ together with the top-level domain (as in the domain=.baidu.com entry of the response sample above), the Cookie is scoped to that top-level domain and sent to all of its subdomains, which gives cross-subdomain authorization with no further work.
The AccessToken mode was discussed above with respect to cross-domain restrictions; where cross-subdomain, cross-domain or fully cross-domain login is required, the cross-domain login center solutions below are needed.
Cross-domain login center solutions
OAuth2
OAuth2 is also a cross-domain login center solution; the WeChat login and QQ login you see every day both use this mode.
OAuth2 has four grant modes in total: authorization code mode, implicit (simplified) mode, password mode and client credentials mode.
The flow chart (an image in the original) covers only third-party WeChat login; for more specific details on OAuth2 see the references below.
Reference material
HTTP study notes
Talking about OAuth 2.0 authorization with WeChat login