问题描述
我们很少有通过 Bearer令牌身份验证流程访问的Web API。现在,我们还需要通过基于 Proxy 的身份验证来支持这些API(例如,Basic,Digest,NTLM)。到目前为止,我已经能够测试 Bearer令牌身份验证和 Basic 身份验证,现在我正在研究 Digest 身份验证。
由于Bearer令牌流使用 Authorization 标头,而代理摘要式身份验证在客户端和代理服务器之间的身份验证流中也具有Authorization标头的重叠/冲突用法。我们可以同时实现两种身份验证方案(承载者和代理摘要)吗?
在客户端,我使用了Java中的 okhttp-digest (https://github.com/rburgst/okhttp-digest)库。在测试代理服务器上的摘要身份验证方案时,我尝试了使用 digest_auth 模块的{strong> Squid 服务器和 Nginx / OpenResty 服务器({{3} }),但任何代理服务器都没有运气。如果是Squid服务器,它将用当前URL的主机替换从客户端发送的自定义 Host 标头(Web API端不希望如此)。在使用Nginx / OpenResty的情况下,它会发送 401 ,在代理身份验证的情况下okhttp-digest与之不兼容。
OpenResty / Nginx中的模块是否特别有用,可以帮助我从客户端/代理服务器端实现两种身份验证?
目前,我正在研究如何在后续请求中在客户端成功进行身份验证时发送Bearer令牌,尽管我不确定它是否会起作用或在代理服务器端再次发生冲突。
使用okhttp-digest库的客户端代码。
import com.burgstaller.okhttp.AuthenticationCacheInterceptor;
import com.burgstaller.okhttp.CachingAuthenticatorDecorator;
import com.burgstaller.okhttp.dispatchingAuthenticator;
import com.burgstaller.okhttp.basic.BasicAuthenticator;
import com.burgstaller.okhttp.digest.CachingAuthenticator;
import com.burgstaller.okhttp.digest.Credentials;
import com.burgstaller.okhttp.digest.DigestAuthenticator;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.logging.HttpLoggingInterceptor;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
public class Test {
public static String bearerToken = "Bearer abc";
public static void main(String[] args) throws Exception {
Proxy proxy = new Proxy(Proxy.Type.HTTP,new InetSocketAddress("192.168.0.3",80));
HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
logging.setLevel(HttpLoggingInterceptor.Level.HEADERS);
OkHttpClient.Builder builder = new OkHttpClient.Builder();
final Map<String,CachingAuthenticator> authCache = new ConcurrentHashMap<>();
Credentials credentials = new Credentials("username","password");
final BasicAuthenticator basicAuthenticator = new BasicAuthenticator(credentials);
final DigestAuthenticator digestAuthenticator = new DigestAuthenticator(credentials);
dispatchingAuthenticator authenticator = new dispatchingAuthenticator.Builder()
.with("digest",digestAuthenticator)
.build();
final OkHttpClient client = builder
.proxy(proxy)
.proxyAuthenticator(new CachingAuthenticatorDecorator(authenticator,authCache))
.addInterceptor(new AuthenticationCacheInterceptor(authCache))
.addInterceptor(logging)
.build();
String url = "http://www.example.com";
Request request = new Request.Builder()
.url(url)
.method("GET",null)
.addHeader("Host","admin.example.com")
.addHeader("Authorization",bearerToken)
.get()
.build();
Response response = client.newCall(request).execute();
System.out.println(response.body().string());
}
}
OpenResty内的Nginx.conf(使用auth_digest和其他必需的模块构建)。
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/Nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
resolver 114.114.114.114;
# resolver 8.8.8.8;
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time req_header:"$req_header" req_body:"$request_body" '
'resp_header:"$resp_header" resp_body:"$resp_body"';
lua_need_request_body on;
body_filter_by_lua '
local resp_body = string.sub(ngx.arg[1],1,1000)
ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
if ngx.arg[2] then
ngx.var.resp_body = ngx.ctx.buffered
end
';
header_filter_by_lua '
local h = ngx.req.get_headers()
for k,v in pairs(h) do
ngx.var.req_header = ngx.var.req_header .. k.."="..v.." "
end
local rh = ngx.resp.get_headers()
for k,v in pairs(rh) do
ngx.var.resp_header = ngx.var.resp_header .. k.."="..v.." "
end
';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
set $resp_body "";
set $req_header "";
set $resp_header "";
auth_digest_user_file /etc/proxy/users_digest;
auth_digest 'realm';
proxy_connect;
proxy_connect_allow 443;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
add_header X-DEBUG-MSG-1 "$uri";
add_header X-DEBUG-MSG-2 "$http_authorization";
proxy_set_header Host $host;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Host;
proxy_pass_header Authorization;
proxy_pass $scheme://$host$request_uri;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 443 ssl;
server_name localhost;
set $resp_body "";
set $req_header "";
set $resp_header "";
auth_digest_user_file /etc/proxy/users_digest;
auth_digest 'realm';
proxy_connect;
proxy_connect_allow 443;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
ssl_certificate /etc/ssl/certs/Nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/Nginx-selfsigned.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
add_header X-DEBUG-MSG-1 "$uri";
add_header X-DEBUG-MSG-2 "$http_authorization";
proxy_set_header Host $host;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Host;
proxy_pass_header Authorization;
proxy_pass $scheme://$host$request_uri;
}
}
}
PS ,我认为我不能将 Nginx 与 digest_auth 模块一起使用,因为它总是返回 401 (带有 WWW-Authenticate 响应标头,而不是 Proxy-Authenticate 响应标头),因为它希望在 Authorization 请求标头而不是 Proxy-Authorization中获得摘要身份验证信息请求标头。因此,为了测试Digest身份验证方案,我需要一个转发代理服务器(类似于 Squid ,而不是 Squid本身,因为它弄乱了使用主机请求标头(这在我的用例中是不希望的)进行代理身份验证,而不是服务器身份验证。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)