curl总是返回两个标题

时间:2014-04-10 17:56:18

标签: security curl terminal

我尝试过使用Windows和Mac OS X中的curl,它们总能产生相同的效果。我正在发起针对领域的请求,我使用--digest标志进行身份验证:

curl <options> --digest --user admin <endpoint> -v -v --raw

我的所有通话都会产生两个标题:

* Adding handle: conn: 0x7f908c80ba00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f908c80ba00) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8002 (#0)
*   Trying ::1...
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8002 (#0)
* Server auth using Digest with user 'admin'
> PUT /endpoint HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:8002
> Accept: */*
> Content-type: application/xml
> Content-Length: 0
> 
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Digest realm="public", qop="auth", nonce="e54fba22d0eca67e26155cf243dcf4ca", opaque="370985129eb9e9d5"
< Content-type: application/xml
* Server <X> is not blacklisted
< Server: <X>
< Content-Length: 173
< Connection: Keep-Alive
< Keep-Alive: timeout=5
< 
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8002/endpoint'
* Found bundle for host localhost: 0x7f908b6095c0
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (127.0.0.1) port 8002 (#0)
* Adding handle: conn: 0x7f908c80ba00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f908c80ba00) send_pipe: 1, recv_pipe: 0
* Server auth using Digest with user 'admin'
> PUT /endpoint HTTP/1.1
> Authorization: Digest username="admin", realm="public", nonce="e54fba22d0eca67e26155cf243dcf4ca", uri="/endpoint", cnonce="ICAgICAgICAgICAgICAgICAgICAgIDEzOTc5NzM3MzY=", nc=00000001, qop=auth, response="47da275c9b69e8541ed335a040d4d10d", opaque="370985129eb9e9d5"
> User-Agent: curl/7.30.0
> Host: localhost:8002
> Accept: */*
> Content-type: application/xml
> Content-Length: 118
> 
* upload completely sent off: 118 out of 118 bytes
< HTTP/1.1 204 No Content
* Server <X> is not blacklisted
< Server: <X>
< Content-Length: 0
< Connection: Keep-Alive
< Keep-Alive: timeout=5
< 
* Connection #0 to host localhost left intact

为什么我总是得到401标题?我希望看到--anyauth标志而不是--digest

3 个答案:

答案 0 :(得分:3)

你可以看到所有标题卷曲。

使用--digest curl必须首先获得401才能获得nonce等能够执行第二个获取真实数据的请求。

使用--anyauth,curl甚至不会假设存在身份验证,因此它首先通过执行普通请求来“探测”页面(很像浏览器会这样做),然后基于401响应它会采取行动。所以,是的,如果你做--anyuth,如果然后curl认为摘要是最合适的身份验证方法,服务器说它支持资源,那么将有3个请求发送给服务器。

答案 1 :(得分:1)

要在使用http授权的HTTP服务器上进行正确身份验证,需要向服务器发出至少1个请求以获取所使用的授权类型。这是它的第一个请求。服务器使用用于将密码发送到服务器的编码方法响应此请求,在这种情况下它是:

< WWW-Authenticate: Digest realm="public", qop="auth", nonce="e54fba22d0eca67e26155cf243dcf4ca", opaque="370985129eb9e9d5"

客户端从服务器收到的这些值用于生成带密码的哈希值,因此嗅探器无法在没有暴力破解密码的情况下查找密码。 Wikipedia准确描述了如何使用密码对nonce进行哈希处理以生成密钥。这些哈希用于将另一个HTTP请求发送回服务器,如以下输出所示

  

授权:Digest username =“admin”,realm =“public”,nonce =“e54fba22d0eca67e26155cf243dcf4ca”,uri =“/ endpoint”,cnonce =“ICAgICAgICAgICAgICAgICAgICAgIDEzOTc5NzM3MzY =”,nc = 00000001,qop = auth,response =“47da275c9b69e8541ed335a040d4d10d “,opaque =”370985129eb9e9d5“

这是curl发出的第二个请求,并上传您要发送的实际数据(0个字节到/端点)

答案 2 :(得分:0)

Curl发出两个请求,因为它需要401响应中服务器提供的nonce(随机,单次使用值),因此它可以创建一个正确的WWW-Authenticate头。

相关问题
最新问题