11 Ustanovlenie podlinnosti dostupa (Access Authentication).
HTTP obespechivaet dlya ustanovleniya podlinnosti prostoj mehanizm vyzov-otvet (challenge-response), kotoryj MOZHET ispol'zovat'sya serverom dlya vyzova (challenge) klientskogo zaprosa, a klientom dlya predostavleniya opoznavatel'noj informacii (authentication information). On ispol'zuet rasshiryaemuyu, ne chuvstvitel'nuyu k registru leksemu identifikacii shemy ustanovleniya podlinnosti (authentication scheme) i otdelennyj zapyatoj spisok par atribut-znachenie (attribute-value), kotorye predstavlyayut parametry, neobhodimye dlya ustanovleniya podlinnosti s ispol'zovaniem etoj shemy.
auth-scheme = token auth-param = token "=" quoted-string
Soobshchenie otveta s kodom 401 (Nesankcionirovan, Unauthorized) ispol'zuetsya pervonachal'nym serverom dlya vyzova (challenge) ustanovleniya podlinnosti (authorization) agentom pol'zovatelya. |tot otvet DOLZHEN soderzhat' pole zagolovka WWW-Authenticate, vklyuchayushchee po krajnej mere odin vyzov (challenge), primenimyj k zaproshennomu resursu.
challenge = auth-scheme 1*SP realm *( "," auth-param ) realm = "realm" "=" realm-value realm-value = quoted-string
Atribut oblasti (realm) (ne chuvstvitel'nyj k registru) trebuetsya dlya vseh shem ustanovleniya podlinnosti, kotorye vydayut vyzov (challenge). Znachenie attributa realm (chuvstvitel'noe k registru), v kombinacii s kanonicheskim kornevym URL (smotret' razdel 5.1.2) servera, k kotoromu obrashchen zapros, opredelyaet oblast' zashchity (protection space). |ti oblasti pozvolyayut razbivat' zashchishchennye resursy servera na mnozhestvo oblastej, kazhdaya iz kotoryh imeet sobstvennuyu opoznavatel'nuyu shemu i/ili bazu dannyh ustanovleniya podlinnosti (authorization database). Znachenie realm - stroka, voobshche govorya naznachennaya pervonachal'nym serverom, kotoraya mozhet imet' dopolnitel'nuyu semantiku, specificheskuyu dlya shemy ustanovleniya podlinnosti (authentication scheme).
Agent pol'zovatelya, kotoryj hochet dokazat' svoyu podlinnost' serveru, obychno, no ne obyazatel'no, MOZHET eto sdelat' posle polucheniya otveta s kodom sostoyaniya 401 ili 411, vklyuchiv pole zagolovka Authorization v zapros. Znachenie polya Authorization sostoit iz rekomendacij (credentials), soderzhashchih informaciyu ustanovleniya podlinnosti (authentication information) agenta pol'zovatelya dlya oblasti (realm) zaproshennogo resursa.
credentials = basic-credentials | auth-scheme #auth-param
Oblast' (domain), nad kotoroj rekomendacii (credentials) mogut avtomaticheski primenyat'sya agentom pol'zovatelya, opredelena oblast'yu zashchity (protection space). Esli podlinnost' byla ustanovlena predshestvuyushchim zaprosom, to eti zhe rekomendacii (credentials) MOGUT ispol'zovat'sya mnogokratno vo vseh drugih zaprosah vnutri etoj oblasti zashchity (protection space) v techenii vremeni, opredelennogo shemoj ustanovleniya podlinnosti, parametrami, i/ili ustanovkami pol'zovatelya. Esli shemoj ustanovleniya podlinnosti ne opredeleno inogo, to odinochnaya oblast' zashchity (protection space) ne mozhet prostirat'sya shire oblasti servera (the scope of its server).
Esli server ne zhelaet prinimat' rekomendacii (credentials), poslannye v zaprose, to emu SLEDUET vozvratit' otvet s kodom 401 (Nesankcionirovan, Unauthorized). Otvet DOLZHEN vklyuchat' pole zagolovka WWW-Authenticate, soderzhashchee (vozmozhno novyj) vyzov (challenge), primenimyj k zaproshennomu resursu, i ob®ekt, ob®yasnyayushchij otkaz.
Protokol HTTP ne ogranichivaet prilozheniya ispol'zovaniem etogo prostogo mehanizma vyzov-otvet (challenge-response) dlya ustanovleniya podlinnosti dostupa. MOZHNO ispol'zovat' dopolnitel'nye mehanizmy, takie kak shifrovanie na transportnom urovne ili formirovanie paketa soobshcheniya (message encapsulation) s dopolnitel'nymi polyami zagolovka, opredelyayushchimi informaciyu ustanovleniya podlinnosti. Odnako eti dopolnitel'nye mehanizmy ne opredeleny v etoj specifikacii.
Proksi-servera DOLZHNY byt' polnost'yu prozrachny dlya ustanovleniya podlinnosti agenta pol'zovatelya. To est' oni DOLZHNY peresylat' zagolovki WWW-Authenticate i Authorization netronutymi i sledovat' pravilam razdela 14.8.
HTTP/1.1 pozvolyaet klientu peredavat' informaciyu ustanovleniya podlinnosti dlya i ot proksi-servera posredstvom zagolovkov Proxy-Authenticate i Proxy-Authorization.
11.1 Bazovaya shema ustanovleniya podlinnosti (Basic Authentication Scheme).
"Bazovaya" shema ustanovleniya podlinnosti osnovana na tom, chto agent pol'zovatelya dolzhen dokazyvat' svoyu podlinnost' pri pomoshchi identifikatora pol'zovatelya (user-ID) i parolya (password) dlya kazhdoj oblasti (realm). Znacheniyu oblasti (realm) sleduet byt' neprozrachnoj (opaque) strokoj, kotoruyu mozhno proveryat' tol'ko na ravenstvo s drugimi oblastyami na etom servere. Server obsluzhit zapros, tol'ko esli on mozhet proverit' pravil'nost' identifikatora pol'zovatelya (user-ID) i parolya (password) dlya zashchishchennoj oblasti (protection space) zaproshennogo URI (Request-URI). Nikakih opcional'nyh opoznavatel'nyh parametrov net.
Posle polucheniya zaprosa na URI, nahodyashchijsya v zashchishchaemoj oblasti (protection space), server MOZHET otvetit' vyzovom (challenge), podobnym sleduyushchemu:
WWW-Authenticate: Basic realm="WallyWorld"gde "WallyWorld" - stroka, naznachennaya serverom, kotoraya identificiruet oblast' zashchity zaprashivaemogo URI (Request-URI).
CHtoby poluchit' prava dostupa, klient posylaet identifikator pol'zovatelya (userid) i parol' (password), razdelennye odnim simvolom dvoetochiya (":"), vnutri base64-kodirovannoj stroki rekomendacij (credentials).
basic-credentials = "Basic" SP basic-cookie basic-cookie = <base64-kodirovannyj [7] user-pass, za isklyucheniem ne ogranichennyh 76 simvolami v stroke> user-pass = userid ":" password userid = *<TEXT ne soderzhashchij ":"> password = *TEXT
Userid mozhet byt' chuvstvitelen k registru.
Esli agent pol'zovatelya hochet poslat' identifikator pol'zovatelya (userid) "Aladdin", i parol' (password) "open sesame", on budet ispol'zovat' sleduyushchee pole zagolovka:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Soglasheniya o zashchite, svyazannye s bazovoj shemoj ustanovleniya podlinnosti, smotrite v razdele 15.
11.2 Obzornaya shema ustanovleniya podlinnosti (Digest Authentication Scheme).
Obzornoe ustanovlenie podlinnosti dlya HTTP opredelyaetsya v RFC 2069 [32].