Question

On a webserver with Kerberos the client will send a request anonymously, and get a 401 status back. Then it sends the same request again, with authentication, and now gets a 200 status back. Is it possible to set up a web application in MVC/JavaScript/etc to know that an anonymous request is futile and go straight for the user authentication request? For a specific case I am using jQuery and AJAX that is pulling data from a server at short intervals.

UPDATE: I want the client to know that there is no use sending an anonymous request, so it can just as well send a request with a username the first time. Why send an anonymous request in the first place when you absolutely know you will only get a 401 back?

Solution

Based on this answer, you should just use beforeSend callback and then add the Authorization header on your own.
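
The `beforeSend` approach, as an added example that is not part of the original answer: the Authorization header is attached up front only when the target is HTTPS and on an explicit allow-list, so credentials are never sent preemptively to an unknown server. `ALLOWED_ORIGINS`, `isTrustedTarget`, `preemptiveAuthSettings` and the `example.test` origins are hypothetical names and constructed values, and the header value is assumed to be supplied by the caller.

```javascript
// Added example (not from the original answers).
// ALLOWED_ORIGINS is a hypothetical allow-list with a constructed value.
const ALLOWED_ORIGINS = new Set(["https://api.example.test"]);

// True only for HTTPS URLs whose origin is explicitly allow-listed.
function isTrustedTarget(url, pageOrigin) {
  let target;
  try {
    // Relative URLs are resolved against the page's own origin.
    target = new URL(url, pageOrigin);
  } catch (e) {
    return false; // unparsable URL: never attach credentials
  }
  return target.protocol === "https:" && ALLOWED_ORIGINS.has(target.origin);
}

// Builds a settings object that can be passed to $.ajax(settings).
// jQuery calls beforeSend(jqXHR, settings) before the request is sent.
function preemptiveAuthSettings(url, authHeaderValue, pageOrigin) {
  return {
    url: url,
    beforeSend: function (xhr) {
      if (isTrustedTarget(url, pageOrigin)) {
        xhr.setRequestHeader("Authorization", authHeaderValue);
      }
      // Otherwise nothing is added: the request goes out without
      // credentials and the server can answer with its 401 challenge.
    },
  };
}
```

In a page this would be called as `$.ajax(preemptiveAuthSettings(url, headerValue, window.location.origin))`.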

Other tips

You are looking for preemptive authentication, and this is highly discouraged. Do not send credentials unless the server challenges you; otherwise you may reveal secrets to an unknown server.

Update, as you don't need to allow anonymous access.

You could remove the default IIS authentication module and/or add your own custom HttpModule for a specific part:

    <location path="PathToWebApi">
      <system.web>
        <httpModules>
          <!-- default IIS HttpModules -->
          <remove name="WindowsAuthentication"/>
          <remove name="FormsAuthentication"/>
          <remove name="PassportAuthentication"/>
          <remove name="RoleManager"/>
          <remove name="UrlAuthorization"/>
          <remove name="FileAuthorization"/>
          <remove name="AnonymousIdentification"/>
          <remove name="Profile"/>
          <add name="CustomAuthentication" type="Your.NameSpace.CustomAuthentication"/>
        </httpModules>
      </system.web>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="false">
          <add name="CustomAuthentication" type="Your.NameSpace.CustomAuthentication" preCondition="managedHandler"/>
        </modules>
      </system.webServer>
    </location>

You can implement a CustomAuthentication : IHttpModule class that inspects the incoming request context and sets the current user identity depending on your custom logic.

    public void Init(HttpApplication context)
    {
        //add event listener to authenticate Http request
        //context.AuthenticateRequest += new EventHandler(AuthenticateRequest); //Session is null at AuthenticateRequest state
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow