
Communicating with Authenticating HTTP Servers



本章介绍如何通过利用CFHTTPAuthentication API与验证HTTP服务器进行交互。它阐述了如何找到一个相匹配的认证对象和证书,将它们应用于一个HTTP请求,并保存它们供以后使用。

一般,如果一个HTTP服务器响应返回401或407响应你的请求后,这意味着服务器正在认证并需要证书。在CFHTTPAuthentication API中,任一证书集保存在CFHTTPAuthentication对象中。因此,每一个不同的认证服务器和每一个不同的用户与服务器的连接都要求单独的CFHTTPAuthentication对象。要与服务器的通信,你需要将你的CFHTTPAuthentication对象应用HTTP请求。接下来更详细的解释这些步骤。

Handling Authentication




图 4-1 处理认证


Figure 4-2 查找认证对象




表 4-1 创建一个认证对象

if (!authentication) {
    CFHTTPMessageRef responseHeader =
        (CFHTTPMessageRef) CFReadStreamCopyProperty(
    // Get the authentication information from the response.
    authentication = CFHTTPAuthenticationCreateFromResponse(NULL, responseHeader);

更多有关证书的详细信息, 请阅读 "Security Credentials".



表 4-2 查找到一个有效的认证对象

CFStreamError err;
if (!authentication) {
    // the newly created authentication object is bad, must return
} else if (!CFHTTPAuthenticationIsValid(authentication, &err)) {
    // destroy authentication and credentials
    if (credentials) {
        credentials = NULL;
    authentication = NULL;
    // check for bad credentials (to be treated separately)
    if (err.domain == kCFStreamErrorDomainHTTP &&
        (err.error == kCFStreamErrorHTTPAuthenticationBadUserName
        || err.error == kCFStreamErrorHTTPAuthenticationBadPassword))
    } else {


不用存储证书 (如下文中Keeping Credentials in Memory 和 Keeping Credentials in a Persistent Store所诉), 获取有效证书唯一方法是提示用户。大多数时候,证书需要用户名和密码。 通过将认证对象传入CFHTTPAuthenticationRequiresUserNameAndPassword方法,你可以知道是否需要用户名和密码。如果证书确实需要用户名和密码,请提示用户提供并将其存储在证书字典中。对于NTLM服务器来说,证书还需要一个域。当你拥有一个新的证书,你可以使用resumeWithCredentials函数将认证对象应用于HTTP请求如表4-4。这所有的过程如表4-3所示。

提示: 在代码列表中,当注释以省略号开头和结束时,意味着该操作不在本文档的范围内,但需要实现。 这与描述正在发生什么操作的正常注释不同。

表 4-3 查找证书(如果有必要)并应用证书 Finding

// ...continued from Listing 4-2
else {
    if (credentials) {
    // are a user name & password needed?
    else if (CFHTTPAuthenticationRequiresUserNameAndPassword(authentication))
        CFStringRef realm = NULL;
        CFURLRef url = CFHTTPMessageCopyRequestURL(request);
         // check if you need an account domain so you can display it if necessary
        if (!CFHTTPAuthenticationRequiresAccountDomain(authentication)) {
            realm = CFHTTPAuthenticationCopyRealm(authentication);
        // ...prompt user for user name (user), password (pass)
        // and if necessary domain (domain) to give to the server...
        // Guarantee values
        if (!user) user = CFSTR("");
        if (!pass) pass = CFSTR("");
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationUsername, user);
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationPassword, pass);
        // Is an account domain needed? (used currently for NTLM only)
        if (CFHTTPAuthenticationRequiresAccountDomain(authentication)) {
            if (!domain) domain = CFSTR("");
                                 kCFHTTPAuthenticationAccountDomain, domain);
        if (realm) CFRelease(realm);
    else {

表 4-4 应用认证对象去请求

void resumeWithCredentials() {
    // Apply whatever credentials we've built up to the old request
    if (!CFHTTPMessageApplyCredentialDictionary(request, authentication,
                                                credentials, NULL)) {
    } else {
        // Now that we've updated our request, retry the load

Keeping Credentials in Memory




CFMutableArrayRef authArray;

instead of:

CFHTTPAuthenticationRef authentication;

2.创建一个字典用于 认证对象到证书的映射。

CFMutableDictionaryRef credentialsDict;

instead of:

CFMutableDictionaryRef credentials;


CFDictionaryRemoveValue(credentialsDict, authentication);

instead of:



表 4-5 Looking for a matching authentication object

CFHTTPAuthenticationRef findAuthenticationForRequest {
    int i, c = CFArrayGetCount(authArray);
    for (i = 0; i < c; i ++) {
        CFHTTPAuthenticationRef auth = (CFHTTPAuthenticationRef)
                CFArrayGetValueAtIndex(authArray, i);
        if (CFHTTPAuthenticationAppliesToRequest(auth, request)) {
            return auth;
    return NULL;


表 4-6 Searching the credentials store

credentials = CFDictionaryGetValue(credentialsDict, authentication);


警告: 在接收到服务器质询前不要讲证书应用到HTTP请求。服务器自上次验证后可能已经更改,你可能会创造安全风险。


Keeping Credentials in a Persistent Store



CFMutableDictionaryRef findCredentialsForAuthentication(
        CFHTTPAuthenticationRef auth);
void saveCredentialsForRequest(void);


如果证书未在内存中缓存,则搜索钥匙串。使用h SecKeychainFindInternetPassword函数搜索钥匙串。这个函数需要大量的参数。参数以及如何用于HTTP认证证书的简短说明如下:

NULL 指定用户的默认钥匙串列表。
serverName的长度, 通常是 strlen(serverName).
安全域的长度, 如果没有安全域则为0。 在示例代码中, realm ? strlen(realm) : 0 被传入用来考虑两种情况。
认证对象的范围, 从 CFHTTPAuthenticationCopyRealm 函数中获得。
accountName的长度 。因为 accountNameNULL, 这个值是0.
获取钥匙串条目时没有账户名, 因此这应该是 NULL.
path的长度, 如果没有路径则为0。 在示例代码中, path ? strlen(path) : 0被传入用来考虑两种情况。
从认证对象获取的路径, 从CFURLCopyPath 函数中得到。
端口号, 从 CFURLGetPortNumber函数中得到。
代表协议类型的字符串, 比如 HTTP 或 HTTPS。 调用 CFURLCopyScheme 函数获得协议类型。
认证类型, 从 CFHTTPAuthenticationCopyMethod函数获得。
0, 因为获取钥匙串条目时不需要密码。

表 4-7 Searching the keychain

didFind =
                                    strlen(host), host,
                                    realm ? strlen(realm) : 0, realm,
                                    0, NULL,
                                    path ? strlen(path) : 0, path,
                                    0, NULL,

假设SecKeychainFindInternetPassword 返回成功, 创建包含一个钥匙串属性(SecKeychainAttribute)的钥匙串属性列表 (SecKeychainAttributeList)。钥匙串属性列表将包含用户名和密码。调用函数SecKeychainItemCopyContent并且传入SecKeychainFindInternetPassword返回的钥匙串引用对象(itemRef)去加载钥匙串属性列表。这个函数将用用户账户名和一个void **作为它的密码填充钥匙串属性 。


表 4-8 从钥匙串中加载服务器证书

if (didFind == noErr) {
    SecKeychainAttribute     attr;
    SecKeychainAttributeList attrList;
    UInt32                   length;
    void                     *outData;
    // To set the account name attribute
    attr.tag = kSecAccountItemAttr;
    attr.length = 0; = NULL;
    attrList.count = 1;
    attrList.attr = &attr;
    if (SecKeychainItemCopyContent(itemRef, NULL, &attrList, &length, &outData)
        == noErr) {
        // is the account (username) and outdata is the password
        CFStringRef username =
                                    attr.length, kCFStringEncodingUTF8, false);
        CFStringRef password =
            CFStringCreateWithBytes(kCFAllocatorDefault, outData, length,
                                    kCFStringEncodingUTF8, false);
        SecKeychainItemFreeContent(&attrList, outData);
        // create credentials dictionary and fill it with the user name & password
        credentials =
            CFDictionaryCreateMutable(NULL, 0,
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationUsername,
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationPassword,



表 4-9 Modifying the keychain entry

// Set the attribute to the account name
attr.tag = kSecAccountItemAttr;
attr.length = strlen(username); = (void*)username;
// Modify the keychain entry
SecKeychainItemModifyContent(itemRef, &attrList, strlen(password),
                             (void *)password);

在成功调用SecKeychainAddInternetPassword后,释放钥匙串项目引用对象,除非你需要使用它做其他事情。 请参见代码表4-10中的函数调用。

表 4-10 Storing a new keychain entry

                               strlen(host), host,
                               realm ? strlen(realm) : 0, realm,
                               strlen(username), username,
                               path ? strlen(path) : 0, path,
                               strlen(password), password,

Authenticating Firewalls

验证防火墙非常类似于验证服务器,除了每个失败的HTTP请求都必须检查代理验证和服务器验证。这意味着您需要为代理服务器和源服务器单独存储(本地和持久)。 因此,失败的HTTP响应的过程现在将是:

  • 确定响应的状态代码是否为407(代理质询)。 如果是,则通过检查本地代理存储和持久代理存储来查找匹配的认证对象和凭据。 如果两者都不具有匹配的对象和凭证,则请求用户的凭证。 将身份验证对象应用于HTTP请求,然后重试。
  • 确定响应状态代码是否为401(服务器质询)。 如果是,请按照与407响应相同的过程,但使用原始服务器存储。

使用代理服务器时,还要强制执行一些细微的差异。 第一个是钥匙串调用的参数来自代理主机和端口,而不是来自源服务器的URL。 第二个是当向用户请求用户名和密码时,确保提示清楚地说明了密码是什么。



Communicating with Authenticating HTTP Servers

This chapter describes how to interact with authenticating HTTP servers by taking advantage of the CFHTTPAuthentication API. It explains how to find matching authentication objects and credentials, apply them to an HTTP request, and store them for later use.

In general, if an HTTP server returns a 401 or 407 response following your HTTP request, it means that the server is authenticating and requires credentials. In the CFHTTPAuthentication API, each set of credentials is stored in a CFHTTPAuthentication object. Therefore, every different authenticating server and every different user connecting to that server requires a separate CFHTTPAuthentication object. To communicate with the server, you need to apply your CFHTTPAuthentication object to the HTTP request. These steps are explained in more detail next.

Handling Authentication

Adding support for authentication will allow your application to talk with authenticating HTTP servers (if the server returns a 401 or 407 response). Even though HTTP authentication is not a difficult concept, it is a complicated process to execute. The procedure is as follows:

  1. The client sends an HTTP request to the server.
  2. The server returns a challenge to the client.
  3. The client bundles the original request with credentials and sends them back to the server.
  4. A negotiation takes place between the client and server.
  5. When the server has authenticated the client, it sends back the response to the request.

Performing this procedure requires a number of steps. A diagram of the entire procedure can be seen in Figure 4-1 and Figure 4-2.

Figure 4-1 Handling authentication


Figure 4-2 Finding an authentication object


When an HTTP request returns a 401 or 407 response, the first step is for the client to find a valid CFHTTPAuthentication object. An authentication object contains credentials and other information that, when applied to an HTTP message request, verifies your identity with the server. If you've already authenticated once with the server, you will have a valid authentication object. However, in most cases, you will need to create this object from the response with the CFHTTPAuthenticationCreateFromResponse function. See Listing 4-1.

Note:All the sample code regarding authentication is adapted from the ImageClient application.

Listing 4-1 Creating an authentication object

if (!authentication) {
    CFHTTPMessageRef responseHeader =
        (CFHTTPMessageRef) CFReadStreamCopyProperty(
    // Get the authentication information from the response.
    authentication = CFHTTPAuthenticationCreateFromResponse(NULL, responseHeader);

If the new authentication object is valid, then you are done and can continue to the second step of Figure 4-1. If the authentication object is not valid, then throw away the authentication object and credentials and check to see if the credentials were bad. For more information about credentials, read "Security Credentials".

Bad credentials mean that the server did not accept the login information and it will continue to listen for new credentials. However, if the credentials were good but the server still rejected your request, then the server is refusing to speak with you, so you must give up. Assuming the credentials were bad, retry this entire process beginning with creating an authentication object until you get working credentials and a valid authentication object. In code, this procedure should look like the one in Listing 4-2.

Listing 4-2 Finding a valid authentication object

CFStreamError err;
if (!authentication) {
    // the newly created authentication object is bad, must return
} else if (!CFHTTPAuthenticationIsValid(authentication, &err)) {
    // destroy authentication and credentials
    if (credentials) {
        credentials = NULL;
    authentication = NULL;
    // check for bad credentials (to be treated separately)
    if (err.domain == kCFStreamErrorDomainHTTP &&
        (err.error == kCFStreamErrorHTTPAuthenticationBadUserName
        || err.error == kCFStreamErrorHTTPAuthenticationBadPassword))
    } else {

Now that you have a valid authentication object, continue following the flowchart in Figure 4-1. First, determine whether you need credentials. If you don't, then apply the authentication object to the HTTP request. The authentication object is applied to the HTTP request in Listing 4-4 (resumeWithCredentials).

Without storing credentials (as explained in Keeping Credentials in Memory and Keeping Credentials in a Persistent Store), the only way to obtain valid credentials is by prompting the user. Most of the time, a user name and password are needed for the credentials. By passing the authentication object to the CFHTTPAuthenticationRequiresUserNameAndPassword function you can see if a user name and password are necessary. If the credentials do need a user name and password, prompt the user for them and store them in the credentials dictionary. For an NTLM server, the credentials also require a domain. After you have the new credentials, you can apply the authentication object to the HTTP request using the resumeWithCredentials function from Listing 4-4. This whole process is shown in Listing 4-3.

Note: In code listings, when comments are preceded and succeeded by ellipses, it means that that action is outside the scope of this document, but does need to be implemented. This is different from normal comments which describe what action is taking place.

Listing 4-3 Finding credentials (if necessary) and applying them

// ...continued from Listing 4-2
else {
    if (credentials) {
    // are a user name & password needed?
    else if (CFHTTPAuthenticationRequiresUserNameAndPassword(authentication))
        CFStringRef realm = NULL;
        CFURLRef url = CFHTTPMessageCopyRequestURL(request);
         // check if you need an account domain so you can display it if necessary
        if (!CFHTTPAuthenticationRequiresAccountDomain(authentication)) {
            realm = CFHTTPAuthenticationCopyRealm(authentication);
        // ...prompt user for user name (user), password (pass)
        // and if necessary domain (domain) to give to the server...
        // Guarantee values
        if (!user) user = CFSTR("");
        if (!pass) pass = CFSTR("");
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationUsername, user);
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationPassword, pass);
        // Is an account domain needed? (used currently for NTLM only)
        if (CFHTTPAuthenticationRequiresAccountDomain(authentication)) {
            if (!domain) domain = CFSTR("");
                                 kCFHTTPAuthenticationAccountDomain, domain);
        if (realm) CFRelease(realm);
    else {

Listing 4-4 Applying the authentication object to a request

void resumeWithCredentials() {
    // Apply whatever credentials we've built up to the old request
    if (!CFHTTPMessageApplyCredentialDictionary(request, authentication,
                                                credentials, NULL)) {
    } else {
        // Now that we've updated our request, retry the load

Keeping Credentials in Memory

If you plan on communicating with an authenticating server often, it may be worth reusing credentials to avoid prompting the user for the server's user name and password multiple times. This section explains the changes that should be made to one-time use authentication code (such as in Handling Authentication) to store credentials in memory for reuse later.

To reuse credentials, there are three data structure changes you need to make to your code.

  1. Create a mutable array to hold all the authentication objects.
CFMutableArrayRef authArray;

instead of:

CFHTTPAuthenticationRef authentication;
  1. Create a mapping from authentication objects to credentials using a dictionary.
CFMutableDictionaryRef credentialsDict;

instead of:

CFMutableDictionaryRef credentials;
  1. Maintain these structures everywhere you used to modify the current authentication object and the current credentials.
CFDictionaryRemoveValue(credentialsDict, authentication);

instead of:


Now, after creating the HTTP request, look for a matching authentication object before each load. A simple, unoptimized method for finding the appropriate object can be seen in Listing 4-5.

Listing 4-5 Looking for a matching authentication object

CFHTTPAuthenticationRef findAuthenticationForRequest {
    int i, c = CFArrayGetCount(authArray);
    for (i = 0; i < c; i ++) {
        CFHTTPAuthenticationRef auth = (CFHTTPAuthenticationRef)
                CFArrayGetValueAtIndex(authArray, i);
        if (CFHTTPAuthenticationAppliesToRequest(auth, request)) {
            return auth;
    return NULL;

If the authentication array has a matching authentication object, then check the credentials store to see if the correct credentials are also available. Doing so prevents you from having to prompt the user for a user name and password again. Look for the credentials using the CFDictionaryGetValue function as shown in Listing 4-6.

Listing 4-6 Searching the credentials store

credentials = CFDictionaryGetValue(credentialsDict, authentication);

Then apply your matching authentication object and credentials to your original HTTP request and resend it.

Warning: Do not apply credentials to the HTTP request before receiving a server challenge. The server may have changed since the last time you authenticated and you could create a security risk.

With these changes, you application will be able to store authentication objects and credentials in memory for use later.

Keeping Credentials in a Persistent Store

Storing credentials in memory prevents a user from having to reenter a server's user name and password during that specific application launch. However, when the application quits, those credentials will be released. To avoid losing the credentials, save them in a persistent store so each server's credentials need to be generated only once. A keychain is the recommended place for storing credentials. Even though you can have multiple keychains, this document refers to the user's default keychain as the keychain. Using the keychain means that the authentication information that you store can also be used in other applications trying to access the same server, and vice versa.

Storing and retrieving credentials in the keychain requires two functions: one for finding the credentials dictionary for authentication and one for saving the credentials of the most recent request. These functions will be declared in this document as:

CFMutableDictionaryRef findCredentialsForAuthentication(
        CFHTTPAuthenticationRef auth);
void saveCredentialsForRequest(void);

The function findCredentialsForAuthentication first checks the credentials dictionary stored in memory to see whether the credentials are cached locally. See Listing 4-6 for how to implement this.

If the credentials are not cached in memory, then search the keychain. To search the keychain, use the function SecKeychainFindInternetPassword. This function requires a large number of parameters. The parameters, and a short description of how they are used with HTTP authentication credentials, are:

NULL to specify the user's default keychain list.
The length of serverName, usually strlen(serverName).
The server name parsed from the HTTP request.
The length of security domain, or 0 if there is no domain. In the sample code, realm ? strlen(realm) : 0 is passed to account for both situations.
The realm of the authentication object, obtained from the CFHTTPAuthenticationCopyRealm function.
The length of accountName. Since the accountName is NULL, this value is 0.
There is no account name when fetching the keychain entry, so this should be NULL.
The length of path, or 0 if there is no path. In the sample code, path ? strlen(path) : 0 is passed to account for both situations.
The path from the authentication object, obtained from the CFURLCopyPath function.
The port number, obtained from the function CFURLGetPortNumber.
A string representing the protocol type, such as HTTP or HTTPS. The protocol type is obtained by calling the CFURLCopyScheme function.
The authentication type, obtained from the function CFHTTPAuthenticationCopyMethod.
0, because no password is necessary when fetching a keychain entry.
NULL, because no password is necessary when fetching a keychain entry.
The keychain item reference object, SecKeychainItemRef, returned upon finding the correct keychain entry
When called properly, the code should look like that in Listing 4-7.

Listing 4-7 Searching the keychain

didFind =
                                    strlen(host), host,
                                    realm ? strlen(realm) : 0, realm,
                                    0, NULL,
                                    path ? strlen(path) : 0, path,
                                    0, NULL,

Assuming that SecKeychainFindInternetPassword returns successfully, create a keychain attribute list (SecKeychainAttributeList) containing a single keychain attribute (SecKeychainAttribute). The keychain attribute list will contain the user name and password. To load the keychain attribute list, call the function SecKeychainItemCopyContent and pass it the keychain item reference object (itemRef) that was returned by SecKeychainFindInternetPassword. This function will fill the keychain attribute with the account's user name, and a void ** as its password.

The user name and password can then be used to create a new set of credentials. Listing 4-8 shows this procedure.

Listing 4-8 Loading server credentials from the keychain

if (didFind == noErr) {
    SecKeychainAttribute     attr;
    SecKeychainAttributeList attrList;
    UInt32                   length;
    void                     *outData;
    // To set the account name attribute
    attr.tag = kSecAccountItemAttr;
    attr.length = 0; = NULL;
    attrList.count = 1;
    attrList.attr = &attr;
    if (SecKeychainItemCopyContent(itemRef, NULL, &attrList, &length, &outData)
        == noErr) {
        // is the account (username) and outdata is the password
        CFStringRef username =
                                    attr.length, kCFStringEncodingUTF8, false);
        CFStringRef password =
            CFStringCreateWithBytes(kCFAllocatorDefault, outData, length,
                                    kCFStringEncodingUTF8, false);
        SecKeychainItemFreeContent(&attrList, outData);
        // create credentials dictionary and fill it with the user name & password
        credentials =
            CFDictionaryCreateMutable(NULL, 0,
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationUsername,
        CFDictionarySetValue(credentials, kCFHTTPAuthenticationPassword,

Retrieving credentials from the keychain is only useful if you can store credentials in the keychain first. The steps are very similar to loading credentials. First, see if the credentials are already stored in the keychain. Call SecKeychainFindInternetPassword, but pass the user name for accountName and the length of accountName for accountNameLength.

If the entry exists, modify it to change the password. Set the data field of the keychain attribute to contain the user name, so that you modify the correct attribute. Then call the function SecKeychainItemModifyContent and pass the keychain item reference object (itemRef), the keychain attribute list, and the new password. By modifying the keychain entry rather than overwriting it, the keychain entry will be properly updated and any associated metadata will still be preserved. The entry should look like the one in Listing 4-9.

Listing 4-9 Modifying the keychain entry

// Set the attribute to the account name
attr.tag = kSecAccountItemAttr;
attr.length = strlen(username); = (void*)username;
// Modify the keychain entry
SecKeychainItemModifyContent(itemRef, &attrList, strlen(password),
                             (void *)password);

If the entry does not exist, then you will need to create it from scratch. The function SecKeychainAddInternetPassword accomplishes this task. Its parameters are the same as SecKeychainFindInternetPassword, but in contrast with the call to SecKeychainFindInternetPassword, you supply SecKeychainAddInternetPassword both a user name and a password. Release the keychain item reference object following a successful call to SecKeychainAddInternetPassword unless you need to use it for something else. See the function call in Listing 4-10.

Listing 4-10 Storing a new keychain entry

                               strlen(host), host,
                               realm ? strlen(realm) : 0, realm,
                               strlen(username), username,
                               path ? strlen(path) : 0, path,
                               strlen(password), password,

Authenticating Firewalls

Authenticating firewalls is very similar to authenticating servers except that every failed HTTP request must be checked for both proxy authentication and server authentication. This means that you need separate stores (both local and persistent) for proxy servers and origin servers. Thus, the procedure for a failed HTTP response will now be:

  • Determine whether the response's status code was 407 (a proxy challenge). If it is, find a matching authentication object and credentials by checking the local proxy store and the persistent proxy store. If neither of those has a matching object and credentials, then request the credentials from the user. Apply the authentication object to the HTTP request and try again.
  • Determine whether the response's status code was 401 (a server challenge). If it is, follow the same procedure as with a 407 response, but use the origin server stores.

There are also a few minor differences to enforce when using proxy servers. The first is that the arguments to the keychain calls come from the proxy host and port, rather than from the URL for an origin server. The second is that when asking the user for a user name and password, make sure the prompt clearly states what the password is for.

By following these instructions, your application should be able to work with authenticating firewalls.
