HTTP and HTTPS explanations

http and HTTPS explanations

Transferred from: http://www.cnblogs.com/ok-lanyan/archive/2012/07/14/2591204.html

HTTP is an object-oriented protocol belonging to the application layer, which is suitable for distributed hypermedia information System because of its simple and fast way. It was proposed in 1990, after several years of use and development, has been continuously improved and expanded. Currently used in the WWW is the sixth edition of Http/1.0, http/1.1 standardization work is in progress, and Http-ng (Next Generation of HTTP) has been proposed.
The main features of the HTTP protocol can be summarized as follows:
1. Support client/server mode.
2. Simple and fast: When a customer requests a service from the server, it simply transmits the request method and path. The request method commonly has, POST. Each method specifies a different type of contact between the customer and the server. Because the HTTP protocol is simple, the HTTP server's program size is small, so the communication speed is fast.
3. Flexible: HTTP allows the transfer of any type of data object. The type being transmitted is marked by Content-type.
4. No connection: The meaning of no connection is to limit the processing of only one request per connection. When the server finishes processing the customer's request and receives the customer's answer, the connection is disconnected. In this way, the transmission time can be saved.
5. Stateless: The HTTP protocol is a stateless protocol. Stateless means that the protocol has no memory capacity for transactional processing. A lack of state means that if the previous information is required for subsequent processing, it must be re-routed, which may cause the amount of data to be transferred per connection to increase. On the other hand, it responds faster when the server does not need the previous information.

First, HTTP

1.1 HTTP protocol Detailed URL Chapter

HTTP (Hypertext Transfer Protocol) is a request-and-response mode-based, stateless, application-level protocol, often based on TCP connection, HTTP1.1 version of a continuous connection mechanism, the vast majority of web development, is built on the HTTP protocol on the Web application.

The HTTP URL (url is a special type of URI that contains enough information to find a resource) in the following format:

http://host[":" Port][abs_path]
HTTP means to locate network resources through the HTTP protocol, the host represents a legitimate Internet host domain name or IP address; port specifies a port number, or null specifies the URI of the requested resource using the default port 80;abs_path, if no abs_ is given in the URL Path, it must be given as a "/" when it is a request URI, which is usually done automatically by the working browser.
eg
1, Input: www.guet.edu.cn browser automatically converted to: http://www.guet.edu.cn/
2, http:192.168.0.116:8080/index.jsp

1.2 HTTP protocol detailed request chapter

The HTTP request consists of three parts: the request line, the message header, the request body

1. The request line begins with a method symbol, separated by a space, followed by the requested URI and version of the Protocol, in the following format:

Method Request-uri http-version CRLF
Where method means the request, Request-uri is a Uniform Resource identifier, http-version represents the HTTP protocol version of the request, CRLF indicates carriage return and newline (except for the CRLF at the end, a separate CR or LF character is not allowed).

There are several ways to request a method (all uppercase), and each method is interpreted as follows:
Get request gets the resource identified by the Request-uri
Post appends new data to the resource identified by Request-uri
HEAD request Gets the response message header for the resource identified by Request-uri
PUT Request server stores a resource and uses Request-uri as its identity
Delete Request server deletes the resource identified by the Request-uri
TRACE requests the server to echo received request information, primarily for testing or diagnostics
CONNECT reserved for future use
Options request the performance of the query server, or query for resource-related choices and requirements
Application Examples:
Get method: When you access a Web page by entering a URL in the address bar of the browser, the browser uses the Get method to get resources to the server, eg:get/form.html http/1.1 (CRLF)

The Post method requires the requested server to accept the data appended to the request and is often used to submit the form.
eg:post/reg.jsp http/(CRLF)
Accept:image/gif,image/x-xbit,... (CRLF)
...
HOST:www.guet.edu.cn (CRLF)
Content-length:22 (CRLF)
Connection:keep-alive (CRLF)
Cache-control:no-cache (CRLF)
(CRLF)//The CRLF indicates that the message header has ended, preceded by a message header
user=jeffrey&pwd=1234//The following line is the submitted data

The head method is almost the same as the Get method, and for the response part of the head request, the information contained in the HTTP header is the same as the information obtained through the GET request. Using this method, you can obtain information about the resources identified by Request-uri without transmitting the entire resource content. This method is commonly used to test the validity of hyperlinks, whether they can be accessed, and whether they have been updated recently.
2. After the request header is described
3. Request body (slightly)

1.3 HTTP protocol Detailed response Chapter

After receiving and interpreting the request message, the server returns an HTTP response message.

The HTTP response is also made up of three parts: status line, message header, response body
1, the status line format is as follows:
Http-version Status-code reason-phrase CRLF
Where http-version represents the version of the server HTTP protocol, Status-code represents the response status code sent back by the server, and Reason-phrase represents a textual description of the status code.
The status code consists of three digits, the first number defines the category of the response, and there are five possible values:
1XX: Indication information--Indicates that the request has been received and continues processing
2XX: Success-Indicates that the request has been successfully received, understood, accepted
3XX: Redirect--further action is required to complete the request
4XX: Client Error--Request syntax error or request not implemented
5XX: Server-side error-the server failed to implement a legitimate request
Common status codes, status descriptions, descriptions:
$ OK//client request succeeded
Bad Request//client requests have syntax errors and cannot be understood by the server
401 Unauthorized//request unauthorized, this status code must be used with the Www-authenticate header field
403 Forbidden//server receives request, but refuses to provide service
404 Not Found//request resource not present, eg: Wrong URL entered
Internal Server error//server unexpected errors
503 Server Unavailable//server is currently unable to process client requests and may return to normal after some time
eg:http/1.1 OK (CRLF)

2. The response header is described later

3, the response body is the contents of the resources returned by the server

1.4 HTTP protocol Detailed message header chapter

HTTP messages consist of client-to-server requests and server-to-client responses. Both the request message and the response message are from the start line (for the request message, the start line is the request line, for the response message, the start line is the status line), the message header (optional), the empty line (only the CRLF line), and the message body (optional) is composed.

The HTTP message header includes the normal header, the request header, the response header, and the entity header.
Each header field consists of a name + ":" + a Space + value, and the name of the message header field is case-insensitive.

1. Normal header
In the normal header, a small number of header fields are used for all request and response messages, but not for the transferred entity, only for the transmitted messages.
eg
The Cache-control is used to specify the cache instruction, the cache instruction is unidirectional (the cache instruction appearing in the response may not appear in the request), and is independent (the cache instruction of one message does not affect the caching mechanism of another message processing), and HTTP1.0 uses a similar header domain of pragma.
Cache directives at request include: No-cache (used to indicate that the request or response message cannot be cached), No-store, Max-age, Max-stale, Min-fresh, only-if-cached;
Cache directives for response include: public, Private, No-cache, No-store, No-transform, Must-revalidate, Proxy-revalidate, Max-age, S-maxage.
Eg: in order to instruct IE browser (client) not to cache the page, the server-side JSP program can be written as follows: Response.sehheader ("Cache-control", "No-cache");
Response.setheader ("Pragma", "No-cache"), function equivalent to the above code, usually both//shared
This code will set the normal header field in the Sent response message: Cache-control:no-cache

Date Normal header field indicates the day and time the message was generated

The connection normal header field allows the option to send a specified connection. For example, specify that the connection is contiguous, or specify a "close" option to notify the server to close the connection after the response is complete

The

2, request header
Request header allows the client to pass additional information about the request to the server side, as well as the client itself. The
Common request header
Accept Request header field is used to specify which types of information the client accepts. Eg:accept:image/gif, indicating that the client wants to accept a resource in GIF image format; accept:text/html, indicating that the client wants to accept HTML text. The
Accept-charset request header field is used to specify the character set accepted by the client. eg:accept-charset:iso-8859-1,gb2312. If the field is not set in the request message, the default is to accept any character set. , the
accept-encoding request header field is similar to accept, but it is used to specify acceptable content encoding. Eg:accept-encoding:gzip.deflate. If the domain server is not set in the request message, the client is assumed to be acceptable for various content encodings. The
Accept-language request header field is similar to Accept, but it is used to specify a natural language. EG:ACCEPT-LANGUAGE:ZH-CN. If the header field is not set in the request message, the server assumes that the client is acceptable for each language. The
authorization request header domain is primarily used to prove that a client has permission to view a resource. When a browser accesses a page, if a response code of 401 (unauthorized) is received from the server, a request containing the authorization request header domain can be sent, requiring the server to validate it. The
host request header domain is used primarily to specify the Internet host and port number of the requested resource, which is usually extracted from the HTTP URL, which is required when sending the request, eg: we enter in the browser: http://www.guet.edu.cn/ Index.html

In the request message sent by the browser, the Host request header field is included, as follows: Host:www.guet.edu.cn
Use the default port number 80 here, and if you specify a port number, it becomes: Host:www.guet.edu.cn: Specify the port number
User-agent we go online to the forum, often will see some welcome information, which lists the name and version of your operating system, the name and version of the browser you are using, which often makes a lot of people feel very magical, in fact, The server application obtains this information from the User-agent request header domain. The User-agent request header domain allows the client to tell the server about its operating system, browser, and other properties. However, this header field is not required, and if we write a browser ourselves without using the User-agent request header domain, then the server side will not be able to know our information.
Request Header Example:
get/form.html http/1.1 (CRLF)
accept:image/gif,image/x-xbitmap,image/jpeg,application/ x-shockwave-flash,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/* (CRLF)
ACCEPT-LANGUAGE:ZH-CN (CRLF)
Accept-encoding:gzip,deflate (CRLF)
if-modified-since:wed,05 Jan 2007 11:21:25 GMT (CRLF)
if-none-match:w/"80b1a4c018f3c41:8317" (CRLF)
user-agent:mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0) (CRLF)
Host:www.guet.edu.cn (CRLF)
Connection:keep-alive (CRLF)
(CRLF)

The

3, response Header
Response header allows the server to pass additional response information that cannot be placed in the status line, as well as information about the server and the next access to the resources identified by Request-uri. The
Common response Header
Location response header field is used to redirect the recipient to a new position. Location response header fields are commonly used when changing domain names. The
Server response header field contains the software information that the server uses to process the request. Corresponds to the User-agent request header field. The following is an example of the Server response header field: The server:apache-coyote/1.1
www-authenticate response Header field must be contained in a 401 (unauthorized) response message when the client receives a 401 response message. When the authorization header domain is sent to the request server for authentication, the service-side response header contains the header domain.
Eg:www-authenticate:basic realm= "Basic Auth test!"  //You can see that the server is using a Basic authentication mechanism for the requested resource.

4. Entity Header
Both request and response messages can send an entity. An entity consists of an Entity header field and an entity body, but it does not mean that the entity header fields and entity bodies are sent together, and only the entity header fields can be sent. The entity header defines the meta-information about the entity body (eg: there is no entity body) and the resource identified by the request.
Common entity Headers
The Content-encoding Entity header field is used as a modifier for the media type, and its value indicates the encoding of additional content that has already been applied to the entity body, so the corresponding decoding mechanism must be used to obtain the media type referenced in the Content-type header domain. Content-encoding This method of compressing the document, Eg:content-encoding:gzip
The Content-language Entity header field describes the natural language used by the resource. The domain is not set and the entity content is considered to be available to all languages for reading
Stakeholders Eg:content-language:da
The Content-length Entity header field is used to indicate the length of the entity body, expressed as a decimal number stored in bytes.
The Content-type Entity header field term indicates the media type that is sent to the recipient's entity body. eg
Content-type:text/html;charset=iso-8859-1
content-type:text/html;charset=gb2312
The Last-modified Entity header field is used to indicate the last modification date and time of the resource.
The Expires Entity header field gives the date and time when the response expires. In order for a proxy server or browser to update the cache after a period of time (once again accessing pages that have been visited, loading directly from the cache, shortening response times, and reducing server load), we can use the Expires entity header domain to specify when the page expires. eg:expires:thu,15 SEP 2006 16:23:12 GMT
The HTTP1.1 client and cache must treat other illegal date formats (including 0) as expired. Eg: in order to let the browser do not cache the page, we can also take advantage of the Expires entity header domain, set as 0,jsp in the program as follows: Response.setdateheader ("Expires", "0");

Tool class for Httputil.java

public class Httputil {public static string HttpGet (String httpurl) {string result = "";        Defaulthttpclient httpclient = new Defaulthttpclient ();//Create HTTP client httpget HttpGet = new HttpGet (Httpurl);        HttpResponse response = null; Httpparams params = Httpclient.getparams ();        Compute network Timeout with httpconnectionparams.setconnectiontimeout (params, 15 * 1000);                Httpconnectionparams.setsotimeout (Params, 20 * 1000);            try {response = Httpclient.execute (HttpGet);            httpentity entity = response.getentity ();//Get HTTP Content response.getstatusline (). Getstatuscode ();//Get the Status return value of HTTP result = Entityutils.tostring (response.getentity ());//Gets a specific return value, typically an XML file Entity.consumecontent ();// If entity is not empty, then free memory space Httpclient.getcookiestore ();//Get Cookis Httpclient.getconnectionmanager (). Shutdo WN ();//close HTTP client} catch (Clientprotocolexception e) {e.printstacktrace ();       } catch (IOException e) {e.printstacktrace ();    } return result;        public static string HttpPost (string httpurl, String data) {string result = "";        Defaulthttpclient httpclient = new Defaulthttpclient ();        HttpPost HttpPost = new HttpPost (Httpurl);                Httpclient.setcookiestore (Datadefine.mcookiestore); Httpparams params = Httpclient.getparams ();        Compute network Timeout with httpconnectionparams.setconnectiontimeout (params, 15 * 1000);        Httpconnectionparams.setsotimeout (Params, 20 * 1000);        Httppost.setheader ("Content-type", "Text/xml");                Stringentity httppostentity;            try {httppostentity = new stringentity (data, "UTF-8");            Httppost.setentity (httppostentity);            HttpResponse response = Httpclient.execute (HttpPost);            httpentity entity = response.getentity ();//Get HTTP Content response.getstatusline (). Getstatuscode ();//Get the Status return value of HTTP ResUlt = entityutils.tostring (response.getentity ());//Gets a specific return value, typically an XML file Entity.consumecontent ();//If entity is not empty, release Memory space Httpclient.getcookiestore ();//Get Cookis Httpclient.getconnectionmanager (). shutdown ();//Close HTTP Guest        User-side} catch (Exception e) {e.printstacktrace ();        }//Base64 is a coded string that can be understood as a string//stringentity httppostentity = new Stringentity ("UTF-8");    return result; }}

public class Httputil {public static string HttpGet (String httpurl) {string result = "";        Defaulthttpclient httpclient = new Defaulthttpclient ();//Create HTTP client httpget HttpGet = new HttpGet (Httpurl);        HttpResponse response = null; Httpparams params = Httpclient.getparams ();        Compute network Timeout with httpconnectionparams.setconnectiontimeout (params, 15 * 1000);                Httpconnectionparams.setsotimeout (Params, 20 * 1000);            try {response = Httpclient.execute (HttpGet);            httpentity entity = response.getentity ();//Get HTTP Content response.getstatusline (). Getstatuscode ();//Get the Status return value of HTTP result = Entityutils.tostring (response.getentity ());//Gets a specific return value, typically an XML file Entity.consumecontent ();// If entity is not empty, then free memory space Httpclient.getcookiestore ();//Get Cookis Httpclient.getconnectionmanager (). Shutdo WN ();//close HTTP client} catch (Clientprotocolexception e) {e.printstacktrace ();       } catch (IOException e) {e.printstacktrace ();    } return result;        public static string HttpPost (string httpurl, String data) {string result = "";        Defaulthttpclient httpclient = new Defaulthttpclient ();        HttpPost HttpPost = new HttpPost (Httpurl);                Httpclient.setcookiestore (Datadefine.mcookiestore); Httpparams params = Httpclient.getparams ();        Compute network Timeout with httpconnectionparams.setconnectiontimeout (params, 15 * 1000);        Httpconnectionparams.setsotimeout (Params, 20 * 1000);        Httppost.setheader ("Content-type", "Text/xml");                Stringentity httppostentity;            try {httppostentity = new stringentity (data, "UTF-8");            Httppost.setentity (httppostentity);            HttpResponse response = Httpclient.execute (HttpPost);            httpentity entity = response.getentity ();//Get HTTP Content response.getstatusline (). Getstatuscode ();//Get the Status return value of HTTP ResUlt = entityutils.tostring (response.getentity ());//Gets a specific return value, typically an XML file Entity.consumecontent ();//If entity is not empty, release Memory space Httpclient.getcookiestore ();//Get Cookis Httpclient.getconnectionmanager (). shutdown ();//Close HTTP Guest        User-side} catch (Exception e) {e.printstacktrace ();        }//Base64 is a coded string that can be understood as a string//stringentity httppostentity = new Stringentity ("UTF-8");    return result; }}

Second, HTTPS

HTTPS (hypertext Transfer Protocol over Secure Socket Layer, SSL-based HTTP protocol) uses the HTTP protocol, but HTTPS uses a different default port than the HTTP protocol and an encryption, Authentication layer (between HTTP and TCP). The initial development of this Protocol, conducted by Netscape, provides an authentication and encryption method of communication, which is now widely used for security-sensitive communications on the Internet.

The client has several steps to communicate with the Web server using HTTPS.

(1) The client uses HTTPS URL to access the Web server and requires an SSL connection with the Web server.

(2) When a Web server receives a client request, it sends a copy of the Web site's certificate information (the certificate contains the public key) to the client.

(3) The client's browser and the Web server begin to negotiate the security level of the SSL connection, which is the level of information encryption.

(4) The client's browser establishes the session key according to the security level agreed by both parties, then encrypts the session key using the public key of the website and transmits it to the website.

(5) The Web server decrypts the session key using its own private key.

(6) The Web server uses the session key to encrypt communication with the client.

public class Httpsutil {static trustmanager[] Xtmarray = new mytmarray[] {new Mytmarray ()};//Create trust rule list Private fi    nal static int connent_timeout = 15000;    Private final static int read_timeout = 15000; static Hostnameverifier do_not_verify = new Hostnameverifier () {public boolean VERIFY (String hostname, sslsession        session) {return true;    }    }; /** * Trust all hosts-do not check for any certificates Create a trust manager that does not validate * certificate chains, Android uses X509 certificate information mechanism , Install the all-trusting Trust * Manager */private static void Trustallhosts () {try {SSLC            Ontext sc = sslcontext.getinstance ("TLS");            Sc.init (NULL, Xtmarray, New Java.security.SecureRandom ());            Httpsurlconnection. Setdefaultsslsocketfactory (Sc.getsocketfactory ());        No hostname confirmation, Httpsurlconnection.setdefaulthostnameverifier (do_not_verify) for all hosts; } catch (Exception e) {e.printsTacktrace (); }}///**//* HTTPS get method, return value is HTTPS request, data returned by server String type, data is parsed by XML//* *//public static string Httpsget (String Httpsurl)    {//Return httpspost (Httpsurl, NULL); }/** * HTTPS post method, return value is HTTPS request, data returned by the server is String type, data is parsed by XML * */public static string Httpspost (Str        ing httpsurl, String data) {string result = NULL;        HttpURLConnection http = null;        URL url;            try {url = new URL (httpsurl);                Determines whether an HTTP request or HTTPS request if (Url.getprotocol (). toLowerCase (). Equals ("https")) {trustallhosts ();                http = (httpsurlconnection) url.openconnection (); ((httpsurlconnection) HTTP). Sethostnameverifier (do_not_verify);//Do not host name acknowledgement} else {http = (http            URLConnection) url.openconnection ();            } http.setconnecttimeout (connent_timeout);//Set timeout time http.setreadtimeout (read_timeout); if (data = = NULL) {Http.setrequestmethod ("GET");//Set Request type Http.setdoinput (true);                Http.setrequestproperty ("Content-type", "Text/xml");            if (Appsession.mcookiestore! = null) http.setrequestproperty ("Cookie", Appsession.mcookiestore);                } else {Http.setrequestmethod ("post");//Set Request type is POST http.setdoinput (true);                Http.setdooutput (TRUE);                Http.setrequestproperty ("Content-type", "Text/xml");                    if (Appsession.mcookiestore! = null && AppSession.mCookieStore.trim (). Length () > 0)                Http.setrequestproperty ("Cookie", Appsession.mcookiestore);                DataOutputStream out = new DataOutputStream (Http.getoutputstream ());                Out.writebytes (data);                Out.flush ();            Out.close ();       }//Set HTTP return status (OK) or 403     Appsession.httpsresponsecode = Http.getresponsecode ();            BufferedReader in = null;                if (Appsession.httpsresponsecode = =) {GetCookie (HTTP);            in = new BufferedReader (New InputStreamReader (Http.getinputstream ()));            } else in = new BufferedReader (New InputStreamReader (Http.geterrorstream ()));            String temp = In.readline ();                while (temp! = null) {if (result! = NULL) result + = temp;                else result = temp;            temp = In.readline ();            } in.close ();        Http.disconnect ();        } catch (Exception e) {e.printstacktrace ();    } return result;  }/** * Get cookie * */private static void GetCookie (HttpURLConnection http) {String Cookieval =        Null        String key = null; Appsession.mcookiesTore = ""; for (int i = 1; (Key = Http.getheaderfieldkey (i))! = NULL;                i++) {if (Key.equalsignorecase ("Set-cookie")) {Cookieval = Http.getheaderfield (i);                Cookieval = cookieval.substring (0, Cookieval.indexof (";"));            Appsession.mcookiestore = Appsession.mcookiestore + Cookieval + ";"; }        }    }}

Detailed http and HTTPS