Explore new HTTP features of Java SE 6 (NTLM)

Source: Internet
Author: User
[Abstract] Java SE 6 adds many practical new features around the HTTP protocol: NTLM authentication provides a safer authentication mechanism on the Windows platform, and the JDK provides a lightweight HTTP server, more comprehensive HTTP cookie management, a more practical NetworkInterface, and internationalization support for DNS domain names.

Overview

Since its birth, Java has paid great attention to network programming. With the rapid development of Internet applications, the Java core libraries have continually strengthened and expanded their network-related APIs. Java SE 6 adds many practical new features around the HTTP protocol: NTLM authentication provides a safer authentication mechanism on the Windows platform, and the JDK provides a lightweight HTTP server, more comprehensive HTTP cookie management, a more practical NetworkInterface, and internationalization support for DNS domain names.

NTLM Authentication

Inevitably, many resources in the network are protected by security domains. To access these resources, you must authenticate the user's identity. The following is a simple example:

The following is a reference clip:
import java.net.*;
import java.io.*;

public class Test {
    public static void main(String[] args) throws Exception {
        URL url = new URL("http://PROTECTED.com");
        URLConnection connection = url.openConnection();
        InputStream in = connection.getInputStream();
        byte[] data = new byte[1024];
        while (in.read(data) > 0) {
            // do something with data
        }
        in.close();
    }
}

When a Java program tries to read information from a website that requires authentication, that is, when it reads data from the InputStream associated with the URLConnection for http://Protected.com, a FileNotFoundException is thrown. Although I believe that this exception type is far removed from the actual cause of the error, the error is indeed caused by the failure of network authentication.

There are two ways to solve this problem:

First, set the "authentication" property (the Authorization request header) on the URLConnection:

The following is a reference clip:
// Join user name and password, Base64-encode them, and send them as the Authorization header.
// sun.misc.BASE64Encoder is an internal JDK class; Java 8 and later provide java.util.Base64.
String credit = username + ":" + password;
String encoding = new sun.misc.BASE64Encoder().encode(credit.getBytes());
connection.setRequestProperty("Authorization", "Basic " + encoding);

This assumes that http://PROTECTED.COM uses the Basic authentication type.

From the above example, we can see that setting the authentication property is still complicated: the user must understand the details of the authentication method, supply the user name and password in the required format, and then encode them in a specific way. Does the Java class library provide a tool that encapsulates these authentication details and requires only a user name and password?

This is the other method we will introduce: using the java.net.Authenticator class.

Whenever a website requires authentication, HttpURLConnection asks the Authenticator class for the user name and password.

The Authenticator class does not know which user name and password the user should use. How can the user provide his or her user name and password to the Authenticator class?

Provide a class that extends Authenticator, implement the getPasswordAuthentication method, and supply the user name and password in a PasswordAuthentication:

The following is a reference clip:
class DefaultAuthenticator extends Authenticator {
    // Called whenever a server asks for credentials.
    public PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("user", "password".toCharArray());
    }
}

Then, set it as the default (global) Authenticator:

The following is a reference clip:
Authenticator.setDefault(new DefaultAuthenticator());

What should I do if different websites require different user names and passwords?

Authenticator provides enough information about the party requesting authentication for the subclass to make a decision and return different credentials from the getPasswordAuthentication method accordingly:

The following is a reference clip:
  • getRequestingHost()
  • getRequestingPort()
  • getRequestingPrompt()
  • getRequestingProtocol()
  • getRequestingScheme()
  • getRequestingURL()
  • getRequestingSite()
  • getRequestorType()
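
As an added example (not code from the original article), the following Authenticator uses those methods to pick credentials per host, and returns null for proxy challenges, for unregistered hosts, and for Basic challenges that do not arrive over HTTPS. The class name, host names and credentials are constructed placeholders.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
// Added example; host names, user names and passwords are constructed placeholders.
public class PerSiteAuthenticator extends Authenticator {
    private final Map<String, PasswordAuthentication> byHost =
            new HashMap<String, PasswordAuthentication>();

    public void register(String host, String user, String password) {
        byHost.put(host.toLowerCase(Locale.ROOT),
                new PasswordAuthentication(user, password.toCharArray()));
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        String host = getRequestingHost();
        String scheme = getRequestingScheme();     // authentication scheme, e.g. "basic"
        String protocol = getRequestingProtocol(); // "http" or "https" for a URL connection
        if (host == null || scheme == null || protocol == null) {
            return null;                           // not enough context: offer nothing
        }
        if (getRequestorType() != RequestorType.SERVER) {
            return null;                           // proxy challenges get no site credentials
        }
        // Basic only Base64-encodes the password, so answer it over HTTPS only.
        if ("basic".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(protocol)) {
            return null;
        }
        return byHost.get(host.toLowerCase(Locale.ROOT)); // null for unregistered hosts
    }

    public static void main(String[] args) {
        PerSiteAuthenticator auth = new PerSiteAuthenticator();
        auth.register("intranet.example.com", "alice", "secret-1");
        auth.register("reports.example.com", "svc-report", "secret-2");
        Authenticator.setDefault(auth);
        // Simulate the callbacks HttpURLConnection would trigger (no network needed).
        String[][] cases = { {"intranet.example.com", "https", "basic"},
                             {"intranet.example.com", "http", "basic"},
                             {"unknown.example.net", "https", "digest"} };
        for (String[] c : cases) {
            PasswordAuthentication pa = Authenticator.requestPasswordAuthentication(
                    c[0], null, 443, c[1], "realm", c[2]);
            System.out.println(c[0] + " " + c[1] + "/" + c[2] + " -> "
                    + (pa == null ? "no credentials" : pa.getUserName()));
        }
    }
}
```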

Another important question about authentication is the authentication type. Different authentication types require different authentication protocols. As of Java SE 6.0, Authenticator supports the following authentication methods:

The following is a reference clip:
  • HTTP Basic authentication
  • HTTP Digest authentication
  • NTLM
  • HTTP SPNEGO Negotiate
    • Kerberos
    • NTLM

NTLM is short for NT LAN Manager. The early SMB protocol transmitted passwords over the network in plaintext, which is very insecure. Microsoft then proposed the Windows NT challenge/response verification mechanism, that is, NTLM.

The NTLM protocol is as follows:

1. The client first hashes the user's password to obtain a password hash;

2. The client sends the user name to the server; it is transmitted in plaintext;

3. The server generates a 16-bit random number and sends it to the client as a challenge;

4. The client uses the password hash obtained in step 1 to encrypt the challenge and returns the result to the server as its response;

5. The server sends the user name, the challenge it sent to the client, and the response returned by the client to the domain controller;

6. The domain controller uses the user name to look up the user's password hash in the SAM password database, and then uses that password hash to encrypt the challenge;

7. The domain controller compares the two encrypted challenges. If they are the same, authentication succeeds.
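
The seven steps above, modelled end to end as an added example (not code from the original article and not an NTLM implementation): SHA-256 and HMAC-SHA256 stand in for NTLM's own hash and cipher, and the class name, the account and the challenge length are assumptions of this sketch.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added sketch of the challenge/response flow. SHA-256 and HMAC-SHA256 are
// stand-ins for NTLM's real primitives; the account data is constructed.
public class ChallengeResponseDemo {
    // Steps 1 and 6: derive the password hash (stand-in hash function).
    static byte[] passwordHash(String password) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(password.getBytes("UTF-16LE"));
    }

    // Steps 4 and 6: transform the challenge under the password hash (stand-in: HMAC).
    static byte[] respond(byte[] hash, byte[] challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(hash, "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    // Steps 5 to 7: the domain controller recomputes the response from its stored hash.
    static boolean domainControllerVerify(Map<String, byte[]> sam, String user,
                                          byte[] challenge, byte[] response) throws Exception {
        byte[] stored = sam.get(user);
        if (stored == null) {
            return false;                                   // unknown user
        }
        return MessageDigest.isEqual(respond(stored, challenge), response);
    }

    public static void main(String[] args) throws Exception {
        Map<String, byte[]> sam = new HashMap<String, byte[]>();
        sam.put("alice", passwordHash("correct horse"));   // constructed account

        byte[] clientHash = passwordHash("correct horse"); // step 1
        String user = "alice";                             // step 2: sent in plaintext
        byte[] challenge = new byte[16];                   // step 3: length chosen for this sketch
        new SecureRandom().nextBytes(challenge);
        byte[] response = respond(clientHash, challenge);  // step 4

        System.out.println("right password accepted: "
                + domainControllerVerify(sam, user, challenge, response));
        byte[] wrong = respond(passwordHash("guess"), challenge);
        System.out.println("wrong password accepted: "
                + domainControllerVerify(sam, user, challenge, wrong));
        // The password never crosses the network, but the stored hash is all that is
        // needed to answer a challenge, so it must be protected like the password itself.
    }
}
```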

Versions earlier than Java 6 do not support NTLM authentication. If you want to use HttpURLConnection to connect to a website protected by a Windows domain, you cannot pass NTLM authentication. The alternative is to implement the entire protocol yourself on top of low-level building blocks such as Socket, which is undoubtedly very complicated.

Finally, Java 6's Authenticator class provides NTLM support. It is very convenient to use, just like the other authentication protocols:

The following is a reference clip:
class DefaultAuthenticator extends Authenticator {
    private static String username = "username";
    private static String domain = "domain";
    private static String password = "password";

    public PasswordAuthentication getPasswordAuthentication() {
        // The account name carries the Windows domain as a prefix.
        String usernameWithDomain = domain + "/" + username;
        return (new PasswordAuthentication(usernameWithDomain, password.toCharArray()));
    }
}

Here, following the naming rules for Windows domain accounts, the account name is domain name + "/" + domain user name. If you do not want to add the domain name each time you create a PasswordAuthentication, you can set the system property "http.auth.ntlm.domain".

Authentication negotiation is another feature of the Authenticator in Java 6. Servers today generally offer several authentication protocols at the same time, and an authentication method is negotiated with the client according to the client's capabilities. For example, the IIS server provides both NTLM with Kerberos and NTLM authentication. When the client does not support NTLM with Kerberos, NTLM authentication is performed.

Currently, the default order of authentication negotiation is:

The following is a reference clip:
GSS/SPNEGO -> Digest -> NTLM -> Basic

So where does Kerberos fit in?

In fact, GSS/SPNEGO is built on JAAS, and JAAS in turn actually uses Kerberos.

Domain Name Internationalization

Some recent RFC documents require that DNS servers be able to resolve non-ASCII characters. There are algorithms that, in this case, convert between Unicode and ASCII to support internationalized domain names. java.net.IDN is a new class that performs this conversion. IDN is short for "Internationalized Domain Names". The class is very simple and consists mainly of four static functions for character conversion.

Conclusion

Java SE 6 has many new HTTP-related features that give the Java SE platform stronger support for network programming, especially HTTP-based Internet programming.
