HTTP Basic authentication, an introduction to preemptive authentication, and an HttpClient 4.1.1 example

Source: Internet
Author: User
Tags: base64

1. HTTP Basic Authentication

In HTTP, Basic authentication is a way for a web browser or other client program to provide credentials, in the form of a user name and password, when a server asks for them. Before sending, the client concatenates the user name, a colon, and the password. The resulting string is then encoded with Base64. For example, with the user name Aladdin and the password open sesame, the concatenated string is Aladdin:open sesame, and its Base64 encoding is QWxhZGRpbjpvcGVuIHNlc2FtZQ==. The Base64 string is sent to the server, which decodes it back into the colon-delimited user name and password. Note that Base64 is an encoding, not encryption: anyone who can read the request can recover the credentials, so Basic authentication is only safe over TLS.

When you access a URL that requires HTTP Basic authentication without supplying a user name and password, the server returns 401; if you open such a URL directly in a browser, the browser prompts you for a user name and password. You can try this URL to see the effect: http://api.minicloud.com.cn/statuses/friends_timeline.xml. Once the user enters the user name and password, the browser resends the request with the credentials attached. On every request it receives, the HTTP server extracts the client's credentials according to the protocol (the Base64-encoded user name and password), decodes them, and verifies the user name and password. If they are correct it returns the data the client asked for; otherwise it returns an error code or asks the client again for a user name and password.

1.1 Authentication Process

1. The client requests a URL such as http://api.minicloud.com.cn/statuses/friends_timeline.xml:

GET /statuses/friends_timeline.xml HTTP/1.1
Host: api.minicloud.com.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

2. The server receives the request, finds no credentials, and responds with a 401 challenge. The WWW-Authenticate: Basic header tells the client which scheme to use (real challenges usually also carry a realm parameter, such as Basic realm="api"):

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Wed, June 06:25:47 GMT
Content-Type: application/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Basic
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Accept-Ranges: bytes

3. When a client that follows the HTTP/1.0 or 1.1 specification (such as IE or Firefox) receives a 401 response with this challenge, it automatically pops up a login window asking the user for a user name and password.

4. The user enters the user name and password, the client Base64-encodes the user:password string, puts it in an Authorization header, and resends the previous request. The client's first request now becomes:

GET /statuses/friends_timeline.xml HTTP/1.1
Host: api.minicloud.com.cn
.....
Connection: keep-alive
Authorization: Basic d2pqOjEyMzQ1Ng==

Note: what follows Basic is the Base64-encoded user name and password. It is encoding, not encryption: decoding the value returns the credentials in clear text.

5. The server receives the request above, takes the value from the Authorization header, decodes it, and compares the decoded user name and password against its user database. If they are correct, the server sends the requested resource to the client:

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: xxxx

If the user name and password are incorrect, the server goes back to step 2 and sends the client a new 401 challenge.

6. For the rest of the session, the client includes the encoded credentials in every request.

2. Preemptive Authentication

Preemptive authentication starts directly at step 4: the client adds the Authorization header with the user name and password to its first request and gets the resource straight from the server. The first three steps (the unauthenticated request, the 401 challenge, and the prompt) are skipped, which saves a round trip but means the credentials are sent to the target host whether or not it asked for them.
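The challenge/response exchange of steps 1 to 5 in section 1.1 and the preemptive shortcut of section 2, as an added example that is not part of the original article: a minimal server-side check (handle_request) plus the two client flows, all constructed here. The user table, the realm name and the function names are assumptions for illustration. The example also shows two things the text skips over: the server must split the decoded string on the first colon only (a password may contain colons), and the password check should use a constant-time comparison.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example (not from the article).
# Plaintext only to keep the example self-contained; a real server stores
# salted password hashes and compares against those.
USERS = {"Aladdin": "open sesame"}
REALM = "api"  # assumed realm name; the article's capture shows none


def basic_authorization(username, password):
    """Client side of step 4: build the Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Server side of step 5: recover (username, password) from 'Basic <token>'.

    Returns None for anything malformed instead of raising, so a garbage
    header produces a 401 rather than a 500.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    # Split on the FIRST colon only: the user name cannot contain one,
    # but the password may.
    username, _, password = decoded.partition(":")
    return username, password


def handle_request(headers):
    """Server side of steps 2 and 5: returns (status, response headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge, "credentials required"
    creds = parse_basic_authorization(auth)
    if creds is None:
        return 401, challenge, "malformed credentials"
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so the check does not leak how many
    # leading characters of the password were right.
    if expected is not None and hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8")
    ):
        return 200, {}, f'<statuses owner="{username}"/>'
    return 401, challenge, "bad credentials"


def challenge_response_flow(username, password):
    """Steps 1-5: unauthenticated request, 401 challenge, retry with credentials.

    Returns the list of status codes the client sees.
    """
    seen = []
    status, resp_headers, _ = handle_request({"Host": "api.minicloud.com.cn"})
    seen.append(status)
    www_auth = resp_headers.get("WWW-Authenticate", "")
    if status == 401 and www_auth.lower().startswith("basic"):
        status, _, _ = handle_request(
            {"Host": "api.minicloud.com.cn",
             "Authorization": basic_authorization(username, password)}
        )
        seen.append(status)
    return seen


def preemptive_flow(username, password):
    """Section 2: credentials on the very first request, one round trip."""
    status, _, _ = handle_request(
        {"Host": "api.minicloud.com.cn",
         "Authorization": basic_authorization(username, password)}
    )
    return [status]
```

challenge_response_flow returns [401, 200] for a valid user and [401, 401] for a bad password, while preemptive_flow returns [200] in a single round trip. Feeding the header value from step 4 to parse_basic_authorization recovers the user name and password directly, which is why the preemptive variant in particular must only ever run over TLS.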

3. HttpClient implementation

HttpClient does not support preemptive authentication out of the box, because if misused or used incorrectly it can lead to serious security issues, such as sending a user's credentials in clear text to an unauthorized third party. Users should therefore weigh the potential benefit of preemptive authentication (one round trip less) against the security risks in their specific application environment.

Nevertheless, HttpClient can be configured for preemptive authentication by pre-populating its authentication cache, so that the Authorization header is attached to the first request to the target host:

import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.util.EntityUtils;

// Port 80 is assumed for plain HTTP (the original had a garbled port value); use 443 and
// "https" in production, otherwise the preemptively sent credentials travel in clear text.
HttpHost targetHost = new HttpHost("api.t.sohu.com", 80, "http");

DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.getCredentialsProvider().setCredentials(
        new AuthScope(targetHost.getHostName(), targetHost.getPort()),
        new UsernamePasswordCredentials("username", "password"));

// Create AuthCache instance
AuthCache authCache = new BasicAuthCache();
// Generate BASIC scheme object and add it to the local auth cache
BasicScheme basicAuth = new BasicScheme();
authCache.put(targetHost, basicAuth);
// Add AuthCache to the execution context
BasicHttpContext localcontext = new BasicHttpContext();
localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);

String url = "http://api.t.sohu.com/statuses/update.xml";
HttpPost httppost = new HttpPost(url);
httppost.setHeader("Content-Type", "application/x-www-form-urlencoded");
try {
    for (int i = 0; i < 3; i++) {
        // The cached BasicScheme makes HttpClient send Authorization on the first request
        HttpResponse response = httpclient.execute(targetHost, httppost, localcontext);
        HttpEntity entity = response.getEntity();
        EntityUtils.consume(entity); // release the connection back to the pool
    }
} finally {
    httpclient.getConnectionManager().shutdown();
}

 
