HttpClient: authentication schemes based on the HTTP protocol

Source: Internet
Author: User

Brief introduction

HttpClient supports three different HTTP authentication schemes: Basic, Digest and NTLM. They can be used to authenticate with HTTP servers as well as with proxy servers.

Server authentication

HttpClient handles server authentication almost transparently; the only thing the caller has to do is provide valid login credentials. The credentials are stored in the HttpState instance and can be set and retrieved with the setCredentials(AuthScope authscope, Credentials cred) and getCredentials(AuthScope authscope) methods.

HttpClient's built-in automatic authentication can be turned off with the setDoAuthentication(boolean doAuthentication) method of the HttpMethod class. Doing so only affects that method instance.

Preemptive authentication

HttpClient can also authenticate preemptively. In this mode HttpClient sends the Basic authentication response before the server returns an unauthorized response, which in some cases reduces the overhead of the connection. Enable it like this:

client.getParams().setAuthenticationPreemptive(true);

Preemptive authentication also requires default credentials to be set for the target server or proxy server. If no default credentials are provided, preemptive authentication has no effect.

Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");

// Scope the credentials to one host and port, any realm
client.getState().setCredentials(new AuthScope("myhost", 80, AuthScope.ANY_REALM), defaultcreds);

Security aspects of server authentication

An application that uses default credentials may end up communicating with secure web sites as well as regular ones. When preemptive authentication is activated, or when the credentials are not given for an explicit authentication realm and host, HttpClient attempts to authenticate with the target site using the default credentials. To avoid sending credentials to an untrusted site, narrow the scope of the credentials as much as possible: always specify the host.

Do not use the AuthScope.ANY authentication scope to set credentials in a production application. Doing so causes the credentials to be sent for every authentication attempt.

This setting should only be used in the debugging phase.

// To be avoided unless in debug mode
Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");

client.getState().setCredentials(AuthScope.ANY, defaultcreds);
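The effect of the scope on credential lookup, shown as an added example that is not part of the original article. It assumes Commons HttpClient 3.x and its dependencies are on the classpath; the class name, the realm name "intranet" and the host "other.example" are constructed for illustration. The state populated with AuthScope.ANY hands out the credentials for every target, while the narrowed state does so only for myhost on port 80.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

public class CredentialScopeDemo {

    // True if this state would supply credentials for an authentication
    // challenge from the given host, port and realm.
    static boolean offersCredentials(HttpState state, String host, int port, String realm) {
        return state.getCredentials(new AuthScope(host, port, realm)) != null;
    }

    public static void main(String[] args) {
        Credentials creds = new UsernamePasswordCredentials("username", "password");

        // Debug-only setup from the article: matches every host, port and realm.
        HttpState wide = new HttpState();
        wide.setCredentials(AuthScope.ANY, creds);

        // Narrowed setup: one host and port, any realm on that host.
        HttpState narrow = new HttpState();
        narrow.setCredentials(new AuthScope("myhost", 80, AuthScope.ANY_REALM), creds);

        // Constructed challenge origins: {host, port, realm}.
        Object[][] targets = {
            {"myhost", 80, "intranet"},
            {"myhost", 8080, "intranet"},
            {"other.example", 80, "intranet"},
        };

        for (Object[] t : targets) {
            String host = (String) t[0];
            int port = (Integer) t[1];
            String realm = (String) t[2];
            System.out.printf("%-14s:%-5d ANY=%-5b scoped=%b%n", host, port,
                    offersCredentials(wide, host, port, realm),
                    offersCredentials(narrow, host, port, realm));
        }
    }
}
```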

Proxy authentication

Basic

Basic authentication is the original and most compatible authentication scheme. Unfortunately, it is also the least secure, because the user name and password it sends to the server are not encrypted. Basic authentication requires an instance of UsernamePasswordCredentials, set either for a specific realm or as default credentials.

Digest

Digest authentication was added in the HTTP 1.1 protocol and is not as widely used as Basic authentication. Digest authentication is significantly more secure than the Basic authentication scheme because the user names and passwords it transmits are encrypted.

Digest authentication requires an instance of UsernamePasswordCredentials.

NTLM

NTLM is one of the most complex authentication protocols supported by HttpClient. It is a proprietary protocol designed by Microsoft, and its specification is not public. Because of design errors, earlier versions of NTLM were less secure than Digest authentication, but this was fixed in Windows NT 4 and NTLM is now considered more secure than Digest authentication.

Reprint: http://blog.csdn.net/mgoann/article/details/4054747