HttpClient HTTP-based authentication schemes
Introduction
HttpClient supports three different forms of HTTP authentication: Basic, Digest, and NTLM. These schemes can be used to authenticate with a target HTTP server or with a proxy server.
Server Authentication
HttpClient handles server authentication almost transparently. The only thing the caller has to do is provide valid login credentials. These credentials are stored in the HttpState instance and can be set and retrieved with the setCredentials(AuthScope authscope, Credentials cred) and getCredentials(AuthScope authscope) methods.
HttpClient's built-in automatic authentication can be disabled with the setDoAuthentication(boolean doAuthentication) method of the HttpMethod class. This affects only that method instance.
Preemptive Authentication
HttpClient can be configured to authenticate preemptively. In this mode HttpClient sends the Basic authentication response even before the server has returned an unauthorized response, which in some situations reduces the overhead of the connection. It is enabled as follows:
client.getParams().setAuthenticationPreemptive(true);
Preemptive authentication also requires default credentials to be set for the target server or proxy server. If no default credentials are provided, preemptive authentication will not take effect.
Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
client.getState().setCredentials(new AuthScope("myhost", 80, AuthScope.ANY_REALM), defaultcreds);
Security aspects of server authentication
An application that uses default credentials may communicate with both secure and ordinary web sites. When preemptive authentication is enabled, or when the credentials are not tied to a specific realm and host, HttpClient will try to authenticate to the target site with the default credentials. To avoid sending credentials to an untrusted site, narrow the credential scope as much as possible: always specify the host.
Do not use AuthScope.ANY to set credentials in production: credentials set this way are sent to every site that asks for them.
This setting should only be used during debugging.
// To be avoided unless in debug mode
Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
client.getState().setCredentials(AuthScope.ANY, defaultcreds);
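The following is an added example, not code from the original article: it loads the same placeholder credentials into two HttpState instances, one scoped to myhost:80 as recommended above and one scoped with AuthScope.ANY, and asks HttpState.getCredentials for several targets to show which servers each scope would offer the credentials to. The host names, realm and login are constructed placeholders, and the check runs offline against HttpClient 3.x without any server.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

/** Shows which servers a stored credential would be offered to (no network needed). */
public class CredentialScopeCheck {

    /** True if this HttpState would hand out credentials to a server at host:port challenging with realm. */
    static boolean wouldSendCredentials(HttpState state, String host, int port, String realm) {
        // HttpState picks the best-matching AuthScope; null means no credentials match at all.
        return state.getCredentials(new AuthScope(host, port, realm)) != null;
    }

    public static void main(String[] args) {
        // Placeholder login, constructed for this example.
        Credentials creds = new UsernamePasswordCredentials("username", "password");

        // Narrow scope: one host, one port, any realm (the pattern recommended above).
        HttpState narrow = new HttpState();
        narrow.setCredentials(new AuthScope("myhost", 80, AuthScope.ANY_REALM), creds);

        // Wide scope: AuthScope.ANY (the setting to avoid outside debugging).
        HttpState wide = new HttpState();
        wide.setCredentials(AuthScope.ANY, creds);

        // Constructed targets: the intended server, a second service on the same host,
        // and an unrelated server that happens to send an authentication challenge.
        String[][] targets = {
            {"myhost", "80", "Intranet"},
            {"myhost", "8080", "Intranet"},
            {"other.example.net", "80", "Intranet"},
        };
        for (String[] t : targets) {
            String host = t[0];
            int port = Integer.parseInt(t[1]);
            String realm = t[2];
            System.out.printf("%-20s:%-5d narrow=%-5b any=%b%n", host, port,
                    wouldSendCredentials(narrow, host, port, realm),
                    wouldSendCredentials(wide, host, port, realm));
        }
    }
}
```

Only the first target matches the narrow scope, because a different port or host yields no matching AuthScope, while AuthScope.ANY matches all three.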
Proxy Authentication
Basic
Basic authentication is the original and most widely compatible authentication scheme. Unfortunately, it is also the least secure, because the user name and password it sends to the server are not encrypted. Basic authentication requires an instance of UsernamePasswordCredentials, whether for a specific realm or as the default credentials.
Digest
Digest authentication was added in the HTTP 1.1 protocol. This scheme is not as widely used as Basic authentication. Digest authentication is much safer than Basic authentication because the user name and password are not transmitted in clear text.
Digest authentication requires an instance of UsernamePasswordCredentials.
NTLM
NTLM is the most complex authentication protocol supported by HttpClient. It is a proprietary protocol designed by Microsoft, and its specification has not been published. Earlier versions of NTLM had poor security compared with Digest authentication because of design flaws. However, this bug was fixed in Windows NT 4, and NTLM is now considered safer than Digest authentication.
Reprinted from: http://blog.csdn.net/mgoann/article/details/4054747