Implementation of Http Digest authentication on Android platform

Subject:

To write an Android application to access a data service system based on HTTP services, in order to improve security, the data Service system uses the HTTP Digest authentication system, the reason is that, compared with the Basic authentication method, Digest authentication can guarantee authentication information (username and password) Transport security and is simpler and easier to use than SSL. When you use browser access, you are prompted with a username and Password dialog box, but if it is a program access, you need to program the authentication information during the procedure access.

Requirements:

--The user name and password can be set in the program

--web-based access to digest authentication and HTTP Data Services (JSON format)

--Use the Android base library without using other extensions (based on compatibility considerations)

--Support Android2.2 above system

--Technical realization is simple and clear

Realize:

There are some problems with some of the solutions available on the network, if you need to use a Third-party class library, create a authenticator, manually set request parameters and so on, are more troublesome, and many problems, after groping, I realized in the program based on the Android standard library certification process, the realization of ideas, procedures and sample code as follows:

The basic logic is:

---Use the httpclient (Defaulthttpclient) class to connect to the server and get the data

Defualthttpclient class: Creating a Client Object

Excuete (HttpGet) method: Performs a connection and gets, the argument is a HttpGet object

HttpGet class: Creating HttpGet objects based on URLs

HttpResponse class: The return value of Execute

Getentiry (). GetContent () method: fetching data stream

---The client access requires a authentication method for the resource that needs to be authenticated, you need to set up a certification provider

Client Setcredentialsprovider (bcp) method: Setting up a certification provider

Basiccredentialsprovider class: Creating a Certification Provider instance

SetCredentials method: Set Authscope and Usernamepasswordcredentials classes

Authscope class: Authentication scope, host-based, port and domain building

Usernamepasswordcredentials: A certificate based on user name and password, built based on user name and password

The implementation code is as follows:

1. Gets and sets the URL address, a string variable, a URL object

String urlstr = "Http://

URL url= new URL (urlstr);

2. Create a password certificate, (Usernamepasswordcredentials Class)

String username= "foo";

String password= "Bar";

Usernamepasswordcredentials UPC = new Usernamepasswordcredentials (username, password);

3. Set the authentication scope (Authscore Class)

String Strrealm = "<mydomain>";

String strhost = Url.gethost ();

int iport = Url.getport ();

Authscope as = new Authscope (Strhost, Iport, Strrealm);

4. Create a certification provider (Basiccredentials Class) based on as and UPC

Basiccredentialsprovider bcp=new Basiccredentialsprovider ();

Bcp.setcredentials (as, UPC);

5. Create HTTP client (Defaulthttpclient Class)

Defaulthttpclient client=new defaulthttpclient ();

6. Set up the authentication provider for this client

Client.setcredentialsprovider (BCP);

7. Create a Get Method (HttpGet Class) based on the URL address of the access

HttpGet hg= New HttpGet (URLSTR);

8. Executes the Get method and returns response

HttpResponse hr = Client.execute (Hg);

9. Retrieve the data from the response and use InputStreamReader to read the response entity:

String Line=null;

StringBuilder builder = new StringBuilder ();

BufferedReader reader = new BufferedReader (New InputStreamReader (Hr.getentity (). GetContent ()));

while (line = Reader.readline ())!= null) builder.append (line);

Strcontent=builder.tostring ();

Summarize

---Compare the implementation in Java, we can see that there is a large structure and implementation difference between the Apache.http library and Commons-httpclient Library in Andriod, which causes the java-based implementation not to be ported directly to Android.

---The above implementation is simple, logically clear and easy to understand, and does not involve technical details of more complex digest authentication, but is encapsulated by Credentialsprovider.

---the above implementation does not use the usual connection class, but the client class, which provides richer connectivity and state control functions, compared to connection simpler

---user name and password as part of the authentication framework rather than HTTP request, more secure

---There is no discussion of server-side implementations, I actually implement HTTP digest through rails. But in theory this certification is the standard.

See more highlights of this column: http://www.bianceng.cnhttp://www.bianceng.cn/OS/extra/