One. Basic Authentication Overview
The HTTP protocol defines the Basic authentication scheme so that an HTTP server can identify the user behind a web browser. When a client requests data from the HTTP server and has not yet been authenticated, the server asks the client for a username and password and uses them to decide whether the user is legitimate. When the client receives the server's authentication demand, it prompts the user for a username and password, joins them with a colon, and Base64-encodes the result; the encoded string is then attached to the request headers. For example, if the username is Anjuta and the password is 123456, the client joins them as "Anjuta:123456", Base64-encodes that string, and sends the encoded value in the request header on every subsequent request. Each time the server receives a request, it extracts the client's user information as defined by the protocol (the Base64-encoded username and password), decodes it, and verifies the username and password. If they are correct, the server returns the data the client asked for; otherwise it returns an error code or asks the client again for a username and password. Note that Base64 is an encoding, not encryption: anyone who can read the request can recover the credentials.
Two. The Basic Authentication Process
1. The client requests data from the server (a web page or a resource of some other MIME type). Assuming the client has not yet been authenticated, it sends a request such as:
GET /index.html HTTP/1.0
Host: www.google.com
2. The server replies with status code 401, demanding authentication. The data returned by the server looks roughly like this:
HTTP/1.0 401 Unauthorized
Server: sokevo/1.0
WWW-Authenticate: Basic realm="google.com"
Content-Type: text/html
Content-Length: xxx
3. When a client that conforms to the HTTP/1.0 or HTTP/1.1 specification (such as IE or Firefox) receives the 401 response, it automatically pops up a login window asking the user for a username and password.
4. After the user enters the username and password, the client Base64-encodes "username:password" and adds the encoded value to the earlier request. The request the client sends now becomes:
GET /index.html HTTP/1.0
Host: www.google.com
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Note: "xxxx..." stands for the Base64-encoded username and password.
5. When the server receives this request, it takes the user information following the Authorization field, decodes it, and compares the decoded username and password against its user database. If they are correct, the server sends the requested resource to the client.
Three. Disadvantages of Basic Authentication
The goal of HTTP Basic authentication is to provide simple user authentication. Its process is straightforward, so it suits systems or devices with low security requirements; the authentication on a router's configuration page, for example, almost always uses this approach. Its disadvantage is that it offers no flexible or reliable authentication strategy: for instance, it cannot provide domain (realm)-level authentication. In addition, Base64 is an encoding rather than encryption and so gives almost no protection; at best it keeps the credentials from showing up in a Sohu search. Of course, HTTP Basic authentication can be combined with SSL or Kerberos to build an authentication system with (relatively) higher security.
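The following is an added example, not code from the original post, that walks through steps 1 to 5 above with the article's sample credentials (Anjuta / 123456) and illustrates the point of section Three: the Authorization value is plain Base64 and can be decoded by anyone who sees the request. The hypothetical `handle_request` stands in for the server; it follows the rule that the password starts after the first colon, so passwords containing ':' survive. The user database is a constructed dictionary.

```python
import base64
import re

# Constructed sample credentials taken from the article.
USERNAME = "Anjuta"
PASSWORD = "123456"

def build_authorization(username, password):
    """Client side (step 4): 'Basic ' + base64(username:password)."""
    if ":" in username:
        raise ValueError("a Basic username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_authorization(header):
    """Server side (step 5): recover (username, password) or None if malformed.
    Splitting on the FIRST colon keeps a password that itself contains ':' intact."""
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/=]+)", header or "", flags=re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad Base64 or bad UTF-8
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no colon, so not a username:password pair
    return username, password

def challenge(realm):
    """Step 2: the 401 response sent when credentials are missing or wrong."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'}}

def handle_request(headers, valid_users, realm="google.com"):
    """Steps 1-5 together: check the Authorization header against the user database."""
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None or valid_users.get(creds[0]) != creds[1]:
        return challenge(realm)
    return {"status": 200, "user": creds[0]}

if __name__ == "__main__":
    hdr = build_authorization(USERNAME, PASSWORD)
    print(hdr)                      # Basic QW5qdXRhOjEyMzQ1Ng==
    print(parse_authorization(hdr)) # no key needed: ('Anjuta', '123456')
```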
Four. Java Implementation of Basic Authentication
The original fragment used the non-public sun.misc.BASE64Decoder, split the header on the wrong separator, and stored the session attribute under "user" while reading it back as "User"; the version below fixes those defects, uses java.util.Base64, and splits on the first colon so a password containing ':' still works. The hard-coded credentials a / 111 are kept from the original.
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class BasicAuthServlet extends HttpServlet {

    // Send the 401 challenge that makes the browser show its login dialog.
    private void challenge(HttpServletResponse response) throws IOException {
        response.setStatus(401);
        response.setHeader("WWW-Authenticate", "Basic realm=\"please enter the administrator password\"");
        PrintWriter out = response.getWriter();
        out.print("Sorry, you don't have permission!!");
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession();
        String user = (String) session.getAttribute("user");
        // Already authenticated in this session: go straight to the page.
        if (user != null) {
            RequestDispatcher dispatcher = request.getRequestDispatcher("index.jsp");
            dispatcher.forward(request, response);
            return;
        }
        try {
            response.setCharacterEncoding("GBK");
            String authorization = request.getHeader("Authorization");
            // No (or non-Basic) credentials yet: challenge the client.
            if (authorization == null || !authorization.startsWith("Basic ")) {
                challenge(response);
                return;
            }
            // Header is "Basic <base64>": decode everything after the scheme.
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            String userAndPass = new String(raw, StandardCharsets.UTF_8);
            int colon = userAndPass.indexOf(':');
            if (colon < 0) {          // not a "user:pass" pair
                challenge(response);
                return;
            }
            user = userAndPass.substring(0, colon);
            String pass = userAndPass.substring(colon + 1);
            if (user.equals("a") && pass.equals("111")) {
                session.setAttribute("user", user);
                RequestDispatcher dispatcher = request.getRequestDispatcher("index.jsp");
                dispatcher.forward(request, response);
            } else {
                challenge(response);
            }
        } catch (Exception ex) {      // e.g. malformed Base64 in the header
            ex.printStackTrace();
            challenge(response);
        }
    }
}
That concludes this walk-through of how HTTP Basic authentication works and how to implement it. We hope you will continue to support the cloud-Habitat Community.