Use Apache HttpClient to get through Java site authentication

Source: Internet
Author: User
Tags base64 http authentication resource

Most commercial Web sites provide site authentication to protect certain restricted resources. The HTTP protocol and the Java EE specification define the Web site authentication process in detail, and common browsers provide the corresponding forms and dialogs to help users complete it. However, in some cases we need to write a program that obtains a site's protected resources directly. In such cases we cannot rely on the interface the browser provides; the program must send the appropriate requests itself, according to the protocol in use, to complete the whole authentication process. For this requirement, this article gives a solution based on the Apache HttpClient library.

Introduction to Java EE site authentication

For security and user authorization management, a typical Java site adds an authentication/authorization mechanism to specific resources. For example, a public online forum, or an RSS or Atom feed that is open only to specific users, must grant access only after it has confirmed that the visitor is an authorized user. To achieve this, a Java EE site usually adopts some kind of site authentication mechanism; the common ones are HTTP Basic authentication and Java EE form-based authentication.

HTTP Basic Authentication

HTTP Basic authentication is the standard authentication method defined by the HTTP Authentication specification (RFC 2617). When a client accesses a protected resource, a server that requires HTTP Basic authentication sends the client a request to supply a username and password pair. After receiving the username/password and verifying it, the server returns the contents of the protected resource to the client. Its working mechanism is shown below:

Figure 1. HTTP Basic Authentication principle

Because this is part of the HTTP specification, common browsers such as Internet Explorer and Mozilla Firefox pop up an authentication dialog when they receive the server's request for a username and password in step 2, so that the user can enter the username/password.

Figure 2. Firefox User name/password input box that pops up when you receive the request in step 2

HTTP Basic authentication transmits the username and password using Base64 encoding. Base64 is only a public encoding format, not an encryption measure, so if the channel itself is not protected by SSL or another security protocol, user passwords are easier to intercept.
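The following added example (not code from the original article, and using only the JDK rather than HttpClient) builds the `Authorization` header for Basic authentication, reverses it without any key, and shows a client-side check that refuses to send it over plain HTTP. The class name, the sample credentials, the `forum.example` host and the choice of UTF-8 are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderDemo {

    // Header value the client sends: "Basic " + base64(user ":" password).
    static String encode(String user, String password) {
        if (user.indexOf(':') >= 0) {
            // RFC 2617 does not allow ':' in the user-id; it is the separator.
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        // Assumption: UTF-8; RFC 2617 itself does not fix a charset.
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // What anyone who can read the request recovers: decoding needs no secret.
    static String[] decode(String headerValue) {
        if (!headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        String pair = new String(raw, StandardCharsets.UTF_8);
        int sep = pair.indexOf(':'); // split on the first ':' only
        if (sep < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { pair.substring(0, sep), pair.substring(sep + 1) };
    }

    // Guard before attaching credentials: only a TLS channel protects them.
    static boolean safeToSend(URI target) {
        return "https".equalsIgnoreCase(target.getScheme());
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password contains ':' on purpose.
        String header = encode("alice", "s3cr:et");
        System.out.println("Authorization: " + header);
        String[] creds = decode(header);
        System.out.println("recovered user=" + creds[0] + " password=" + creds[1]);
        for (String u : new String[] { "http://forum.example/feed",
                                       "https://forum.example/feed" }) {
            System.out.println(u + " -> send credentials? " + safeToSend(URI.create(u)));
        }
    }
}
```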
