JAVA Http Basic auth

本文轉載自查看原文 2017-12-06 11:43 6852 JAVA

一、Http Base Auth 方式

當訪問一個Http Basic Auth 網站的時候需要提供用戶名，密碼，否則會返回401 (without authoration)。

Http Basic Authentication認證有2種方式：

1、請求頭部Authorization 中添加用戶名/密碼的base64 編碼字符串。

2、url中拼用戶名和密碼。

市面上大部分瀏覽器支持url拼用戶名，密碼的方式訪問，

代碼不支持這種url 拼用戶名，密碼。

二、Http Basic Auth 原理

在HTTP協議進行通信的過程中，HTTP協議定義了基本認證過程以允許HTTP服務器對WEB瀏覽器進行用戶身份認證的方法，當一個客戶端向HTTP服務器進行數據請求時，

如果客戶端未被認證，則HTTP服務器將通過基本認證過程對客戶端的用戶名及密碼進行驗證，以決定用戶是否合法。

客戶端在接收到HTTP服務器的身份認證要求后，會提示用戶輸入用戶名及密碼，用戶輸入后，

客戶端將用戶名和密碼中間用“：”分隔合並，並將合並后的字符串用BASE64編碼，在每次請求數據時，將密文附加於請求頭（Request Header）Authorization: Basic XXXXXXX中。

HTTP服務器在每次收到請求包后，根據協議取得客戶端附加的用戶信息（BASE64編碼的用戶名和密碼），解開請求包，對用戶名及密碼進行驗證，

如果用戶名及密碼正確，則根據客戶端請求，返回客戶端所需要的數據;否則，返回錯誤代碼或重新要求客戶端提供用戶名及密碼。

三、Basic Auth 的優缺點

優點：提供簡單的用戶驗證功能，其認證過程簡單明了，適合於對安全性要求不高的系統或設備中。

缺點：輸入的用戶名，密碼 base64編碼后會出現在Authorization里，很容易被解析出來。


/*
 * ====================================================================
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 */
package org.apache.http.examples.client;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

/**
 * An example of HttpClient can be customized to authenticate
 * preemptively using BASIC scheme.
 * <b>
 * Generally, preemptive authentication can be considered less
 * secure than a response to an authentication challenge
 * and therefore discouraged.
 */
public class ClientPreemptiveBasicAuthentication {

    public static void main(String[] args) throws Exception {
        HttpHost target = new HttpHost("httpbin.org", 80, "http");
        CredentialsProvider credsProvider = new BasicCredentialsProvider();
        credsProvider.setCredentials(
                new AuthScope(target.getHostName(), target.getPort()),
                new UsernamePasswordCredentials("user", "passwd"));
        CloseableHttpClient httpclient = HttpClients.custom()
                .setDefaultCredentialsProvider(credsProvider).build();
        try {

            // Create AuthCache instance
            AuthCache authCache = new BasicAuthCache();
            // Generate BASIC scheme object and add it to the local
            // auth cache
            BasicScheme basicAuth = new BasicScheme();
            authCache.put(target, basicAuth);

            // Add AuthCache to the execution context
            HttpClientContext localContext = HttpClientContext.create();
            localContext.setAuthCache(authCache);

            HttpGet httpget = new HttpGet("http://httpbin.org/hidden-basic-auth/user/passwd");

            System.out.println("Executing request " + httpget.getRequestLine() + " to target " + target);
            for (int i = 0; i < 3; i++) {
                CloseableHttpResponse response = httpclient.execute(target, httpget, localContext);
                try {
                    System.out.println("----------------------------------------");
                    System.out.println(response.getStatusLine());
                    System.out.println(EntityUtils.toString(response.getEntity()));
                } finally {
                    response.close();
                }
            }
        } finally {
            httpclient.close();
        }
    }

}

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 HTTP Basic auth認證 java 發送帶Basic Auth認證的http post請求 apache配置http basic auth python+requests——http basic auth認證 Http basic Auth 認證方式幫助類 Nginx下配置Http Basic Auth java 發送帶Basic Auth認證的http post請求實例代碼精講RestTemplate第9篇-如何通過HTTP Basic Auth認證 Nginx密碼驗證 ngx_http_auth_basic_module模塊 nginx安全: 配置http基本驗證(Basic Auth)(nginx 1.18.0)