I. Overview of BASIC Authentication
The HTTP protocol defines a basic authentication process that lets an HTTP server identify the user behind a web browser. When a client requests data from the server and has not yet been authenticated, the server uses the basic authentication process to verify the client's user name and password and decide whether the user is legitimate. On receiving the server's authentication request, the client prompts the user for a user name and password and encodes them with BASE64; the encoded string is then attached to every request. For example, with the user name anjuta and the password 123456, the client joins the user name and password with ":", BASE64-encodes the joined string, and appends the result to the request header each time it requests data. Each time the server receives a request, it extracts the attached user information (the BASE64-encoded user name and password) according to the protocol, decodes it, and verifies the user name and password. If they are correct, it returns the data the client asked for; otherwise it returns an error code or asks the client to supply the user name and password again.
II. The process of BASIC authentication
1. The client requests data from the server; the requested content may be a web page or another MIME type. Assuming the client has not yet been authenticated, it sends the following request to the server:
GET /index.html HTTP/1.0
Host: www.google.com
2. The server responds with status code 401 to demand authentication; the data returned by the server looks roughly like this:
HTTP/1.0 401 Unauthorized
Server: SokEvo/1.0
WWW-Authenticate: Basic realm="google.com"
Content-Type: text/html
Content-Length: xxx
3. When a client compliant with the HTTP 1.0 or 1.1 specification (such as IE or Firefox) receives a 401 response, it automatically pops up a login window asking the user to enter a user name and password.
4. After the user enters the user name and password, the client BASE64-encodes them and places the encoded string in the earlier request. The request the client now sends becomes:
GET /index.html HTTP/1.0
Host: www.google.com
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Note: xxxx.... stands for the encoded user name and password.
5. On receiving this request, the server takes the user information after the Authorization field, decodes it, and compares the decoded user name and password against its user database. If they are correct, the server sends the requested resource to the client.
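The following Python simulates the five steps above end to end: an unauthenticated request, the 401 challenge with its realm, the client building the Authorization header from anjuta:123456, and the server decoding and checking it. This is an added example written for this page, not code from the original article. The credential store (USERS), the request and response dictionaries, and the handler function names are constructed here for illustration; the realm string and host are the ones shown in the article's messages. The parser also covers cases the article does not spell out: a non-Basic scheme, malformed BASE64, a missing ":" separator, and a password that itself contains ":" (only the first ":" separates the two fields).

```python
"""HTTP Basic authentication exchange (steps 1-5), simulated offline."""
import base64
import binascii
import hmac

REALM = "google.com"  # realm taken from the article's example 401 response

# Constructed credential store holding the article's example user.
# A real server would store a salted password hash, not the plaintext.
USERS = {"anjuta": "123456"}


def build_authorization_header(username: str, password: str) -> str:
    """Step 4 (client): join user and password with ':' and BASE64-encode."""
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(header: str):
    """Step 5 (server): recover (user, password) from the header, or None.

    Returns None for a non-Basic scheme, invalid BASE64, non-UTF-8 bytes,
    or a payload without ':'. Only the first ':' is the separator, so a
    password containing ':' is preserved intact.
    """
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the store; unknown users fail."""
    expected = USERS.get(user)
    if expected is None:
        # Compare something anyway so timing does not reveal valid user names.
        hmac.compare_digest(password.encode("utf-8"), password.encode("utf-8"))
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def handle_request(headers: dict) -> dict:
    """Server side of steps 2 and 5: a 401 challenge or a 200 with content."""
    auth = headers.get("Authorization")
    creds = parse_authorization_header(auth) if auth else None
    if creds is None or not check_credentials(*creds):
        return {
            "status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'},
        }
    return {"status": 200, "body": f"index.html for {creds[0]}"}


def run_exchange(username: str, password: str):
    """Steps 1-5: unauthenticated request, challenge, authenticated retry."""
    first = handle_request({"Host": "www.google.com"})
    retry = handle_request({
        "Host": "www.google.com",
        "Authorization": build_authorization_header(username, password),
    })
    return first["status"], retry["status"]


if __name__ == "__main__":
    print(build_authorization_header("anjuta", "123456"))
    print(run_exchange("anjuta", "123456"))  # (401, 200)
    print(run_exchange("anjuta", "wrong"))   # (401, 401)
```

Note that base64.b64decode is all it takes to turn the header back into "anjuta:123456", which is why the scheme must be carried over TLS if the credentials are worth protecting.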
III. Disadvantages of BASIC authentication
The goal of HTTP basic authentication is to provide a simple user authentication function. The process is simple and clear, and it suits systems or devices with low security requirements; for example, the configuration page of almost every home router uses it. Its disadvantage is that it lacks a flexible and reliable authentication strategy, for instance it cannot provide domain (domain or realm) based authentication. In addition, BASE64 is an encoding rather than encryption, so its protective strength is very low: it can do little more than keep Sohu's search engine from indexing the credentials. Of course, the HTTP basic authentication scheme can be combined with SSL or Kerberos to build an authentication system with (relatively) high security.
IV. Java implementation of BASIC authentication
The following code runs inside a servlet or JSP page, where request and response are the HttpServletRequest and HttpServletResponse. It needs these imports (as a JSP page directive or at the top of the servlet): java.io.PrintWriter, java.nio.charset.StandardCharsets, java.util.Base64, javax.servlet.RequestDispatcher and javax.servlet.http.HttpSession.

    HttpSession session = request.getSession();
    String user = (String) session.getAttribute("user");
    String pass;
    if (user == null) {
        try {
            response.setCharacterEncoding("GBK");
            PrintWriter out = response.getWriter();
            String authorization = request.getHeader("authorization");
            if (authorization == null || authorization.equals("")) {
                // Step 2: no credentials yet, so challenge the client.
                response.setStatus(401);
                response.setHeader("WWW-Authenticate", "Basic realm=\"Please enter the administrator password\"");
                out.print("Sorry, you don't have permission!");
                return;
            }
            // Step 5: the header is "Basic <base64>"; decode the part after the scheme.
            // java.util.Base64 replaces the sun.misc.BASE64Decoder of the original, which modern JDKs no longer ship.
            String userAndPass = new String(Base64.getDecoder().decode(authorization.split(" ")[1]), StandardCharsets.UTF_8);
            // Only the first ':' separates the fields, so a password may itself contain ':'.
            int colon = userAndPass.indexOf(':');
            if (colon < 0) {
                response.setStatus(401);
                response.setHeader("WWW-Authenticate", "Basic realm=\"Please enter the administrator password\"");
                out.print("Sorry, you don't have permission!");
                return;
            }
            user = userAndPass.substring(0, colon);
            pass = userAndPass.substring(colon + 1);
            if (user.equals("111") && pass.equals("111")) {
                // Credentials accepted: remember the user in the session and serve the page.
                session.setAttribute("user", user);
                RequestDispatcher dispatcher = request.getRequestDispatcher("index.jsp");
                dispatcher.forward(request, response);
            } else {
                response.setStatus(401);
                response.setHeader("WWW-Authenticate", "Basic realm=\"Please enter the administrator password\"");
                out.print("Sorry, you don't have permission!");
                return;
            }
        } catch (Exception ex) {
            // Malformed header or invalid BASE64 ends up here.
            ex.printStackTrace();
        }
    } else {
        // Already authenticated in this session.
        RequestDispatcher dispatcher = request.getRequestDispatcher("index.jsp");
        dispatcher.forward(request, response);
    }

That concludes this brief discussion of the principles of HTTP BASIC authentication and how to implement it. I hope everyone will continue to support Wulin.com.