The principle and implementation of HTTP BASIC authentication

  • 2020-05-16 07:00:14
  • OfStack

1. Overview of BASIC authentication

The HTTP protocol defines a basic authentication procedure that lets a WEB server identify the browser user. When a client requests data from an HTTP server and has not yet been authenticated, the server uses this procedure to check the client's user name and password and decide whether the user is legitimate. When the client receives the server's authentication demand, it prompts the user for a user name and password, joins them with ":" and encodes the result with BASE64 (an encoding, not encryption). For example, if the user name is anjuta and the password is 123456, the client builds the string anjuta:123456, BASE64-encodes it, and attaches the encoded string to the request header (Request Header) of every subsequent request. After receiving the request, the HTTP server extracts the attached user information (the BASE64-encoded user name and password) as the protocol specifies, decodes it and verifies the user name and password. If they are correct, it returns the data the client requested; otherwise it returns an error code or asks the client for a user name and password again.

2. BASIC authentication process

1. The client requests data from the server; the requested content may be a web page or any other MIME type. Assuming the client has not yet been authenticated, it sends the following request:

GET /index.html HTTP/1.0
Host: www.google.com

2. The server answers with status code 401 to demand authentication; the response looks like this:

HTTP/1.0 401 Unauthorized
Server: SokEvo/1.0
WWW-Authenticate: Basic realm="google.com"
Content-Type: text/html
Content-Length: xxx

3. When an HTTP/1.0 or 1.1 client (e.g. IE, Firefox) receives the 401 response, it automatically pops up a login window asking the user for a user name and password.

4. After the user enters the user name and password, the client BASE64-encodes them and places the result in the request header; the request from step 1 is then re-sent as follows:

GET /index.html HTTP/1.0
Host: www.google.com
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Note: xxxx... represents the BASE64-encoded user name and password.

5. On receiving the above request, the server extracts and decodes the user information in the Authorization field and compares the decoded user name and password with its user database. If they are correct, the server sends the requested resource to the client.

3. Disadvantages of BASIC authentication

The goal of HTTP basic authentication is to provide simple user authentication. The process is straightforward and suits systems or devices with low security requirements, such as the configuration page of a home router. Its drawback is the lack of a flexible and reliable authentication strategy, for example no domain (or realm) based authentication. In addition, BASE64 is an encoding rather than encryption: it only hides the credentials from a casual glance, and anyone who captures the request header can decode them immediately. HTTP basic authentication can, of course, be combined with SSL or Kerberos to build an authentication system with relatively high security.
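The following Python sketch is an added example, not code from the original article: it plays both sides of the five-step exchange above (the client builds the Authorization header for the article's example user anjuta / 123456, the server issues the 401 challenge and verifies the decoded credentials) and, for section 3, shows that the header decodes straight back to the plaintext. The credential store, realm and helper names are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed credential store holding the article's example user anjuta / 123456
USERS = {"anjuta": "123456"}
REALM = "google.com"


def build_authorization(username: str, password: str) -> str:
    """Client side (step 4): 'user:password' is Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_credentials(authorization: str):
    """Recover (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only so a password that contains ':' is not truncated
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def challenge():
    """Server side (step 2): the 401 that makes the browser prompt for credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b""


def handle_request(headers: dict, body: bytes = b"<html>index</html>"):
    """Server side (step 5): returns (status, headers, body) for one request."""
    auth = headers.get("Authorization")
    creds = parse_credentials(auth) if auth else None
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison so response timing does not leak matching prefixes
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge()
    return 200, {"Content-Type": "text/html"}, body
```

Calling parse_credentials on any captured header returns the plaintext user name and password, which is exactly why the article recommends pairing BASIC authentication with SSL.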

4. Java implementation of BASIC authentication

The servlet below keeps the logic of the original listing (session check, 401 challenge, decode of the Authorization header, comparison against the hard-coded demo credentials 111 / 111) with its defects fixed: the misspelled PrintWriter variable, the missing closing brace, the use of the non-public sun.misc BASE64Decoder (replaced by java.util.Base64), and the split on ":" that truncated passwords containing a colon.

import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class BasicAuthServlet extends HttpServlet {

    // Send the 401 challenge; the WWW-Authenticate header makes the browser prompt for credentials
    private void challenge(HttpServletResponse response) throws IOException {
        response.setStatus(401);
        response.setHeader("WWW-Authenticate", "Basic realm=\"Please enter the administrator password\"");
        PrintWriter out = response.getWriter();
        out.print("I'm sorry, you don't have access!!");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession();
        String user = (String) session.getAttribute("user");
        String pass;
        if (user == null) {
            response.setCharacterEncoding("GBK");
            String authorization = request.getHeader("Authorization");
            if (authorization == null || !authorization.startsWith("Basic ")) {
                challenge(response);
                return;
            }
            // Decode the BASE64 payload that follows "Basic "; reject anything that is not valid BASE64
            String userAndPass;
            try {
                byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
                userAndPass = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException ex) {
                challenge(response);
                return;
            }
            // Split on the first ':' only, so a password containing ':' is kept intact
            String[] parts = userAndPass.split(":", 2);
            if (parts.length < 2) {
                challenge(response);
                return;
            }
            user = parts[0];
            pass = parts[1];
            // Demo credentials from the original listing; a real deployment checks a user store
            if (user.equals("111") && pass.equals("111")) {
                session.setAttribute("user", user);
                request.getRequestDispatcher("index.jsp").forward(request, response);
            } else {
                challenge(response);
            }
        } else {
            // Already authenticated in this session: serve the page directly
            request.getRequestDispatcher("index.jsp").forward(request, response);
        }
    }
}
