On the principle and implementation of HTTP Basic authentication

1、 Basic authentication overview

When communicating over HTTP, the protocol defines a basic authentication process that lets the HTTP server authenticate the identity of the web browser's user. When a client requests data from the HTTP server and has not yet been authenticated, the server verifies the client's user name and password through the basic authentication process to decide whether the user is legitimate. After receiving the authentication request from the server, the client prompts the user for a user name and password, Base64-encodes them, and attaches the encoded string to the request. For example, when the user name is anjuta and the password is 123456, the client joins the user name and password with ":" into the string anjuta:123456, Base64-encodes that combined string, and attaches the result to the request header of every subsequent request. Each time the HTTP server receives a request, it takes the user information the client attached according to the protocol (the Base64-encoded user name and password), decodes it, and verifies the user name and password. If they are correct, the server returns the data the client asked for; otherwise it returns an error code or asks the client again for the user name and password.

2、 Basic authentication process

1. The client requests data from the server. The requested content may be a web page or any other MIME type. Assuming the client has not yet been authenticated, it sends the server the following request:

GET /index.html HTTP/1.0
Host: www.google.com

2. The server answers with the authentication challenge, status code 401. The data returned by the server looks like this:

HTTP/1.0 401 Unauthorized
Server: SokEvo/1.0
WWW-Authenticate: Basic realm="google.com"
Content-Type: text/html
Content-Length: xxx

3. Clients that follow the HTTP/1.0 or 1.1 standard (such as IE and Firefox) automatically pop up a login window when they receive the 401 response, asking the user to enter a user name and password.

4. After the user enters the user name and password, the client Base64-encodes them and puts the encoded string into the earlier request, so the request the client first sent now becomes:

GET /index.html HTTP/1.0
Host: www.google.com
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Note: xxxx stands for the Base64-encoded user name and password.

5. After receiving the above request, the server takes the user information that follows the Authorization field, decodes it, and compares the decoded user name and password against its user database. If the user name and password are correct, the server sends the requested resource to the client as asked.
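The exchange in steps 1 to 5 above, written out in Python as an added example (this is not code from the original article, which contains none): the client side builds the Authorization header from the page's sample user anjuta / 123456, and the server side parses the header, answers 401 with the WWW-Authenticate challenge when credentials are missing, malformed or wrong, and 200 when they match. The user table USERS, the realm string, and the function names are assumptions made for this example. Because the server simply Base64-decodes the header, the example also makes the point of the next section concrete: anyone who sees the header can recover the password with one decode call, which is why Basic authentication is only sensible over TLS.

```python
import base64
import binascii
import hmac

# Constructed user database and realm for this example (not from the original page).
USERS = {"anjuta": "123456"}
REALM = "google.com"


def build_authorization_header(username: str, password: str) -> str:
    """Client side (step 4): join user name and password with ':' and Base64-encode.

    Base64 is an encoding, not encryption: base64.b64decode() on the token
    gives back 'anjuta:123456' unchanged.
    """
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_authorization_header(header: str):
    """Server side (step 5): return (username, password), or None if the header
    is not a well-formed Basic credential."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead
        # of silently skipping them.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user name may not contain ':', but the password may, so split on
    # the first colon only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers: dict):
    """Server side: return (status, response headers, body) for a request for /index.html."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}  # step 2
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge, "Unauthorized"
    parsed = parse_authorization_header(auth)
    if parsed is None:
        return 401, challenge, "Unauthorized"
    username, password = parsed
    # compare_digest keeps the comparison time independent of where the two
    # strings first differ; an unknown user is compared against an empty string.
    expected = USERS.get(username, "")
    ok = username in USERS and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    )
    if not ok:
        return 401, challenge, "Unauthorized"
    return 200, {"Content-Type": "text/html"}, "<html>index.html</html>"


if __name__ == "__main__":
    # Step 1: request without credentials -> 401 challenge.
    print(handle_request({}))
    # Step 4/5: same request with the encoded credentials -> 200.
    header = build_authorization_header("anjuta", "123456")
    print(header)  # Basic YW5qdXRhOjEyMzQ1Ng==
    print(handle_request({"Authorization": header}))
```

Running the block prints the 401 challenge first, then the header "Basic YW5qdXRhOjEyMzQ1Ng==" and the 200 response. Decoding that token with base64.b64decode() yields b"anjuta:123456", which is all an observer on the path needs.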

3、 Disadvantages of basic authentication

The goal of HTTP basic authentication is to provide a simple user authentication function. Its process is simple and clear, which makes it suitable for systems or devices with low security requirements, such as the configuration page of the routers everyone uses; almost all of them use this method. Its disadvantage is that it offers no flexible or reliable authentication strategy: for example, it cannot provide domain-based or real authentication. In addition, the protection offered by Base64 is very weak, doing little more than keeping Sohu from searching it. Of course, HTTP basic authentication can also be combined with SSL or Kerberos to build an authentication system with (relatively) high security.

4、 Java implementation code of basic authentication

That is all about the principle and implementation of HTTP Basic authentication. I hope you will keep supporting Programming Tips.

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.