Introduction
HttpClient supports three different types of http authentication schemes: Basic, Digest and NTLM. These can be used to authenticate with http servers or proxies.
Server Authentication
HttpClient handles authenticating with servers almost transparently, the only thing a developer must do is actually provide the login credentials. These credentials are stored in the HttpState instance and can be set or retrieved using the setCredentials(AuthScope authscope, Credentials cred)
and getCredentials(AuthScope authscope)
methods.
The automatic authorization built in to HttpClient can be disabled with the method setDoAuthentication(boolean doAuthentication)
in the HttpMethod class. The change only affects that method instance.
Preemptive Authentication
Preemptive authentication can be enabled within HttpClient. In this mode HttpClient will send the basic authentication response even before the server gives an unauthorized response in certain situations, thus reducing the overhead of making the connection. To enable this use the following:
client.getParams().setAuthenticationPreemptive(true);
Preemptive authentication mode also requires default Credentials to be set for the target or proxy host against which preemptive authentication is to be attempted. Failure to provide default credentials will render the preemptive authentication mode ineffective.
Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
client.getState().setCredentials(new AuthScope("myhost", 80, AuthScope.ANY_REALM), defaultcreds);
The preemptive authentication in HttpClient conforms to rfc2617:
A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server.
Security aspects of server authentication
Use default credentials with caution when developing applications that may need to communicate with untrusted web sites or web applications. When preemptive authentication is activated or credentials are not explicitly given for a specific authentication realm and host HttpClient will use default credentials to try to authenticate with the target site. If you want to avoid sending sensitive credentials to an untrusted site, narrow the credentials scope as much as possible: always specify the host and, when known, the realm the credentials are intended for.
Setting credentials with AuthScope.ANY authentication scope (null
value for host and/or realm) is highly discouraged in production applications. Doing this will result in the credentials being sent for all authentication attempts (all requests in the case of preemptive authentication). Use of this setting should be limited to debugging only.
// To be avoided unless in debug mode
Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
client.getState().setCredentials(AuthScope.ANY, defaultcreds);
Proxy Authentication
Proxy authentication in HttpClient is almost identical to server authentication with the exception that the credentials for each are stored independantly. So for proxy authentication you must use setProxyCredentials(AuthScope authscope, Credentials cred)
and getProxyCredentials(AuthScope authscope)
.
Authentication Schemes
The following authentication schemes are supported by HttpClient.
Basic
Basic authentication is the original and most compatible authentication scheme for HTTP. Unfortunately, it is also the least secure as it sends the username and password unencrypted to the server. Basic authentication requires an instance of UsernamePasswordCredentials (which NTCredentials extends) to be available, either for the specific realm specified by the server or as the default credentials.
Digest
Digest authentication was added in the HTTP 1.1 protocol and while not being as widely supported as Basic authentication there is a great deal of support for it. Digest authentication is significantly more secure than basic authentication as it never transfers the actual password across the network, but instead uses it to encrypt a "nonce" value sent from the server.
Digest authentication requires an instance of UsernamePasswordCredentials (which NTCredentials extends) to be available either for the specific realm specified by the server or as the default credentials.
NTLM
NTLM is the most complex of the authentication protocols supported by HttpClient. It is a proprietary protocol designed by Microsoft with no publicly available specification. Early version of NTLM were less secure than Digest authentication due to faults in the design, however these were fixed in a service pack for Windows NT 4 and the protocol is now considered more secure than Digest authentication.
NTLM authentication requires an instance of NTCredentials be available for the domain name of the server or the default credentials. Note that since NTLM does not use the notion of realms HttpClient uses the domain name of the server as the name of the realm. Also note that the username provided to the NTCredentials should not be prefixed with the domain - ie: "adrian" is correct whereas "DOMAIN\adrian" is not correct.
There are some significant differences in the way that NTLM works compared with basic and digest authentication. These differences are generally handled by HttpClient, however having an understanding of these differences can help avoid problems when using NTLM authentication.
- NTLM authentication works almost exactly the same as any other form of authentication in terms of the HttpClient API. The only difference is that you need to supply 'NTCredentials' instead of 'UsernamePasswordCredentials' (NTCredentials actually extends UsernamePasswordCredentials so you can use NTCredentials right throughout your application if need be).
- The realm for NTLM authentication is the domain name of the computer being connected to, this can be troublesome as servers often have multiple domain names that refer to them. Only the domain name that HttpClient connects to (as specified by the HostConfiguration) is used to look up the credentials. It is generally advised that while initially testing NTLM authentication, you pass the realm in as null which is used as the default.
- NTLM authenticates a connection and not a request, so you need to authenticate every time a new connection is made and keeping the connection open during authentication is vital. Due to this, NTLM cannot be used to authenticate with both a proxy and the server, nor can NTLM be used with HTTP 1.0 connections or servers that do not support HTTP keep-alives.
For a detailed explanation of how NTLM authentication works, please see http://davenport.sourceforge.net/ntlm.html.
Alternate authentication
Some servers support multiple schemes for authenticating users. Given that only one scheme may be used at a time for authenticating, HttpClient must choose which scheme to use. To accompish this, HttpClient uses an order of preference to select the correct authentication scheme. By default this order is: NTLM, Digest, Basic.
In certain cases it may be desirable to change this default. The default preference of the authentication schemes may be altered using the 'http.auth.scheme-priority' parameter. The parameter value is expected to be a List of Strings containing names of authentication schemes in descending order of preference.
HttpClient client = new HttpClient();
List authPrefs = new ArrayList(2);
authPrefs.add(AuthPolicy.DIGEST);
authPrefs.add(AuthPolicy.BASIC);
// This will exclude the NTLM authentication scheme
client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
Custom authentication scheme
HttpClient natively supports basic, digest, and NTLM authentication. It also contains a mechanism to plugin additional custom authentication schemes via the AuthScheme interface. The following steps are required to make use of a custom authentication scheme.
- Implement the
AuthScheme
interface.
- Register the custom
AuthScheme
with AuthPolicy.registerAuthScheme().
- Include the custom
AuthScheme
in the AuthPolicy.AUTH_SCHEME_PRIORITY preference (see the Alternate authentication section).
Examples
There are a number of authentication examples in the example directory, including:
Known limitations and problems
-
Authentication schemes that rely on persistent connection state do not work on Sun's JVMs below 1.4 if SSL is used
For details please refer to the Known limitations and problems section of the SSL Guide
Workaround: Disable stale connection check or upgrade to Java 1.4 or above.
-
Cannot authenticate with Microsoft IIS using NTLM authentication scheme
NT Lan Manager (NTLM) authentication is a proprietary, closed challenge/response authentication protocol for Microsoft Windows. Only some details about NTLM protocol are available through reverse engineering. HttpClient provides limited support for what is known as NTLMv1, the early version of the NTLM protocol. HttpClient does not support NTLMv2 at all.
Workaround: Disable NTLMv2. For details refer to this Microsoft Support Article
Troubleshooting
Some authentication schemes may use cryptographic algorithms. It is recommended to include the Java Cryptography Extension in your runtime environment prior to JDK 1.4. Also note that you must register the JCE implementation manually as HttpClient will not do so automatically. For instance to register the Sun JCE implementation, you should execute the following code before attempting to use HttpClient.
String secProviderName = "com.sun.crypto.provider.SunJCE");
java.security.Provider secProvider =
(java.security.Provider)Class.forName(secProviderName).newInstance();
Security.addProvider(secProvider);
相关推荐
通过httpclient post去获取,response返回码是302,返回的code放在header的Location中。 请求的时候client_id,response_type,redirect_uri,state拼接在url后面,account和password放在body表单(x-...
但是考虑到一些服务授权的问题,很多公司提供的页面往往并不是可以通过一个简单的URL就可以访问的,而必须经过注册然后登录后方可使用提供服务的页面,这个时候就涉及到COOKIE问题的处理。我们知道目前流行的***页...
出于安全性的需要和用户授权管理的考虑,常见的 J2EE 站点对特定资源都会加入认证/授权机制。例如一个公网上的论坛,一个只对特定用户开放的 RSS 或 Atom Feed,这些资源都必须在确信访问者为被授权用户时才能向访问...
通过winform使用httpclient客户端调用webApi接口,api使用oauth2.0权限控制,调用接口需要进行token获取认证、
commons-beanutils-1.8.3.jar,commons-codec-1.10.jar,commons-collections-3.2.1.jar,commons-httpclient-3.1.jar,commons-lang-2.6.jar,commons-logging-1.2.jar,ezmorph-1.0.6.jar,httpclient-4.5.2.jar,...
简单实用的获取微信公众号用户的信息 /* *微信认证获取openid部分: ... string result = HttpClientHelper.GetResponse(url); LogHelper.Debug(result); JObject outputObj = JObject.Parse(result);
课程目标学会用微信授权登录,绑定自己的业务系统适用人群同学们需要熟悉Java开发,了解OAuth2.0课程简介让同学们快速撑握OAuth2.0,实现微信授权登录,开发工具采用SpringBoot2.x,通过HttpClient调用微信授权接口 ...
它简化了传统APP繁琐的注册登录流程,支持微信一键授权登录,极大地提升了用户体验。用户通过搜索或扫描二维码,瞬间即可开启使用,享受快速加载、流畅运行的服务。 该小程序界面设计简洁明了,布局合理,易于上手...
让同学们快速撑握OAuth2.0,实现QQ授权登录,开发工具采用SpringBoot2.x,通过HttpClient调用QQ授权接口 ,通过本次5节视频轻松学习? ??
Java 实现HTTP BasicAuth服务端代码,压缩包为Eclipse工程,导入即可运行
1,快速实现授权验证 什么是 JWT ?为什么要用 JWT ?JWT 的组成? 这些百度可以直接找到,这里不再赘述。 实际上,只需要知道 JWT 认证模式是使用一段 Token 作为认证依据的手段。 我们看一下 Postman 设置 Token ...
HttpClient httpclient = new DefaultHttpClient(); HttpResponse httpResponse = httpclient.execute(httpRequest); //提交 int statusCode=httpResponse.getStatusLine().getStatusCode(); //获得结果码200是...
nopCommerce程序中触发指定计划任务服务的方式是:把当前程序定义的发指定计划任务服务,定义为第3方服务(由HttpClient实例所调用),再有当前程序通过定时器(Timer)方法成员自动触发并执行后,通过移步任务(Task)...
小米帐号开放平台OAuth PHP SDK使用说明小米OAuth简介小米帐号开放平台文档PHP SDK说明php-sdk/httpclient/XMApiClient.php -- 基础Http请求封装php-sdk/httpclient/XMOAuthClient.php -- 针对OAuth授权流程相关http...
授权步骤顺序 1.原始服务器AuthServer请求的C#代码。 /* * Authenticated request example */ HttpClient httpClient = new HttpClient (); string response = await ( await httpClient . GetAsync ( " ...
提供控制器集成和授权支持。 安装 使用 composer require tsingsun/yii2-graphql 类型 类型系统是GraphQL的核心,它体现在GraphQLType 。 通过解构GraphQL协议并使用库实现对所有元素的细粒度控制,可以方便地根据...
简介: weixin-popular 包括微信公众平台基础API与支付API,提供便捷的API调用接口. API 列表: TokenAPI access_token 获取 MediaAPI 多媒体上传下载(临时素材) ...
用于使用令牌针对OAuth服务器授权请求和管理令牌的库。 图书馆: 是完全线程安全的 支持以下请求: HttpClient,WebClient,HttpWebRequest 有能力服务更多的客户 用.NET Standard 2.1编写 使用例 在使用* ...
添加SendMail.java发件邮箱授权码。 下载地址: 实现功能 自动登录stackoverflow 项目简要说明 使用HttpClient,附带表单参数,向stackoverflow发送post请求 开发说明流程 使用浏览器分析stackoverflow的登录页面...
支持 API 授权在单页面应用 (Spa) 中提供身份验证、实现 Open ID Connect 的IdentityServer结合。 Worker Service 模板,为开发做服务或监控微服务相关Bus Microsoft.Data.SqlClient:独立存在于.NET Framework和...