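HttpClient 4 Authentication

Introduction

This article gives a brief overview of authentication in Apache HttpClient 4.

Authentication via the API

Below, we set up authentication the standard way, via a CredentialsProvider: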

CredentialsProvider provider = new BasicCredentialsProvider();
UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("user1", "user1Pass");
provider.setCredentials(AuthScope.ANY, credentials);
HttpClient client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider).build();

HttpResponse response = client.execute(new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION));
int statusCode = response.getStatusLine().getStatusCode();
assertThat(statusCode, equalTo(HttpStatus.SC_OK));

As you can see, setting up authentication on the client is not hard. Now let's look at the log to understand what HttpClient does behind the scenes:

... request is sent with no credentials

[main] DEBUG ... - Authentication required
[main] DEBUG ... - localhost:8080 requested authentication
[main] DEBUG ... - Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
[main] DEBUG ... - Challenge for negotiate authentication scheme not available
[main] DEBUG ... - Challenge for Kerberos authentication scheme not available
[main] DEBUG ... - Challenge for NTLM authentication scheme not available
[main] DEBUG ... - Challenge for Digest authentication scheme not available
[main] DEBUG ... - Selected authentication options: [BASIC]

... the request is sent again - with credentials

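The whole exchange between client and server is as follows:

  • The client sends an HTTP request with no credentials.
  • The server returns a message (the authentication challenge).
  • The client interprets it and works out the correct authentication to send.
  • The client sends the request again, this time with credentials.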
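
The provider above registers its credentials under AuthScope.ANY, which matches every host, port and realm. As an added example (not code from the original article), the following compares that registration with one scoped to the article's localhost:8080 target and prints which hosts each provider would answer. The class name, helper methods and the host other.example are made up for illustration, and lookups use host and port only, leaving realm and scheme unrestricted.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;

// Added example: needs httpclient 4.x on the classpath; makes no network calls.
public class AuthScopeComparison {

    // Build a provider holding one username/password pair registered under the given scope.
    static CredentialsProvider providerFor(AuthScope registeredScope) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(registeredScope,
            new UsernamePasswordCredentials("user1", "user1Pass"));
        return provider;
    }

    // True if the provider returns credentials for a lookup keyed on host and port
    // (assumption: realm and scheme are left unrestricted in the lookup scope).
    static boolean offersCredentials(CredentialsProvider provider, String host, int port) {
        Credentials found = provider.getCredentials(new AuthScope(host, port));
        return found != null;
    }

    public static void main(String[] args) {
        CredentialsProvider anyScope = providerFor(AuthScope.ANY);
        CredentialsProvider hostScope = providerFor(new AuthScope("localhost", 8080));

        // Constructed targets: the article's server, a different port on the same
        // machine, and a made-up host standing in for any other server.
        String[][] targets = {
            {"localhost", "8080"}, {"localhost", "9090"}, {"other.example", "8080"}
        };
        for (String[] t : targets) {
            int port = Integer.parseInt(t[1]);
            System.out.printf("%-20s ANY=%-5b scoped=%b%n", t[0] + ":" + port,
                offersCredentials(anyScope, t[0], port),
                offersCredentials(hostScope, t[0], port));
        }
    }
}
```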

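Preemptive Authentication

As we saw above, HttpClient does not authenticate preemptively. Here, the client has to be told explicitly to do so. First, we need to create an HttpContext that pre-caches the credentials and the authentication scheme: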

HttpHost targetHost = new HttpHost("localhost", 8080, "http");
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, 
  new UsernamePasswordCredentials(DEFAULT_USER, DEFAULT_PASS));

AuthCache authCache = new BasicAuthCache();
authCache.put(targetHost, new BasicScheme());

// Add AuthCache to the execution context
final HttpClientContext context = HttpClientContext.create();
context.setCredentialsProvider(credsProvider);
context.setAuthCache(authCache);

Now we can use this context to send a request with preemptive authentication:

HttpClient client = HttpClientBuilder.create().build();
HttpResponse response = client.execute(new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION), context);

int statusCode = response.getStatusLine().getStatusCode();
assertThat(statusCode, equalTo(HttpStatus.SC_OK));

Let's look at the log:

[main] DEBUG ... - Re-using cached 'basic' auth scheme for http://localhost:8080
[main] DEBUG ... - Executing request GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1
[main] DEBUG ... >> GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1
[main] DEBUG ... >> Host: localhost:8080
[main] DEBUG ... >> Authorization: Basic dXNlcjE6dXNlcjFQYXNz
[main] DEBUG ... << HTTP/1.1 200 OK
[main] DEBUG ... - Authentication succeeded

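At a glance, everything looks fine:

  • The Basic scheme is selected.
  • The request is sent with an Authorization header.
  • The server returns 200.
  • Authentication succeeds.

Raw HTTP Headers

Preemptive authentication simply means sending the Authorization header up front. In fact, we don't need anything that elaborate: we can build the header ourselves.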

HttpGet request = new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION);
String auth = DEFAULT_USER + ":" + DEFAULT_PASS;
byte[] encodedAuth = Base64.encodeBase64(auth.getBytes(Charset.forName("US-ASCII")));
String authHeader = "Basic " + new String(encodedAuth);
request.setHeader(HttpHeaders.AUTHORIZATION, authHeader);

HttpClient client = HttpClientBuilder.create().build();
HttpResponse response = client.execute(request);

int statusCode = response.getStatusLine().getStatusCode();
assertThat(statusCode, equalTo(HttpStatus.SC_OK));

Let's check that it works correctly:

[main] DEBUG ... - Auth cache not set in the context
[main] DEBUG ... - Opening connection {}->http://localhost:8080
[main] DEBUG ... - Connecting to localhost/127.0.0.1:8080
[main] DEBUG ... - Executing request GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1
[main] DEBUG ... - Proxy auth state: UNCHALLENGED
[main] DEBUG ... - http-outgoing-0 >> GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1
[main] DEBUG ... - http-outgoing-0 >> Authorization: Basic dXNlcjE6dXNlcjFQYXNz
[main] DEBUG ... - http-outgoing-0 << HTTP/1.1 200 OK

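As we can see, authentication succeeds even without the pre-cached authentication information.

Conclusion

This article demonstrated several ways to set up and use basic authentication in HttpClient 4.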
