HttpClient 4 身份验证

简介

这篇文章简述 在 Apache HttpClient 4 中的身份验证

经过API身份验证

下面，咱们按标准的配置来进行身份验证。经过 CredentialsProvider

CredentialsProvider provider = new BasicCredentialsProvider();
UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("user1", "user1Pass");
provider.setCredentials(AuthScope.ANY, credentials);
HttpClient client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider).build();

HttpResponse response = client.execute(new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION));
int statusCode = response.getStatusLine().getStatusCode();
assertThat(statusCode, equalTo(HttpStatus.SC_OK));

你能够看到。建立客户端的身份验证并不难。 如今咱们看一下它的日志，了解一下HttpClient 在后面作了些什么事。

... request is sent with no credentials

[main] DEBUG ... - Authentication required [main] DEBUG ... - localhost:8080 requested authentication [main] DEBUG ... - Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic] [main] DEBUG ... - Challenge for negotiate authentication scheme not available [main] DEBUG ... - Challenge for Kerberos authentication scheme not available [main] DEBUG ... - Challenge for NTLM authentication scheme not available [main] DEBUG ... - Challenge for Digest authentication scheme not available [main] DEBUG ... - Selected authentication options: [BASIC]

... the request is sent again - with credentials

整个客户端和服务段的通讯以下：

• 发送一个没有身份的 HTTP 请求。
• 服务端返回一个信息
• 由客户端来识别，发送一个正确的身份验证
• 客户端再次发送一个有身份验证的请求

主动身份验证

上面咱们看到。HttpClient 并不主动经行身份验证。这里，咱们须要在客户端发出明确的验证信息。 首先，咱们须要建立一个 HttpContext — 将身份验证信息和验证方案预先缓存。

HttpHost targetHost = new HttpHost("localhost", 8080, "http");
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, 
  new UsernamePasswordCredentials(DEFAULT_USER, DEFAULT_PASS));

AuthCache authCache = new BasicAuthCache();
authCache.put(targetHost, new BasicScheme());

// Add AuthCache to the execution context
final HttpClientContext context = HttpClientContext.create();
context.setCredentialsProvider(credsProvider);
context.setAuthCache(authCache);

如今咱们能够使用这个上下文，发送一个预存的身份验证。

HttpClient client = HttpClientBuilder.create().build();
response = client.execute(new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION), context);

int statusCode = response.getStatusLine().getStatusCode();
assertThat(statusCode, equalTo(HttpStatus.SC_OK));

看下日志：

[main] DEBUG ... - Re-using cached 'basic' auth scheme for http://localhost:8080 [main] DEBUG ... - Executing request GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1 [main] DEBUG ... >> GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1 [main] DEBUG ... >> Host: localhost:8080 [main] DEBUG ... >> Authorization: Basic dXNlcjE6dXNlcjFQYXNz [main] DEBUG ... << HTTP/1.1 200 OK [main] DEBUG ... - Authentication succeeded

目测，没什么问题。

• 基本验证被选择了。
• 发送一个 验证头文件( Authorization header)
• 服务器返回 200
• 验证成功

原始 HTTP Headers 基本

预存验证信息就是发送的验证文件头( Authorization header).其实，咱们不用那么复杂。咱们能够本身构建一个头文件

HttpGet request = new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION);
String auth = DEFAULT_USER + ":" + DEFAULT_PASS;
byte[] encodedAuth = Base64.encodeBase64(auth.getBytes(Charset.forName("US-ASCII")));
String authHeader = "Basic " + new String(encodedAuth);
request.setHeader(HttpHeaders.AUTHORIZATION, authHeader);

HttpClient client = HttpClientBuilder.create().build();
HttpResponse response = client.execute(request);

int statusCode = response.getStatusLine().getStatusCode();
assertThat(statusCode, equalTo(HttpStatus.SC_OK));

看下是否工做正常

[main] DEBUG ... - Auth cache not set in the context [main] DEBUG ... - Opening connection {}->http://localhost:8080 [main] DEBUG ... - Connecting to localhost/127.0.0.1:8080 [main] DEBUG ... - Executing request GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1 [main] DEBUG ... - Proxy auth state: UNCHALLENGED [main] DEBUG ... - http-outgoing-0 >> GET /spring-security-rest-basic-auth/api/foos/1 HTTP/1.1 [main] DEBUG ... - http-outgoing-0 >> Authorization: Basic dXNlcjE6dXNlcjFQYXNz [main] DEBUG ... - http-outgoing-0 << HTTP/1.1 200 OK

咱们看到，即便不用预存验证信息咱们也能经过验证信息。

结束

文章演示了在 HttpClient 4 中，各类方法来设置和使用基本的身份验证