HttpClient学习研究---第四章：HTTP authenticationHTTP身份验证

• Parse and process the challenge sent by the target server in response to request for a protected resource.解析和处理挑战目标服务器发送的响应请求一个受保护的资源。

• Provide properties of the processed challenge: the authentication scheme type and its parameters, such the realm this authentication scheme is applicable to, if available提供属性的处理的挑战:身份验证方案类型及其参数,这样的领域这身份验证方案适用于,如果可用

• Generate the authorization string for the given set of credentials and the HTTP request in response to the actual authorization challenge.生成授权字符串给定组凭证和HTTP请求响应实际的授权的挑战。

• Basic:基本的:Basic authentication scheme as defined in RFC 2617. 基本身份验证方案在RFC 2617中定义的。This authentication scheme is insecure, as the credentials are transmitted in clear text. 这种身份验证方案是不安全的,因为凭证是明文传输的。Despite its insecurity Basic authentication scheme is perfectly adequate if used in combination with the TLS/SSL encryption.尽管它不安全感基本身份验证方案是完全足够如果用于结合TLS / SSL加密。

• Digest.消化。Digest authentication scheme as defined in RFC 2617. 摘要式身份验证方案在RFC 2617中定义的。Digest authentication scheme is significantly more secure than Basic and can be a good choice for those applications that do not want the overhead of full transport security through TLS/SSL encryption.摘要式身份验证方案明显更安全比基本和可以是一个不错的选择对于那些不希望应用程序的开销全部运输安全通过TLS / SSL加密。

• NTLM:NTLM:NTLM is a proprietary authentication scheme developed by Microsoft and optimized for Windows platforms. 是一个专有NTLM身份验证方案由微软开发和优化了Windows平台。NTLM is believed to be more secure than Digest.NTLM被认为是更安全比消化。

• SPNEGO:SPNEGO: SPNEGO (S年代imple and几种具体实现和 Pprotected包装 GSSAPI Negonegotiation Mechanism) is atiation机制)是一个 GSSAPI"pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms. “伪机制”,用于谈判的几种可能的真正机制。SPNEGO's most visible use is in Microsoft'sSPNEGO最可见的使用是在微软的 HTTP Negotiateauthentication extension. 身份验证扩展。The negotiable sub-mechanisms include NTLM and Kerberos supported by Active Directory. 子机制的可转让包括NTLM和Kerberos支持活动目录。At present HttpClient only supports the Kerberos sub-mechanism.目前国内外HttpClient只支持Kerberos。

• Kerberos:Kerberos:Kerberos authentication implementation.Kerberos身份验证实现。

• Lookupinstance representing the actual authentication scheme registry. 实例代表实际的验证方案注册表。The value of this attribute set in the local context takes precedence over the default one.这个属性的值设置在本地上下文优先于默认的一个。

• CredentialsProviderinstance representing the actual credentials provider. 实例代表实际的凭证提供者。The value of this attribute set in the local context takes precedence over the default one.这个属性的值设置在本地上下文优先于默认的一个。

• AuthStateinstance representing the actual target authentication state. 实例代表实际的目标身份验证状态。The value of this attribute set in the local context takes precedence over the default one.这个属性的值设置在本地上下文优先于默认的一个。

• AuthStateinstance representing the actual proxy authentication state. 实例代表实际的代理身份验证状态。The value of this attribute set in the local context takes precedence over the default one.这个属性的值设置在本地上下文优先于默认的一个。

• AuthCacheinstance representing the actual authentication data cache. 实例代表实际的验证数据缓存。The value of this attribute set in the local context takes precedence over the default one.这个属性的值设置在本地上下文优先于默认的一个。

The这个 NTLMauthentication scheme is significantly more expensive in terms of computational overhead and performance impact than the standard身份验证方案是更昂贵的计算开销和性能方面比标准的影响 Basicand和 Digestschemes. 方案。This is likely to be one of the main reasons why Microsoft chose to make这可能是一个主要的原因为什么微软选择了把 NTLMauthentication scheme stateful. 身份验证方案状态。That is, once authenticated, the user identity is associated with that connection for its entire life span. 也就是说,一旦用户通过身份认证,身份是与之相关的连接对其整个生命周期。The stateful nature of有状态的本质 NTLMconnections makes connection persistence more complex, as for the obvious reason persistent连接使连接持久性更复杂的,因为很明显的原因持久 NTLMconnections may not be re-used by users with a different user identity. 连接可能不被重用,用户用一个不同的用户身份。The standard connection managers shipped with HttpClient are fully capable of managing stateful connections. 附带的标准连接经理HttpClient完全有能力管理有状态连接。However, it is critically important that logically related requests within the same session use the same execution context in order to make them aware of the current user identity. 然而,它是非常重要的,逻辑上相关的请求在同一会话中使用相同的执行上下文为了使他们意识到当前用户身份。Otherwise, HttpClient will end up creating a new HTTP connection for each HTTP request against否则,HttpClient最终将创建一个新的HTTP连接每个HTTP请求的反对 NTLMprotected resources. 受保护的资源。For detailed discussion on stateful HTTP connections please refer to详细的讨论有状态的HTTP连接请参考this这section.部分。

As作为 NTLMconnections are stateful it is generally recommended to trigger连接���态通常建议来触发 NTLMauthentication using a relatively cheap method, such as身份验证使用相对便宜的方法,如 GETor或 HEAD, and re-use the same connection to execute more expensive methods, especially those enclose a request entity, such as,和重用相同的连接来执行更多的昂贵的方法,尤其是那些附上一个请求的实体,如 POSTor或 PUT.

CloseableHttpClient httpclient = <...>

CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY,
        new NTCredentials("user", "pwd", "myworkstation", "microsoft.com"));

HttpHost target = new HttpHost("www.microsoft.com", 80, "http");

// Make sure the same context is used to execute logically related requests
HttpClientContext context = HttpClientContext.create();
context.setCredentialsProvider(credsProvider);

// Execute a cheap method first. This will trigger NTLM authentication
HttpGet httpget = new HttpGet("/ntlm-protected/info");
CloseableHttpResponse response1 = httpclient.execute(target, httpget, context);
try {
    HttpEntity entity1 = response1.getEntity();
} finally {
    response1.close();
}

// Execute an expensive method next reusing the same context (and connection)
HttpPost httppost = new HttpPost("/ntlm-protected/form");
httppost.setEntity(new StringEntity("lots and lots of data"));
CloseableHttpResponse response2 = httpclient.execute(target, httppost, context);
try {
    HttpEntity entity2 = response2.getEntity();
} finally {
    response2.close();
}
  

The这个 SPNEGOauthentication scheme is compatible with Sun Java versions 1.5 and up. 身份验证方案兼容Sun Java版本1.5和起来。However the use of Java >= 1.6 is strongly recommended as it supports然而使用Java > = 1.6是强烈推荐的,因为它支持 SPNEGOauthentication more completely.身份验证更完全。

The Sun JRE provides the supporting classes to do nearly all the Kerberos and太阳JRE提供了支持类做几乎所有的Kerberos和 SPNEGOtoken handling. 令牌处理。This means that a lot of the setup is for the GSS classes. 这意味着大量的设置是为GSS类。The这个 SPNegoSchemeis a simple class to handle marshalling the tokens and reading and writing the correct headers.是一个简单的类处理编组的令牌和读写正确的标题。

The best way to start is to grab the最好的开始方式是抓起 KerberosHttpClient.javafile in examples and try and get it to work. 文件的例子,试着让它工作。There are a lot of issues that can happen but if lucky it'll work without too much of a problem. 有很多问题会发生但如果幸运会工作没有太大的问题。It should also provide some output to debug with.它还应该提供一些输出调试用。

In Windows it should default to using the logged in credentials; this can be overridden by using 'kinit' e.g.在Windows中它应该默认为使用登录凭证;这也能被使用的kinit”如。 $JAVA_HOME\bin\kinit testuser@AD.EXAMPLE.NET, which is very helpful for testing and debugging issues. ,这是非常有用的对于测试和调试问题。Remove the cache file created by kinit to revert back to the windows Kerberos cache.删除缓存文件由kinit恢复到windows Kerberos缓存。

Make sure to list确保列表 domain_realmsin the在 krb5.conffile. 文件。This is a major source of problems.这是一个主要的问题。

This documentation assumes you are using Windows but much of the information applies to Unix as well.本文档假设您使用的是Windows,但大部分的信息适用于Unix为好。

The这个 org.ietf.jgssclasses have lots of possible configuration parameters, mainly in the类有很多可能的配置参数,主要是在 krb5.conf/krb5.inifile. 文件。Some more info on the format at一些更多的信息的格式http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/krb5.conf.htmlhttp://web.mit.edu/kerberos/krb5 - 1.4 - / - - - - - - - admin/krb5.conf.html krb5 1.4.1/doc/krb5.

The following configuration is a basic setup that works in Windows XP against both下面的配置是一个基本的设置,在Windows XP对抗双方的工作 IISand和 JBoss Negotiationmodules.模块。

The system property系统属性 java.security.auth.login.configcan be used to point at the可以用来指向 login.conffile.文件。

login.confcontent may look like the following:内容可能看起来如下:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

  

If unspecified, the system default will be used. ��果没有指定,默认将使用的系统。Override if needed by setting the system property如果需要覆盖通过设置系统属性 java.security.krb5.confto point to a custom指向一个定制 krb5.conffile.文件。

krb5.confcontent may look like the following:内容可能看起来如下:

[libdefaults]
    default_realm = AD.EXAMPLE.NET
    udp_preference_limit = 1
[realms]
    AD.EXAMPLE.NET = {
        kdc = KDC.AD.EXAMPLE.NET
    }
[domain_realms]
.ad.example.net=AD.EXAMPLE.NET
ad.example.net=AD.EXAMPLE.NET

  

To allow Windows to use the current user's tickets, the system property允许Windows使用当前用户的门票,系统属性 javax.security.auth.useSubjectCredsOnlymust be set to必须设置为 falseand the Windows registry key和Windows的注册表键 allowtgtsessionkeyshould be added and set correctly to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.应该添加和正确设置允许发送会话密钥在Kerberos票据授予票。

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:在Windows Server 2003和Windows 2000 SP4,这里是必需的注册表设置:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

              

Here is the location of the registry setting on Windows XP SP2:下面是注册表设置的位置在Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01