HTTP Basic Authentication

Basic overview

HTTP provides authentication mechanisms to protect resources. When a request for a protected resource arrives without acceptable credentials, the web server responds with the 401 Unauthorized status code. That response carries a WWW-Authenticate header naming the authentication scheme and the realm.

 

Basic authentication: the basic flow

 

1. The client requests a resource from the server that can only be viewed after authentication, and the client has not authenticated yet.

2. The server answers with a 401 response carrying a WWW-Authenticate header, and the browser pops up an authentication dialog.

Until that dialog is closed, the browser shows the request as pending, waiting for user input.

Clicking x or Cancel leaves the 401 status code in place, and the response content is as follows.


The response header contains this line:

WWW-Authenticate: Basic realm="Authentication required"

It indicates that authentication is required. The realm string, which the browser shows in its dialog, is "Authentication required" by default.

 

The realm text sent in WWW-Authenticate is configured through <realm-name> in the web.xml login-config, for example:

<login-config>
    <!-- Authentication method: BASIC authentication -->
    <auth-method>BASIC</auth-method>
    <realm-name>not login yet</realm-name>
</login-config>

 

The response now carries the configured realm: WWW-Authenticate: Basic realm="not login yet".

3. Refresh the page and enter the correct username and password, and the request reaches our project. Suppose our test.jsp page has the following content:

<%@page import="java.util.Base64"%>
<%@page language="java" import="java.util.*" %>

<%
    // Dump every request header so the Authorization header can be seen next to the others
    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String headerName = (String) headerNames.nextElement();
        String headerValue = request.getHeader(headerName);
        out.println(headerName + ": " + headerValue + "<br/>");
    }

    out.println("<hr/>");

    // Header names are case-insensitive; the value has the form "Basic <base64(user:password)>"
    String authHeader = request.getHeader("Authorization");
    if (authHeader != null && authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
        String encodedValue = authHeader.substring(6).trim();
        // Base64 is an encoding, not encryption: this recovers "user:password" verbatim
        String decoded = new String(Base64.getDecoder().decode(encodedValue),
                                    java.nio.charset.StandardCharsets.UTF_8);
        out.println(decoded);
    } else {
        out.println("No Basic Authorization header present");
    }
%>

 

The page then lists every request header and, below the rule, prints the decoded username:password pair.

Username and password transmission method

The username and password are joined with a colon ":" and the resulting string is Base64-encoded. Every request to the protected area carries that encoded string in the Authorization header (Authorization: Basic <encoded>). The server decodes it, splits on the first colon (a password may itself contain colons), and checks the credentials.

The core of Basic authentication is the 401 challenge: the server tells the browser that a username and password are needed, the browser resends the request with the Authorization header, and the back end Base64-decodes the header and authenticates the pair. Base64 is a reversible encoding, not encryption, so anyone who can read the request reads the password; the scheme is only acceptable over TLS.
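The exchange described above, written out as an added Python example (this is not code from the original page and not Tomcat's implementation). The user table and the credentials are constructed for the example; the server-side parser keeps the rules a practitioner cares about: the scheme name is case-insensitive, the decoded string is split on the first colon only, an absent or malformed header produces a fresh 401 challenge, and the password check uses a constant-time comparison.

```python
import base64
import hmac

# Constructed user table (assumption for this example; plaintext only to mirror tomcat-users.xml)
USERS = {"tomcat": "123456", "both": "123456"}


def build_authorization(username, password):
    """Client side: Base64("user-id:password") behind the scheme name."""
    if ":" in username:
        raise ValueError("the user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header):
    """Server side: return (username, password), or None when the header is absent or malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():  # scheme names are case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad Base64 (binascii.Error) or bad UTF-8
        return None
    # Split on the FIRST colon only: a password may legitimately contain ':'
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header, realm="not login yet"):
    """The 401 exchange: (200, {}) on success, otherwise (401, challenge headers)."""
    creds = parse_authorization(header)
    if creds is not None:
        user, password = creds
        # Compare against a dummy for unknown users too, so timing does not reveal valid usernames
        expected = USERS.get(user, "")
        match = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
        if match and user in USERS:
            return 200, {}
    # RFC 7617: charset="UTF-8" tells the client how to encode non-ASCII credentials
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}


if __name__ == "__main__":
    hdr = build_authorization("tomcat", "123456")
    print(hdr)                       # Basic dG9tY2F0OjEyMzQ1Ng==
    print(parse_authorization(hdr))  # ('tomcat', '123456')
    print(authenticate(hdr))         # (200, {})
    print(authenticate(None))        # (401, {'WWW-Authenticate': 'Basic realm="not login yet", charset="UTF-8"'})
```

The challenge is what the JSP above receives on first contact; the token in the usage lines is exactly what the test.jsp scriptlet decodes back to tomcat:123456.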

 

Enabling Basic authentication: web.xml configuration

<!-- The following is the Basic authentication configuration -->
<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Which addresses need authentication; /* means every address in this project needs authentication -->
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>tomcat</role-name>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <!-- Authentication method: BASIC authentication -->
    <auth-method>BASIC</auth-method>
    <realm-name>not login yet</realm-name>
</login-config>
<!-- Basic authentication configuration end -->

 

Configuration instructions

<security-constraint>: restricts access to one or more resources and may appear multiple times in web.xml. It contains the following elements:

    <web-resource-collection>: identifies the resources whose access is restricted. You can define URL patterns and, with <http-method>, the HTTP methods the constraint covers. If no <http-method> is listed, the restriction applies to all methods. If methods are listed, only those methods are constrained: with the configuration above, HEAD, OPTIONS and any other unlisted method reach the protected resources without authentication (Tomcat logs a startup warning about such uncovered methods). Unless the list is deliberate, omit <http-method> entirely, or add <deny-uncovered-http-methods/> (Servlet 3.1 and later) so that uncovered methods are rejected instead of allowed.

    <auth-constraint>: lists the user roles that may access the restricted resources defined above.

<login-config>: specifies the authentication method. It contains the following elements:

    <auth-method>: the authentication method, one of BASIC (basic authentication), DIGEST (digest authentication), FORM (form-based authentication) or CLIENT-CERT (client certificate authentication).

    <realm-name>: the realm string placed in the WWW-Authenticate header when the BASIC method is used.
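To make the http-method point concrete, here is an added Python example (not code from the page and not Tomcat's own implementation): a small evaluator that applies the Servlet security-constraint rules (URL pattern matching, the http-method list, auth-constraint roles and deny-uncovered-http-methods) to a constructed web.xml modelled on the configuration above. It is a simplified model of the container: it stops at the first matching collection and does not merge overlapping constraints the way a real container does; the path /test.jsp and the role names are assumptions.

```python
import xml.etree.ElementTree as ET


def make_web_xml(methods=("DELETE", "GET", "POST", "PUT"), deny_uncovered=False):
    """Constructed web.xml fragment modelled on the page's configuration (hypothetical app)."""
    method_elems = "".join(f"<http-method>{m}</http-method>" for m in methods)
    deny = "<deny-uncovered-http-methods/>" if deny_uncovered else ""
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      {method_elems}
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  {deny}
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>not login yet</realm-name>
  </login-config>
</web-app>"""


def url_matches(pattern, path):
    """Servlet-style matching: exact, path prefix ('/x/*', and '/*' for everything) or extension ('*.jsp')."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def decide(web_xml, method, path, roles=None):
    """Return 'allow', '401' (no credentials, challenge) or '403' (authenticated but not authorised).

    roles=None models a request without valid credentials; a list models an authenticated user."""
    root = ET.fromstring(web_xml)
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    url_constrained = False
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            if not any(url_matches(p, path) for p in patterns):
                continue
            url_constrained = True
            # Listing methods narrows the constraint: anything not listed is "uncovered"
            if methods and method.upper() not in methods:
                continue
            ac = sc.find("auth-constraint")
            if ac is None:
                return "allow"   # constraint without auth-constraint: open to everyone
            allowed = {r.text.strip() for r in ac.findall("role-name")}
            if not allowed:
                return "403"     # empty <auth-constraint/> denies all callers
            if roles is None:
                return "401"     # challenge with WWW-Authenticate: Basic realm="..."
            if "*" in allowed or allowed & set(roles):
                return "allow"
            return "403"
    # Servlet 3.1: deny-uncovered-http-methods turns the gap into a 403 instead of open access
    if url_constrained and deny_uncovered:
        return "403"
    return "allow"


if __name__ == "__main__":
    page_config = make_web_xml()
    for m in ("GET", "HEAD", "OPTIONS"):
        print(m, decide(page_config, m, "/test.jsp"))
    # GET 401 / HEAD allow / OPTIONS allow
    print("HEAD", decide(make_web_xml(methods=()), "HEAD", "/test.jsp"))           # 401
    print("HEAD", decide(make_web_xml(deny_uncovered=True), "HEAD", "/test.jsp"))  # 403
```

With the page's method list a HEAD or OPTIONS request to /test.jsp is never challenged, while dropping the <http-method> elements challenges every method and <deny-uncovered-http-methods/> rejects the uncovered ones outright.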

 

Every common web server supports Basic authentication. The web.xml above turns it on; the accounts and roles it checks come from Tomcat's default UserDatabaseRealm, which reads conf/tomcat-users.xml:

<tomcat-users version="1.0" xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd">
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="123456" roles="tomcat"/>
  <user username="both" password="123456" roles="tomcat,manager"/>
  <user username="manager" password="123456" roles="manager"/>
</tomcat-users>

 

The passwords here are stored in clear text, which the default Realm accepts but which hands every account to anyone who can read the file; Tomcat's Realm can instead be configured with a CredentialHandler (for example MessageDigestCredentialHandler with a SHA-256 algorithm) so that tomcat-users.xml holds salted digests, which bin/digest.sh generates.

Disadvantages of Basic Authentication

The goal of HTTP Basic authentication is to provide a simple user authentication function. The process is simple and clear, and it suits systems or devices that do not require high security; the configuration pages of home routers, for example, almost all use it. Its drawbacks: there is no flexible or reliable authentication strategy (no session, no logout, and the browser resends the credentials on every request to the realm); and Base64 is an encoding, not encryption, so the username and password sit in the request header in what is effectively plaintext and can be read by anyone on the path unless the connection uses TLS.

 

 

 

 

 

 

 

 

 
