Shulou(Shulou.com)06/01 Report--

Today, the editor will share with you the relevant knowledge points about how Tomcat is handled internally to complete BASIC application certification. The content is detailed and the logic is clear. I believe most people still know too much about this knowledge, so share this article for your reference. I hope you can get something after reading this article. Let's take a look at it.

1. Authorization request header

Before that, let's take a look at the specific role of Authorization in the request header. The following is the definition of authorization in RFC2616:

A user agent that wishes to authenticate itself with a server--

Usually, but not necessarily, after receiving a 401 response--

Does so by including an Authorization request-header field with the

Request. T

Authorization = "Authorization": "credentials

That is, after receiving the 401 information returned by the server, it is used to transmit the authentication information to the server.

2. BASIC certification

The security authentication methods of HTTP can be implemented in the following ways:

BASIC

FORM

DIGEST

SSL

After entering the user name and password, what is actually passed to Tomcat is something like this:

Basic dG9tY2F0OnRvbWNhdA==

This string, before the space is the current authentication method, and the space is followed by the Base64 encoding of the user name and password. When you write here, everyone should know, oh, the background is directly Base64 decoding. You're right. Here's the thing.

The decoded code is as follows: located in BasicAuthorization.authenticate ()

/ / Validate any credentials already included with this request

MessageBytes authorization =

Request.getCoyoteRequest () .getMimeHeaders ()

.getValue ("authorization"); / / parse the authentication value in the request header

If (authorization! = null) {

Authorization.toBytes ()

ByteChunk authorizationBC = authorization.getByteChunk ()

BasicCredentials credentials = null

Try {

Credentials = new BasicCredentials (authorizationBC); / / where the user name and password are resolved

String username = credentials.getUsername ()

String password = credentials.getPassword ()

/ / enter the Realm authentication according to the obtained data

Principal = context.getRealm () .authenticate (username, password)

If (principal! = null) {

Register (request, response, principal

HttpServletRequest.BASIC_AUTH, username, password)

Return (true)

}

}

Catch (IllegalArgumentException iae) {

If (log.isDebugEnabled ()) {

Log.debug ("Invalid Authorization" + iae.getMessage ())

}

}

} BasicCredentials constructor: / * *

* Parse the HTTP Authorization header for BASIC authentication

* as per RFC 2617 section 2, and the Base64 encoded credentials

* as per RFC 2045 section 6.8.

*

* @ param input The header value to parse in-place

*

* @ throws IllegalArgumentException If the header does not conform

* to RFC 2617

, /

Public BasicCredentials (ByteChunk input)

Throws IllegalArgumentException {

Authorization = input

InitialOffset = input.getOffset ()

ParseMethod ()

Byte [] decoded = parseBase64 ()

ParseCredentials (decoded); / / extract here}

This is the Authorization request header extraction process for Basic. What PostMan does is add the user name and password information to the request header before the request.

If you will open the code and try it after reading this article, Tomcat's Manager app is an example. It is also authenticated through BASIC.

3. Application

How do we configure our general applications to use BASIC authentication?

All you need to do is declare the following snippet in web.xml

BASIC

Tomcat Manager Application

At this point, BASIC authentication is used for the application. But if you try it in a hurry at this time, it will not work. Because you didn't specify which resources to protect!

You also need to declare which resources are protected separately, such as the following configuration snippet

HTML Manager

/ html/*

Manager-gui

The above states the specific protected request path, the corresponding role used, and so on. For more information on configuration, please refer to the Manager application, and we won't talk about it any more.

4. Why

We mentioned above that there are many ways to authenticate HTTP, and Tomcat also has corresponding implementations.

So after configuring BASIC in web.xml, how does it correspond to the specific BASIC authentication code?

In fact, the principle of implementation looks like this:

The authentication methods shown in the above list, corresponding to Tomcat, are implemented in the form of a Valve. Which Valve corresponding to the authentication method is added to each application is achieved by parsing the auth-method configured in the web.xml and determining the specific method.

These are all the contents of this article entitled "how to complete BASIC Application Certification within Tomcat". Thank you for reading! I believe you will gain a lot after reading this article. The editor will update different knowledge for you every day. If you want to learn more knowledge, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.