当前位置: 文江博客话题详情

HTTP 身份验证解码的开源 Java 服务器端实现

发布于 2024-08-08 19:27:25 字数 316 浏览 3 评论 0原文

我需要在 servlet 应用程序中执行 HTTP 身份验证逻辑,而不是将此任务委托给容器。

具体来说,我需要一种方法来获取包含 HTTP 身份验证标头的 HttpServletRequest 标头,并将它们解码为表示所提供凭据的数据结构,然后应用程序可以处理该数据结构。应该支持基本身份验证和摘要身份验证。

我可以用手写这个,这不会太麻烦,RFC 都有详细的文档记录,但我很想使用现成的库来为我做这件事。

我的第一个想法是 Spring Security,但据我所知,这个任务委托给了容器(我对此有点不清楚,这是一个复杂的代码库)。

有人知道其他人吗?

原文

I have a requirement to perform HTTP authentication logic within a servlet application, rather than delegating this task to the container.

Specifically, I need a way of taking the headers of an HttpServletRequest which contains HTTP auth headers, and having them decoded into a data structure representing the supplied credentials, which the application can then process. Both basic and digest auth should be supported.

I could write this by hand, it wouldn't be too much of a chore, the RFCs are all well documented, but I'd quite like to use an off-the shelf library to do it for me.

My first thought was Spring Security, but from what I can tell this delegates this task to the container (I'm a bit unclear on that, it's a complicated code base).

Anyone know of any others?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

画▽骨i 2024-08-15 19:27:25
  • 对于 BASIC,它非常容易实现 - 只需读取标头,对其进行 base64 解码,然后将其拆分为“:”字符。您还可以使用 Spring 的 BasicProcessingFilter,并提供 AuthenticationManager
  • 使用摘要,您无法从请求中获取密码(这就是重点......)。即使协议有详细记录,实现所有细节也不是一项简单的任务。因此我会选择 Spring 的 摘要处理过滤器。在这种情况下,您需要提供 UserDetailsS​​ervice 根据用户名(用于摘要)提供用户密码。
  • For BASIC, it is very easy to implement - just read the header, base64 decode it and split it on the ':' character. You can also use use Spring's BasicProcessingFilter, and supply your instance of AuthenticationManager.
  • With Digest, you cannot get the password from the request (that's the whole point...). Implementing all the details is not a trivial task, even thought the protocol is well documented. Therefore I'd go with Spring's DigestProcessingFilter. In this case you need to supply the UserDetailsService who provides the user's password based on the username (for the digest).
回复 原文
゛清羽墨安 2024-08-15 19:27:25

这是我的解码器:

public static String[] decodeBasicAuth(String authorization) {
    if (authorization == null)
        throw new RuntimeException("Invalid Authorization String.");
    if (authorization.length() < 9)
        throw new RuntimeException("Invalid Authorization String.");
    if (authorization.length() > 64)
        throw new RuntimeException("Invalid Authorization String.");
    String s[] = authorization.split("\\s", 3);
    if (s.length < 2)
        throw new RuntimeException("Invalid Authorization String.");
    for (int i = 0; i < s.length; i++) {
        String part = s[i];
        if (part.compareTo("Basic") == 0) {
            String userPassBase64 = s[i + 1];
            if (!userPassBase64.isEmpty()) {
                String userPass = null;
                try {
                    userPass = new String(DatatypeConverter.parseBase64Binary(userPassBase64));
                } catch (RuntimeException e) {
                    throw new RuntimeException("Authorization cannot be decoded.", e);
                }
                String userPassArray[] = userPass.split(":");
                if (userPassArray.length == 2) {
                    return userPassArray;
                } else {
                    throw new RuntimeException("Invalid Authorization String.");
                }
            } else {
                throw new RuntimeException("Invalid Authorization String.");
            }
        }
    }
    throw new RuntimeException("Authorization cannot be decoded.");
}

Here is my decoder:

public static String[] decodeBasicAuth(String authorization) {
    if (authorization == null)
        throw new RuntimeException("Invalid Authorization String.");
    if (authorization.length() < 9)
        throw new RuntimeException("Invalid Authorization String.");
    if (authorization.length() > 64)
        throw new RuntimeException("Invalid Authorization String.");
    String s[] = authorization.split("\\s", 3);
    if (s.length < 2)
        throw new RuntimeException("Invalid Authorization String.");
    for (int i = 0; i < s.length; i++) {
        String part = s[i];
        if (part.compareTo("Basic") == 0) {
            String userPassBase64 = s[i + 1];
            if (!userPassBase64.isEmpty()) {
                String userPass = null;
                try {
                    userPass = new String(DatatypeConverter.parseBase64Binary(userPassBase64));
                } catch (RuntimeException e) {
                    throw new RuntimeException("Authorization cannot be decoded.", e);
                }
                String userPassArray[] = userPass.split(":");
                if (userPassArray.length == 2) {
                    return userPassArray;
                } else {
                    throw new RuntimeException("Invalid Authorization String.");
                }
            } else {
                throw new RuntimeException("Invalid Authorization String.");
            }
        }
    }
    throw new RuntimeException("Authorization cannot be decoded.");
}
回复 原文
情释 2024-08-15 19:27:25

我不知道有什么框架,但除非您使用 BASIC 身份验证,否则您可能无法获取用户的密码。

如果您使用 BASIC 身份验证,则对 Authentication 标头进行 Base64Decode 非常简单。

I don't know of a framework off hand, but unless you're using BASIC authentication, you might not be able to get the password for the user.

If you are using BASIC authentication, it's pretty trivial to Base64Decode the Authentication header.

回复 原文
~没有更多了~

关于作者

温柔嚣张

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

離殇

文章 0 评论 0

小姐丶请自重

文章 0 评论 0

Aik

文章 0 评论 0

国产ˉ祖宗

文章 0 评论 0

猥琐帝

文章 0 评论 0

半仙

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文