HTTP Digest Authentication 使用心得

Posted sp42a

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了HTTP Digest Authentication 使用心得相关的知识,希望对你有一定的参考价值。

简介

浏览器弹出这个原生的用户登录对话框,想必大家都不陌生,就是 HTTP Baisc 认证的机制。

这是浏览器自带的,遵循 RFC2617/7617 协议。但必须指出的是,遇到这界面,不一定是 Basic Authentication,也可能是 Digest Authentication。关于浏览器自带的认证,简单说有以下版本:

  • Basic: RFC 2617 (1999) -> RFC 7617 (2015)
  • Digest: RFC 2069 (1997) -> RFC 2617 (1999) -> RFC 7617 (2015)
  • OAuth 1.0 (Twitter, 2007)
  • OAuth 2.0 (2012)/Bearer (OAuth 2.0): RFC 6750 (2012)
  • JSON Web Tokens (JWT): RFC 7519 (2015)

可參照 MDN - HTTP authentication 了解更多。

Basic 为最简单版本(我 13 年有博文《Java Web 实现 HTTP Basic 认证》曾经探讨过),密码就用 Base64 编码一下,安全性低等于裸奔,好处是够简单;今天说的 Digest,不直接使用密码,而是密码的 MD5。虽说不是百分百安全(也不存在百分百)但安全性立马高级很多。

原生实现

试验一个新技术,我最喜欢简单直接无太多封装的原生代码,——就让我们通过经典 Servlet 的例子看看如何实现 Digest Authentication;另外最后针对我自己的框架,提供另外一个封装的版本,仅依赖 Spring 和我自己的一个库。

开门见山,先贴完整代码。

package com;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.digest.DigestUtils;

/**
 * Servlet implementation class TestController
 */
@WebServlet("/foo")
public class TestController extends HttpServlet 
	/**
	 * 用户名,你可以改为你配置的
	 */
	private String userName = "usm";

	/**
	 * 密码,你可以改为你配置的
	 */
	private String password = "password";

	/**
	 * 
	 */
	private String authMethod = "auth";

	/**
	 * 
	 */
	private String realm = "example.com";

	public String nonce;

	private static final long serialVersionUID = 1L;

	/**
	 * 定时器,每分钟刷新 nonce
	 */
	public TestController() 
		nonce = calculateNonce();
		Executors.newScheduledThreadPool(1).scheduleAtFixedRate(() -> 
//			log("刷新 Nonce....");
			nonce = calculateNonce();
		, 1, 1, TimeUnit.MINUTES);
	

	protected void authenticate(HttpServletRequest req, HttpServletResponse resp) 
		resp.setContentType("text/html;charset=UTF-8");

		String requestBody = readRequestBody(req);
		String authHeader = req.getHeader("Authorization");

		try (PrintWriter out = resp.getWriter();) 
			if (isBlank(authHeader)) 
				resp.addHeader("WWW-Authenticate", getAuthenticateHeader());
				resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
			 else 
				if (authHeader.startsWith("Digest")) 
					// parse the values of the Authentication header into a hashmap
					Map<String, String> headerValues = parseHeader(authHeader);
					String method = req.getMethod();
					String ha1 = md5Hex(userName + ":" + realm + ":" + password);
					String ha2;
					String qop = headerValues.get("qop");
					String reqURI = headerValues.get("uri");

					if (!isBlank(qop) && qop.equals("auth-int")) 
						String entityBodyMd5 = md5Hex(requestBody);
						ha2 = md5Hex(method + ":" + reqURI + ":" + entityBodyMd5);
					 else
						ha2 = md5Hex(method + ":" + reqURI);

					String serverResponse;

					if (isBlank(qop))
						serverResponse = md5Hex(ha1 + ":" + nonce + ":" + ha2);
					else 
//						String domain = headerValues.get("realm");
						String nonceCount = headerValues.get("nc");
						String clientNonce = headerValues.get("cnonce");

						serverResponse = md5Hex(ha1 + ":" + nonce + ":" + nonceCount + ":" + clientNonce + ":" + qop + ":" + ha2);
					

					String clientResponse = headerValues.get("response");

					if (!serverResponse.equals(clientResponse)) 
						resp.addHeader("WWW-Authenticate", getAuthenticateHeader());
						resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
					
				 else
					resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, " This Servlet only supports Digest Authorization");
			

			out.println("<head>");
			out.println("<title>Servlet HttpDigestAuth</title>");
			out.println("</head>");
			out.println("<body>");
			out.println("<h1>已通过 HttpDigestAuth 认证 at" + req.getContextPath() + "</h1>");
			out.println("</body>");
			out.println("</html>");
		 catch (IOException e) 
			e.printStackTrace();
		
	

	private static String md5Hex(String string) 
		return DigestUtils.md5Hex(string);

//		try 
//			MessageDigest md = MessageDigest.getInstance("MD5");
//			md.update(password.getBytes());
//			byte[] digest = md.digest();
//
//			return DatatypeConverter.printHexBinary(digest).toUpperCase();
//		 catch (NoSuchAlgorithmException e) 
//			e.printStackTrace();
//		

//		return null;
	

	/**
	* Handles the HTTP
	* <code>GET</code> method.
	*
	* @param request servlet request
	* @param response servlet response
	* @throws ServletException if a servlet-specific error occurs
	* @throws IOException if an I/O error occurs
	*/
	@Override
	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException 
		authenticate(request, response);
	

	/**
	 * Handles the HTTP
	 * <code>POST</code> method.
	 *
	 * @param request servlet request
	 * @param response servlet response
	 * @throws ServletException if a servlet-specific error occurs
	 * @throws IOException if an I/O error occurs
	 */
	@Override
	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException 
		authenticate(request, response);
	

	/**
	* Returns a short description of the servlet.
	*
	* @return a String containing servlet description
	*/
	@Override
	public String getServletInfo() 
		return "This Servlet Implements The HTTP Digest Auth as per RFC2617";
	

	/**
	 * 解析 Authorization 头,将其转换为一个 Map
	 * Gets the Authorization header string minus the "AuthType" and returns a
	 * hashMap of keys and values
	 *
	 * @param header
	 * @return
	 */
	private static Map<String, String> parseHeader(String header) 
		// seperte out the part of the string which tells you which Auth scheme is it
		String headerWithoutScheme = header.substring(header.indexOf(" ") + 1).trim();
		String keyValue[] = headerWithoutScheme.split(",");
		Map<String, String> values = new HashMap<>();

		for (String keyval : keyValue) 
			if (keyval.contains("=")) 
				String key = keyval.substring(0, keyval.indexOf("="));
				String value = keyval.substring(keyval.indexOf("=") + 1);
				values.put(key.trim(), value.replaceAll("\\"", "").trim());
			
		

		return values;
	

	/**
	 * 生成认证的 HTTP 头
	 * 
	 * @return
	 */
	private String getAuthenticateHeader() 
		String header = "";

		header += "Digest realm=\\"" + realm + "\\",";
		if (!isBlank(authMethod))
			header += "qop=" + authMethod + ",";

		header += "nonce=\\"" + nonce + "\\",";
		header += "opaque=\\"" + getOpaque(realm, nonce) + "\\"";

		return header;
	

	private boolean isBlank(String str) 
		return str == null || "".equals(str);
	

	/**
	 * 根据时间和随机数生成 nonce
	 * 
	 * Calculate the nonce based on current time-stamp upto the second, and a random seed
	 *
	 * @return
	 */
	public String calculateNonce() 
		Date d = new Date();
		String fmtDate = new SimpleDateFormat("yyyy:MM:dd:hh:mm:ss").format(d);
		Integer randomInt = new Random(100000).nextInt();

		return md5Hex(fmtDate + randomInt.toString());
	

	/**
	 * 域名跟 nonce 的 md5 = Opaque
	 * 
	 * @param domain
	 * @param nonce
	 * @return
	 */
	private static String getOpaque(String domain, String nonce) 
		return md5Hex(domain + nonce);
	

	/**
	 * 返回请求体
	 * 
	 * Returns the request body as String
	 *
	 * @param request
	 * @return
	 */
	private String readRequestBody(HttpServletRequest request) 
		StringBuilder sb = new StringBuilder();

		try (InputStream inputStream = request.getInputStream();) 
			if (inputStream != null) 
				try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));) 
					char[] charBuffer = new char[128];
					int bytesRead = -1;
					while ((bytesRead = bufferedReader.read(charBuffer)) > 0) 
						sb.append(charBuffer, 0, bytesRead);
					
				
			 else
				sb.append("");
		 catch (IOException e) 
			e.printStackTrace();
		

		return sb.toString();
	

注意 MD5 部分依赖了这个:

<dependency>
	<groupId>commons-codec</groupId>
	<artifactId>commons-codec</artifactId>
	<version>1.14</version>
</dependency>

这是源自老外的代码,是一个标准 Servlet,但我觉得是 Filter 更合理,而且没有定义如何鉴权通过后的操作(当前只是显示一段文本),有时间的话我再改改。

封装一下

结合自己的库封装一下。

package com;

import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.util.DigestUtils;

import com.ajaxjs.util.SetTimeout;
import com.ajaxjs.util.io.StreamHelper;

/**
 * Servlet implementation class TestController
 */
@WebServlet("/bar")
public class TestController2 extends HttpServlet 
	/**
	 * 用户名,你可以改为你配置的
	 */
	private String userName = "usm";

	/**
	 * 密码,你可以改为你配置的
	 */
	private String password = "password";

	/**
	 * 
	 */
	private String authMethod = "auth";

	/**
	 * 
	 */
	private String realm = "example.com";

	public String nonce;

	private static final long serialVersionUID = 1L;

	/**
	 * 定时器,每分钟刷新 nonce
	 */
	public TestController2() 
		nonce = calculateNonce();

		SetTimeout.timeout(() -> 
//			log("刷新 Nonce....");
			nonce = calculateNonce();
		, 1, 1);
	

	protected void authenticate(HttpServletRequest req, HttpServletResponse resp) 
		resp.setContentType("text/html;charset=UTF-8");
		String authHeader = req.getHeader("Authorization");

		try (PrintWriter out = resp.getWriter();) 
			if (isBlank(authHeader)) 
				resp.addHeader("WWW-Authenticate", getAuthenticateHeader());
				resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
			 else 
				if (authHeader.startsWith("Digest")) 
					// parse the values of the Authentication header into a hashmap
					Map<String, String> headerValues = parseHeader(authHeader);
					String method = req.getMethod();
					String ha1 = md5Hex(userName + ":" + realm + ":" + password);
					String ha2;
					String qop = headerValues.get("qop");
					String reqURI = headerValues.get("uri");

					if (!isBlank(qop) &&am

以上是关于HTTP Digest Authentication 使用心得的主要内容,如果未能解决你的问题,请参考以下文章

http协议之digest(摘要)认证,详细讲解并附Java SpringBoot源码

Symfony http_digest 键是啥?

android中的Restlet HTTP_DIGEST授权

使用 net-http-digest_auth 的未知算法 MD5

http 登录Digest认证相关知识

在 authenticate_or_request_with_http_digest 中获取密码