Http安全之基本访问认证

HTTP安全方面的进化史:
Basic Access Authorization;
Digest Access Authoriazation;
SSL
TLS


1、firefox 没携带“用户名+密码”去访问www.jxceo.com        服务器返回: 401    Unauthorized



 
2、firefox 在包头的可选字段Authorization携带“用户名+密码”再次访问www.jxceo.com,但是用户名和密码不对,服务器返回: 401    Unauthorized
(包头的Authorization字段是个可选字段,如果服务端的资源不需要进行认证,则服务端不会去看有没有Authorization信息;如果服务端的资源需要进行认证,则服务端会看该字段,如果该字段没填或填错了,服务端都会返回401 Unauthorized,表示为通过认证。)



 
(思考一个问题:这里的用户名和密码不是明文的方式传递的,那是什么呢? 一种可能是单向加密算法,然后服务端拿正确的用户名和密码也进行单向加密,然后比对两密文。这种方式有两问题,一个是明文到密文的映射关系不一定是一一映射,也就是说两个不同的明文可能被映射到同一个密文/明文碰撞/;另一个情况是黑客并不需要知道明文是什么,只需要捕获到密文。        另一种可能是可逆的加密,比如Base64,那么这种手段对于专业级黑客来讲跟明文毫无区别,只能拦住一些普通用户。因为Base64算法是公开的,而且算法是可逆的。
结论:进行Base64并不是出于安全因素考虑。)


3、wikipedia对Http Basic Auth的解释    (访问权限控制)
http://en.wikipedia.org/wiki/Basic_access_authentication

In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.
(如果服务端的某个url资源被设置成了需要进行Basic Access Auth,那么客户端在进行请求的时,被要求在包头可选字段Authorization携带用户名和密码信息,以便服务端进行验证。)

Before transmission, the username and password are encoded as a sequence of base-64 characters.
(携带的“用户名和密码”信息,在传输前,被进行了Base64编码。也就是用户名和密码不是以明文的形式传输,而是进行了Base64编码。)

For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly".
(客户端进行Base64后,服务端接收到后需要解码,都很快,花不了多少代价。)

package com.eyesmore.art;

import org.apache.commons.codec.binary.Base64;

public class Base64Demo {

	public static void main(String[] args) {

		String userName = "Aladdin";
		String password = "open sesame";
		String authCombination = userName + ":" + password;
		String authBase64 = new String(Base64.encodeBase64(authCombination.getBytes()));
		System.out.println("authCombination = "+authCombination);
		System.out.println("authBase64 = "+authBase64);
		String authRecovery = new String(Base64.decodeBase64(authBase64.getBytes()));
		System.out.println("authRecovery = "+authRecovery);
	}

}
 



Wrongly, people believe that this base-64 encoding is done because of security, to prevent it from being read directly by a person. Encoding is done, instead, to avoid breaking the HTTP protocol data encoding because of bizarre (and more secure) passwords containing special HTTP characters, such as newlines.
(值得纠正的一点是:人们常常误认为之所以进行Base64编码的原因是出于安全因素的考虑,其实是为了防止密码中含有怪异的字符,这些字符和http的协议保留字符冲突,比如换行。)

The basic access authentication was originally defined by RFC 1945 (Hypertext Transfer Protocol – HTTP/1.0) although further information regarding security issues may be found in RFC 2616 (Hypertext Transfer Protocol – HTTP/1.1) and RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication).

4、

你可能感兴趣的:(apache,算法,Security,Access,firefox)