检查HTTP 的 Basic认证. since http1.0
代码如下所示:
<%@ page pageEncoding="UTF-8" contentType="text/html;charset=UTF-8" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.nio.charset.StandardCharsets" %>
<%@ page import="java.security.MessageDigest" %>
<%@ page import="java.util.Base64" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%!
// 检查HTTP 的 Basic认证. since http1.0
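/**
 * Validates the HTTP Basic credentials (RFC 7617) carried by {@code request}.
 *
 * The browser repeats the {@code Authorization} header on every request after the
 * first challenge, so this runs per request. Basic only base64-encodes the
 * password, so pages using it must be served over TLS.
 *
 * @param request the current request; its {@code Authorization} header is read
 * @param id      the expected user id (compared case-insensitively, as before)
 * @param pwd     the expected password (compared exactly and in constant time)
 * @return {@code true} only when the header is a well-formed Basic credential whose
 *         user id and password match; {@code false} for a missing, malformed or
 *         non-Basic header, or a mismatch — the caller then sends the 401 challenge
 *         (see {@code requireAuth})
 */
public static boolean checkAuth(HttpServletRequest request, String id, String pwd){
    if (null == request || null == id || null == pwd) {
        return false;
    }
    String authorization = request.getHeader("Authorization");
    if (null == authorization || authorization.trim().isEmpty()) {
        // no credentials at all: caller must challenge with 401
        return false;
    }
    String[] parts = authorization.trim().split("\\s+");
    if (2 != parts.length) {
        return false;
    }
    // The scheme name is case-insensitive (RFC 7235). The previous version stored it
    // but never checked it, so any "<scheme> <base64>" header was accepted as Basic.
    if (!"Basic".equalsIgnoreCase(parts[0])) {
        return false;
    }
    byte[] decoded;
    try {
        // java.util.Base64 replaces the JDK-internal sun.misc.BASE64Decoder, which is
        // not available on Java 9+.
        decoded = Base64.getDecoder().decode(parts[1]);
    } catch (IllegalArgumentException e) {
        // Malformed base64 is simply a failed authentication; nothing is logged so the
        // (possibly partial) credential never reaches the server log.
        return false;
    }
    String idpass = new String(decoded, StandardCharsets.UTF_8);
    // user-id ":" password — split at the FIRST colon only; RFC 7617 forbids a colon in
    // the user id but allows any number of them in the password. split(":") with a
    // length==2 check rejected every such password.
    int sep = idpass.indexOf(':');
    if (sep < 0) {
        return false;
    }
    String suppliedId = idpass.substring(0, sep);
    String suppliedPwd = idpass.substring(sep + 1);
    // The password is compared exactly: the previous equalsIgnoreCase accepted every
    // case variant of the real password. The id keeps the case-insensitive match so
    // existing callers are unaffected.
    return id.equalsIgnoreCase(suppliedId) && constantTimeEquals(pwd, suppliedPwd);
}

/**
 * Compares two strings without an early exit on the first differing byte, so the
 * response time does not reveal how long a matching prefix the supplied value had.
 *
 * @param expected the configured secret
 * @param supplied the value taken from the request
 * @return {@code true} if both encode to the same UTF-8 bytes
 */
private static boolean constantTimeEquals(String expected, String supplied) {
    return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            supplied.getBytes(StandardCharsets.UTF_8));
}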
// 不依赖 this 状态的方法,其实都应该设置为 static
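/**
 * Sends the Basic authentication challenge: status 401 plus a
 * {@code WWW-Authenticate: Basic realm="..."} header, which makes the browser
 * prompt for credentials.
 *
 * @param response the response to write the challenge to
 * @param msg      the realm shown to the user; {@code null} is treated as empty
 */
public static void requireAuth(HttpServletResponse response, String msg){
    // Status is set with setStatus, not sendError: sendError commits the container's
    // error page and the challenge response could no longer be controlled here.
    // setStatus(int, String) is deprecated; the reason phrase is not sent by HTTP/2 anyway.
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    // realm is a quoted-string (RFC 7617). The previous header was emitted unquoted,
    // which is malformed as soon as the realm contains a space or a comma; embedded
    // quotes and backslashes are escaped so the value cannot break out of the quoting.
    // NOTE(review): non-ASCII realm text (the caller passes Chinese) is not portable
    // across containers — confirm with the target servlet container.
    String realm = (null == msg ? "" : msg)
            .replace("\\", "\\\\")
            .replace("\"", "\\\"");
    response.addHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
}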
%>
<%
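// Demo credentials, hard-coded for this example only. A real deployment reads them
// from configuration or a credential store, and serves the page over TLS: Basic
// auth carries the password in the Authorization header with only base64 encoding.
// (The previous unused local that re-read the Authorization header is dropped;
// checkAuth reads the header itself.)
String userid = "admin";
String pwd = "11111111";
boolean authOK = checkAuth(request, userid, pwd);
//
if (!authOK) {
    // Not authenticated: send the 401 challenge and stop rendering the page so
    // nothing below is disclosed to an unauthenticated client.
    requireAuth(response, "R U OK,小米");
    return;
}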
%>
<html>
<head>
<title>R U OK?</title>
</head>
<body>
R U OK? <%=userid %>. Your Password is <%="********"%>
</body>
</html>
请参考代码中的注释,具体信息,还可以参考《图解HTTP》。我看着这本书中的HTTP-Basic认证手痒,就写了这么一个demo代码。