References - About the WWW-Authenticate and Authorization headers
http://www.tohoho-web.com/ex/http.htm#WWW-Authenticate
http://www.tohoho-web.com/ex/http.htm#Authorization - Basic Authenticator sample written in Java
http://www.katch.ne.jp/~h-inoue/tips/javaservlet/0001.html - About Digest Authentication (Japanese)
https://www.codeblog.org/blog/inoue/20060227.html
http://shain.tomocreative.net/2007/03/phpdigest.html(for PHP) - MD5, Base64 useful Library
ostermiller utility, http://ostermiller.org/
Customization Example
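/*
Created by Tatsuya Anno
Sample implementation of HTTP Basic authentication in a Java servlet, done by hand.

Security notes (review):
 - Basic sends the credentials base64-encoded, NOT encrypted. Only use it over TLS.
 - The user name and password below are hard-coded for demonstration only. Real code
   must look the account up and verify a salted password hash (bcrypt/scrypt/argon2),
   never compare against a plaintext constant.
 - Every rejection path must send 401 together with the WWW-Authenticate challenge,
   otherwise the client never learns that credentials are required.
*/
String authorizationMethod="Basic";
//RFC 7617 lets the server advertise the charset it decodes the credentials with;
//it must match the charset used below when turning the decoded bytes into a String.
String wwwAuthenticateValue="BASIC realm=\"Basic Auth Test\", charset=\"UTF-8\"";
//Authorization header format: "Basic <base64([Username]:[Password])>".
//Sample value: "Basic YW50YXRzdTp0ZXN".
String authorization=request.getHeader("Authorization");
if(authorization==null||authorization.length()==0){
//No Authorization header at all: challenge the client.
response.setHeader("WWW-Authenticate",wwwAuthenticateValue);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
//The auth-scheme token is case-insensitive (RFC 7235): "basic"/"BASIC" are valid too.
//The length check also protects substring() below from a header that is only "Basic"
//(the original would have thrown StringIndexOutOfBoundsException -> HTTP 500).
String schemePrefix=authorizationMethod+" ";
if(authorization.length()<=schemePrefix.length()
||!authorization.regionMatches(true,0,schemePrefix,0,schemePrefix.length())){
//Unexpected scheme (e.g. Bearer/Digest). The original set the challenge header but
//never set the status, so the response went out as 200; a 401 is required here.
response.setHeader("WWW-Authenticate",wwwAuthenticateValue);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
//Strip the scheme and any surrounding whitespace before base64-decoding.
String encodedHeader=authorization.substring(schemePrefix.length()).trim();
//Decode with the Ostermiller utility (sun.misc.BASE64Decoder is not a public API).
//java.util.Base64 (Java 8+) can replace this third-party dependency.
byte[] decodedBytes;
try{
decodedBytes=com.Ostermiller.util.Base64.decodeToBytes(encodedHeader);
}catch(IllegalArgumentException e){
//NOTE(review): confirm how decodeToBytes reports malformed input (null or exception).
//Either way a garbage header is a client error (401), never a 500.
decodedBytes=null;
}
if(decodedBytes==null){
response.setHeader("WWW-Authenticate",wwwAuthenticateValue);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
//Always decode with an explicit charset; new String(byte[]) uses the platform default,
//which makes non-ASCII passwords behave differently from one server to the next.
java.nio.charset.Charset credentialCharset=java.nio.charset.Charset.forName("UTF-8");
String decodedAuthHeader=new String(decodedBytes,credentialCharset);
if(decodedAuthHeader.length()==0){
response.setHeader("WWW-Authenticate",wwwAuthenticateValue);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
//RFC 7617: the user-id may not contain ':' but the password may, so split on the
//FIRST colon only. String.split(":") would truncate a password such as "a:b".
int separator=decodedAuthHeader.indexOf(':');
if(separator<=0){
//No separator, or an empty user name: malformed credentials.
response.setHeader("WWW-Authenticate",wwwAuthenticateValue);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
//authTokens[0] = user name, authTokens[1] = password (may be empty, may contain ':').
String[] authTokens=new String[]{
decodedAuthHeader.substring(0,separator),
decodedAuthHeader.substring(separator+1)
};
//Check the credentials. Sample logic only: a real application verifies a password hash.
boolean userMatches=authTokens[0].equalsIgnoreCase("auth_test");
//Constant-time comparison so response timing does not reveal how many password
//bytes matched; String.equals() bails out at the first differing character.
boolean passwordMatches=java.security.MessageDigest.isEqual(
authTokens[1].getBytes(credentialCharset),
"12345".getBytes(credentialCharset));
//Non-short-circuit '&' so both checks always run regardless of the user name result.
if(!(userMatches&passwordMatches))
{
response.setHeader("WWW-Authenticate",wwwAuthenticateValue);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
//end of manual basic authorization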