Digest authentication in Android using HttpURLConnection

Problem description

As the question already says, I am trying to do digest authentication in Android.
Until now I have used the DefaultHttpClient and its authentication method (using UsernamePasswordCredentials and so on), but it is deprecated since Android 5 and will be removed in Android 6.
So I am about to switch from DefaultHttpClient to HttpUrlConnection.
Now I am trying to achieve digest authentication, which should work pretty simple as explained here:

Authenticator.setDefault(new Authenticator() {
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication(username, password);
    }
});

But getPasswordAuthentication never gets called for some reason.
During my search for this problem I found different posts saying digest authentication is not supported by the HttpUrlConnection in Android, but those posts are from 2010-2012, so I am not sure if this is still true. Also, we are using HttpUrlConnection with digest authentication in our desktop Java application, where it does work.

I also found some posts talking about OkHttp. OkHttp seems to be used by Android under the hood (to be more specific, the HttpUrlConnectionImpl). But this HttpUrlConnectionImpl is a bit strange: it is not even shown in the Eclipse type hierarchy and I am not able to debug it. Also, it should be a com.squareup.okhttp.internal.huc.HttpUrlConnectionImpl, while in Android it is a com.android.okhttp.internal.http.HttpUrlConnectionImpl.

So I am just not able to do digest authentication with this HttpUrlConnection in Android.
Can anyone tell me how to do that without external libraries?

Edit:

The server asks for digest authentication:

WWW-Authenticate: Digest realm="Realm Name",domain="/domain",nonce="nonce",algorithm=MD5,qop="auth"

So Basic-Authentication shouldn't work, as the server is asking for digest.

Recommended answer

The answer is that HttpUrlConnection does not support digest.

You therefore have to implement RFC2617 by yourself.

You can use the following code as a baseline implementation: HTTP Digest Auth for Android.

The steps involve (see RFC2617 for reference):


  • 如果您收到401回复,请遍历所有 WWW-Authenticate 标题并解析它们:


    • 检查算法是MD5还是未定义,(可选择 auth qop选项),否则忽略挑战并转到下一个标题。

    • 使用 Authenticator.requestPasswordAuthentication 获取凭据。

    • 使用以下方法计算H(A1)用户名,领域和密码。

    • 存储规范的根URL,域,HA1,用户名,nonce(+可选算法,opaque和客户端选择的qop选项,如果存在)。

    • 重试请求。

    • If you get a 401 response, iterate over all WWW-Authenticate headers and parse them:
      • Check if algorithm is MD5 or undefined, (optionally select the auth qop option), otherwise ignore the challenge and go to the next header.
      • Get the credentials using Authenticator.requestPasswordAuthentication.
      • Calculate H(A1) using the username, realm and password.
      • Store the canonical root URL, realm, HA1, username, nonce (+ optionally algorithm, opaque and the client selected qop option if present).
      • Retry the request.

      • Calculate H(A2) using the request method and path.
      • Calculate H(A3) using HA1, nonce (+ optionally nc, cnonce, qop) and HA2.
      • Build and add the Authorization header to your HttpUrlConnection.

By using Authenticator, you can make sure that, as soon as HttpUrlConnection supports digest natively, your code is not being used anymore (because you won't receive the 401 in the first place).

This is just a quick summary on how to implement it, for you to get an idea.

If you want to go further you would probably like to implement SHA256 as well: RFC7616
