问题描述
我正在尝试在 Java 中使用 SHA-256 算法实现基于摘要式身份验证的登录,但没有得到太多帮助。我可以使用 POSTMAN 登录并获取 HTTP 状态代码 200,但不确定 POSTMAN 是如何使用 SHA-256 的,Postman 请求配置快照和下面的我的实现,这会引发 SSLHandshakeException。
这是我的代码,我使用它导致握手失败:
import java.util.Arrays;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.http.*;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.*;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.DigestScheme;
import org.apache.http.impl.client.*;
import junit.framework.Assert;
public class DigestTest {
private static final String URL = "https://10.0.1.190/API/Web/Login";
private static final String USER = "admin";
private static final String PASSWORD = "testing123456";
public static void main(String[] args) throws Exception {
new Digesttest().run();
}
public void run() throws Exception {
System.setProperty("https.protocols","TLSv1.2,TLSv1.1,SSLv3");
HttpPost httpPost = new HttpPost(URL);
HttpHost target
= new HttpHost(httpPost.getURI().getHost(),443,"https");
CredentialsProvider credsProvider = new BasicCredentialsProvider();
UsernamePasswordCredentials credentials
= new UsernamePasswordCredentials(USER,PASSWORD);
credsProvider.setCredentials(
new AuthScope(target.getHostName(),target.getPort()),credentials);
CookieStore cookieStore = new BasicCookieStore();
CloseableHttpClient httpclient
= HttpClients.custom().setDefaultCookieStore(cookieStore)
.setDefaultCredentialsProvider(credsProvider).build();
try {
DigestScheme digestAuth = new DigestScheme();
digestAuth.overrideParamter("qop","auth");
digestAuth.overrideParamter("nc","0");
digestAuth.overrideParamter("cnonce",DigestScheme.createCnonce());
digestAuth.overrideParamter("algorithm","SHA-256");
AuthCache authCache = new BasicAuthCache();
authCache.put(target,digestAuth);
HttpClientContext localContext = HttpClientContext.create();
localContext.setAuthCache(authCache);
CloseableHttpResponse response;
response = httpclient.execute(target,httpPost,localContext);
Map<String,String> wwwAuth = Arrays
.stream(response.getHeaders("WWW-Authenticate")[0]
.getElements())
.collect(Collectors.toMap(HeaderElement::getName,HeaderElement::getValue));
// the first call ALWAYS fails with a 401
// Assert.assertEquals(response.getStatusLine().getStatusCode(),401);
digestAuth.overrideParamter("opaque",wwwAuth.get("opaque"));
digestAuth.overrideParamter("nonce",wwwAuth.get("nonce"));
digestAuth.overrideParamter("realm",wwwAuth.get("Digest realm"));
Header authenticate = digestAuth.authenticate(credentials,localContext);
httpPost.addHeader(authenticate);
response = httpclient.execute(target,localContext);
// the 2nd call is the real deal
// Assert.assertEquals(response.getStatusLine().getStatusCode(),200);
//System.out.println(IoUtils
// .toString(response.getEntity().getContent(),"utf-8"));
System.out.println(response.getEntity().getContent().toString());
} catch(Exception e){
System.out.println("Exception : \n"+e);
} finally {
httpclient.close();
}
}
}
我收到以下异常:
异常: javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure
解决方法
在邮递员中,您可以将您的请求导出为代码片段(请参阅https://learning.postman.com/docs/sending-requests/generate-code-snippets/ 操作方法)。
在您的情况下,使用 OkHttp
客户端的 java 代码段将是:
OkHttpClient client = new OkHttpClient().newBuilder()
.build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = RequestBody.create(mediaType,"{}");
Request request = new Request.Builder()
.url("https://test.it/uri")
.method("POST",body)
.addHeader("Authorization","Digest username=\"username\",realm=\"test\",nonce=\"nonce\",uri=\"/uri\",algorithm=\"SHA-256\",response=\"6d46e1187d1e79c88241d4ae0e57eda1cd572dfb027ce9eded02aea499f15695\""
)
.addHeader("Content-Type","text/plain")
.build();
Response response = client.newCall(request).execute();
(请注意,您需要将 username
、realm
、nonce
和 uri
替换为您的实际值。)。 >
要计算 response
值,您可以在 https://en.wikipedia.org/wiki/Digest_access_authentication 中查看公式(用于 MD5)。
在上面的代码中,使用 SHA256 而不是 MD5 的计算如下:
HA1 = SHA256(username:realm:password) = SHA256(username:test:password) = 338c3ad443d25c378fdcdb90df9f81d42161278b8f1f03276a2d14f0803165f2
HA2 = SHA256(method:digestURI) = SHA256(POST:/uri) = fc51c21830fc2b6ffe97afe3290df89e7c2b1e287d6e373ad4282ce7fe912650
response = SHA256(HA1:nonce:HA2) = SHA256(338c3ad443d25c378fdcdb90df9f81d42161278b8f1f03276a2d14f0803165f2:nonce:fc51c21830fc2b6ffe97afe3290df89e7c2b1e287d6e373ad4282ce7fe912650)
= 6d46e1187d1e79c88241d4ae0e57eda1cd572dfb027ce9eded02aea499f15695