
Authentication in JavaWeb applications (programmatic) - implementing BASIC authentication

Before reading this, please see the earlier article: Authentication in JavaWeb applications (declarative) - identity authentication based on


Declarative security brings many benefits to developers: the developer does not have to add any security code to a JSP or servlet, because the container takes sole responsibility for it. That convenience has a price, however. It requires a server-specific component, the way usernames, passwords and roles are configured is not standardized, and the result is not easy to port to other servers. So sometimes we need programmatic security: implementing the username/password mechanism ourselves for just a servlet or JSP page, independent of the container.

In the doGet method of the servlet for the protected page, do the following:

(1) Check whether the request carries an Authorization header; if it does not, skip to step (5).

String authorization = request.getHeader("Authorization");
if (authorization == null) {
    askForPassword(response); // see step (5): 401 plus WWW-Authenticate challenge
    return;
}

(2) Get the Base64-encoded user name and password string (header format: Authorization: Basic encodedData); the data is encoded, not encrypted.

String userInfo = authorization.substring(6).trim(); // strip the "Basic " prefix

(3) Base64-decode the user name/password string and split it at the colon:

import sun.misc.BASE64Decoder; // non-public API, removed in Java 9; java.util.Base64 is the standard replacement

BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword = new String(decoder.decodeBuffer(userInfo)); // decodeBuffer throws IOException on bad input
int index = nameAndPassword.indexOf(":");
if (index < 0) {
    askForPassword(response); // malformed credentials: no "user:password" separator
    return;
}
String user = nameAndPassword.substring(0, index);
String password = nameAndPassword.substring(index + 1);

(4) Validate the user name and password, for example by looking them up in the database.

(5) If authentication fails (or no credentials were sent), return a specific response to the client: status 401 together with a WWW-Authenticate challenge naming the realm.

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // HTTP 401
response.setHeader("WWW-Authenticate", "Basic realm=\"Insider-Trading\"");
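The five steps above, assembled into one complete servlet. This is an added example, not code from the original article: the class name BasicAuthServlet, the in-memory user map standing in for the database lookup of step (4), and the use of java.util.Base64 (Java 8+) and the javax.servlet API are assumptions made here. Compared with the fragments above it also rejects non-Basic schemes before cutting off the prefix, treats malformed tokens as failed logins, and compares passwords in constant time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Programmatic HTTP Basic authentication, independent of container-managed
 * security. Hypothetical example class; the user store is a constructed
 * in-memory map standing in for the database query of step (4).
 */
public class BasicAuthServlet extends HttpServlet {

    private static final String REALM = "Insider-Trading";

    // Constructed sample user store. A real deployment would query a database
    // and store salted password hashes rather than plaintext.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Step (1): no Authorization header means the client has not tried yet.
        String authorization = request.getHeader("Authorization");
        if (authorization == null) {
            askForPassword(response);
            return;
        }

        // Step (2): the header must look like "Basic <base64>". Check the
        // scheme explicitly instead of blindly cutting off six characters.
        if (authorization.length() < 6
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            askForPassword(response);
            return;
        }
        String userInfo = authorization.substring(6).trim();

        // Step (3): Base64-decode and split at the first colon. Bad Base64 or a
        // missing colon is treated exactly like a failed login.
        String user;
        String password;
        try {
            byte[] decoded = Base64.getDecoder().decode(userInfo);
            String nameAndPassword = new String(decoded, StandardCharsets.UTF_8);
            int index = nameAndPassword.indexOf(':');
            if (index < 0) {
                askForPassword(response);
                return;
            }
            user = nameAndPassword.substring(0, index);
            password = nameAndPassword.substring(index + 1);
        } catch (IllegalArgumentException e) {
            askForPassword(response);
            return;
        }

        // Step (4): validate against the user store.
        if (!credentialsValid(user, password)) {
            // Step (5): failed authentication -> 401 with a fresh challenge.
            askForPassword(response);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("Welcome, " + user);
    }

    /** Step (4): lookup plus constant-time comparison to avoid timing leaks. */
    static boolean credentialsValid(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    /** Step (5): HTTP 401 plus the WWW-Authenticate challenge for this realm. */
    static void askForPassword(HttpServletResponse response) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
    }
}
```

Because Basic authentication only Base64-encodes the credentials, the servlet should be reachable over HTTPS only; otherwise every request carries the username and password in a trivially reversible form. Unknown users and wrong passwords deliberately take the same path so the response does not reveal which of the two was wrong.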