使用 Java 和 Apache 客户端进行摘要式身份验证：始终 401 Unauthorized答案

【问题标题】：Digest auth with Java & Apache client : Always 401 Unauthorized使用 Java 和 Apache 客户端进行摘要式身份验证：始终 401 Unauthorized
【发布时间】：2015-02-02 04:53:22
【问题描述】：

我正在尝试使用 HTTP 客户端实现摘要身份验证，但这目前不起作用。

有人可以检查此代码是否正确吗？出于测试目的，我使用http://httpbin.org/，但我得到的只是HTTP/1.1 401 Unauthorized。

示例代码如下：

private static void doDigestAuth() throws ClientProtocolException,
    IOException,
    AuthenticationException,
    MalformedChallengeException
{

    HttpHost target = new HttpHost("httpbin.org", 80, "http");
    CredentialsProvider credsProvider = new BasicCredentialsProvider();
    credsProvider.setCredentials(new AuthScope(target.getHostName(), target.getPort()), new UsernamePasswordCredentials(
        "user", "passwd"));
    CloseableHttpClient httpclient = HttpClients.custom().setDefaultCredentialsProvider(credsProvider).build();
    try {

        HttpGet httpget = new HttpGet("http://httpbin.org/digest-auth/auth/user/passwd");

        // Create AuthCache instance
        AuthCache authCache = new BasicAuthCache();
        // Generate DIGEST scheme object, initialize it and add it to the local
        // auth cache
        DigestScheme digestAuth = new DigestScheme();

        // Suppose we already know the realm name
        digestAuth.overrideParamter("realm", "me@kennethreitz.com");
        // // Suppose we already know the expected nonce value
        // digestAuth.overrideParamter("nonce", Long.toString(new SecureRandom().nextLong(), 36));
        // qop-value = "auth" | "auth-int" | token
        digestAuth.overrideParamter("qop", "auth");
        authCache.put(target, digestAuth);

        // Add AuthCache to the execution context
        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credsProvider);
        // context.setAuthSchemeRegistry(authRegistry);
        context.setAuthCache(authCache);

        System.out.println("Executing request " + httpget.getRequestLine() + " to target " + target);
        for (int i = 0; i < 3; i++) {
            CloseableHttpResponse response = httpclient.execute(httpget, context);
            try {
                System.out.println("----------------------------------------");
                System.out.println(response.getStatusLine());
                HttpEntity entity = response.getEntity();
                InputStream instream = entity.getContent();
                // Header contentCncoding = entity .getContentEncoding();
                String contentString = IOUtils.toString(instream, null);
                System.out.println("ContentString:" + contentString);
                AuthState proxyAuthState = context.getProxyAuthState();
                System.out.println("Proxy auth state: " + proxyAuthState.getState());
                System.out.println("Proxy auth scheme: " + proxyAuthState.getAuthScheme());
                System.out.println("Proxy auth credentials: " + proxyAuthState.getCredentials());
                AuthState targetAuthState = context.getTargetAuthState();
                System.out.println("Target auth state: " + targetAuthState.getState());
                System.out.println("Target auth scheme: " + targetAuthState.getAuthScheme());
                System.out.println("Target auth credentials: " + targetAuthState.getCredentials());
                EntityUtils.consume(response.getEntity());
            }
            finally {
                response.close();
            }
        }
    }
    finally {
        httpclient.close();
    }

}

【问题讨论】：

你能解决这个问题吗？
会不会是 httpbin 需要一个 cookie 而没有 cookie 设置它响应 401？
Apache HttpClient Digest authentication的可能重复

标签： java apache-httpclient-4.x digest-authentication

【解决方案1】：

正如@heapach 所建议的那样，这是一个 cookie 问题。连线日志（显示日志类别org.apache.http.wire 设置为调试）显示：
<< "Set-Cookie: fake=fake_value[\r][\n]"
但是 HttpClient 从来没有选择这个并且不在第二个 GET 请求中使用它，该请求包含带有摘要响应的完整“授权”标头。因此，服务器会忽略摘要响应。

在我更新示例代码后（也称为Preemptive DIGEST authentication example）使用如下所示的代码（从 HTTP 状态管理 tutorial 复制），服务器响应“200 OK”。

CookieStore cookieStore = new BasicCookieStore();
BasicClientCookie cookie = new BasicClientCookie("fake", "fake_value");
cookie.setDomain("httpbin.org");
cookie.setPath("/");
cookieStore.addCookie(cookie);
CloseableHttpClient httpclient = HttpClients.custom()
        .setDefaultCookieStore(cookieStore)
        .setDefaultCredentialsProvider(credsProvider)
        .build();

我还遇到了一个gist，其中包含一些计算“随机数”的代码所以你可以使用
digestAuth.overrideParamter("nonce", calculateNonce());
并且org.apache.http.impl.auth.HttpAuthenticator 不再显示错误消息“在挑战中缺少随机数”。

public static synchronized String calculateNonce() {

    Date d = new Date();
    SimpleDateFormat f = new SimpleDateFormat("yyyy:MM:dd:hh:mm:ss");
    String fmtDate = f.format(d);
    Random rand = new Random(100000);
    Integer randomInt = rand.nextInt();
    return org.apache.commons.codec.digest.DigestUtils.md5Hex(fmtDate + randomInt.toString());
}

【讨论】：

httpclient v4.5.3 和 v4.5.4 关于这个问题有一些变化。