
Congratulations FPX, the new king; LPL, we are the champions!

The original link: segmentfault.com/a/119000002…

HttpBasic mode application scenarios

The HttpBasic login authentication mode is the simplest, if not the most rudimentary, way Spring Security implements login authentication. Its purpose is not to guarantee the absolute security of login authentication, but to provide a kind of login authentication that keeps out the honest but not the determined.

It is like the diary I kept as a kid: I always bought the kind with a little lock. What was the little lock for? Anyone who really wanted to read it could pry it open with a nail. But the day your parents want to peek at your diary, they pick it up, see the lock, and think better of it, rather than risk the awkwardness of being caught.

An example of login authentication using HttpBasic: while working as a department manager at a company, I developed a set of HTTP interfaces for counting efficiency, sharing knowledge, generating code and exporting reports. Purely for efficiency, and a little selfishly, I added HttpBasic authentication to this set of interfaces because there were competing departments. Given an hour or two at most, any technician in the company could have got past this check. To put it bluntly, the tool's data is not that important; the purpose of adding the lock was to keep it from becoming public data. If someone really wants to see the data, that is fine. This is a typical application scenario for the HttpBasic mode.

Spring Boot 2.0 integration with Spring Security

In Spring Boot 2.x, add the Spring Security starter to the Maven coordinates:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

HttpBasic login authentication mode

If you are using Spring Boot 1.x (which depends on Spring Security 4.x), no configuration is required: HttpBasic is the default authentication mode, and the browser's login prompt pops up as soon as you start the project and access it.

We are now using Spring Boot 2.0 (which depends on Spring Security 5.x), and HttpBasic is no longer the default authentication mode: in Spring Security 5.x the default is form login. So if we want Basic mode, we have to configure it ourselves. The security.basic.enabled property is also deprecated, so the switch has to be made in code.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()        // enable HTTP Basic authentication
            .and()
            .authorizeRequests()
            .anyRequest()
            .authenticated();   // every request requires login authentication
    }
}

Start the project. Among the logs printed at startup is a line like the following; the string after the colon is the generated default password.

Using generated security password: 0cc59a43-c2e7-4c21-a38c-0df8d1a6d624

The default user name is user. (The login box that appears is not something we developed; it is the browser's built-in prompt for HTTP Basic.) To replace the generated credentials with your own user name and password, configure them in application.yml:

spring:
    security:
      user:
        name: admin
        password: admin

HttpBasic mode principle description

  • First, the HttpBasic mode requires that the transmitted user name and password be Base64-encoded (this is encoding, not encryption). If the user name is "admin" and the password is "admin", the string "admin:admin" is encoded with Base64, and the result is YWRtaW46YWRtaW4=.
  • Then, the client sends an Authorization header in the HTTP request with the value "Basic YWRtaW46YWRtaW4=" (note the form: Basic, a space, then the encoded string).
  • When the server receives such a request, it reaches the BasicAuthenticationFilter, which extracts the value of the Authorization header, Base64-decodes it and uses the result to verify the user's identity.
  • The decoded result is matched against the user name and password configured for login. If the match succeeds, the request continues through the remaining filters.

So HttpBasic is a very simple and crude authentication mode: Base64 encoding is reversible, and anyone who understands the steps above can recover the credentials in minutes. We can use the Postman tool to send HTTP requests with this header and test the login authentication.
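The exchange described above, traced end to end in Python as an added example (not code from the original article or from Spring Security itself): the client builds the Authorization header, the server parses it the way BasicAuthenticationFilter does, and the plaintext credentials fall out of a single Base64 decode. The USERS store and the function names are assumptions made for this example.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example (the article's admin/admin user).
# A real deployment stores password hashes; plaintext here only mirrors the article.
USERS = {"admin": "admin"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: 'user:pass' Base64-encoded (encoded, not encrypted) after 'Basic '."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Server side, as BasicAuthenticationFilter does: (username, password) or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:      # scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):    # malformed token: reject, don't guess
        return None
    # Split on the FIRST colon only: user names cannot contain ':', passwords can.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate(header: str) -> bool:
    """Decode the header and compare with the store in constant time."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    header = build_basic_header("admin", "admin")
    print(header)                      # Basic YWRtaW46YWRtaW4=
    print(parse_basic_header(header))  # ('admin', 'admin'): recovered with one decode
    print(authenticate(header))        # True
```

Because the header is only encoded, the decode step is all an observer on the network path needs; that is why Basic is only acceptable over TLS, and why the article treats it as a lock against the honest rather than real protection.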
