Web development notes and tips

 HttpAuthenticate:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
HTTP/1.1 401 Unauthorized
Server: Waveplus HTTPD
Date: Thu, 01 Jan 1970 01:55:52 GMT
WWW-Authenticate: Basic realm="DI-504"
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Connection: close

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY></BODY></HTML>


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW46NDQzMjMwMA==

 

JSP:

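<jsp:useBean id="base64" scope="page" class="Base64"/>
<%
// Base64 is the helper bean declared above; decode() returns the decoded string.
String auth = request.getHeader("Authorization");
if (auth == null || !auth.startsWith("Basic ")) {
    // No usable credentials yet: send the challenge
    response.setStatus(401);
    response.setHeader("WWW-Authenticate", "Basic realm=\"unixboy.com\"");
} else {
    String tmp = auth.substring(6);          // strip the "Basic " prefix
    String up = Base64.decode(tmp);          // decodes to "user:password"
    String user = "";
    String password = "";
    int sep = (up != null) ? up.indexOf(":") : -1;
    if (sep >= 0) {                          // skip malformed values without a colon
        user = up.substring(0, sep);
        password = up.substring(sep + 1);
    }
    if (user.equals("unixboy") && password.equals("123456")) {
        // authentication succeeded
    } else {
        // authentication failed
    }
}
%>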

See RFC 2617.


Web application configuration when two-way SSL is enabled

    <login-config>
    <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
    <!-- Authorization setting for SSL -->
        <web-resource-collection >
            <web-resource-name >SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Opening and downloading files:

Response.AddHeader("Content-Disposition", "inline; filename=\"test.xls\"");

Response.AddHeader("Content-Disposition", "attachment; filename=\"test.xls\"");

 

File download over HTTPS:

response.setHeader("Expires","0");
response.setHeader("Pragma","public");
response.setHeader("Cache-Control","must-revalidate, post-check=0, pre-check=0");
// addHeader, because a second setHeader would overwrite the Cache-Control value above
response.addHeader("Cache-Control","public");
response.setHeader("Content-Disposition", "attachment; filename=\"test.xls\"");

 

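Links:

Some sites use the Referer field of the HTTP header for hotlink protection, which causes logins from some applications to fail, for example http://reg.163.com/login.jsp
 Workarounds:
 1 Use an HTTPS page; when an HTTPS page links to an HTTP page, no Referer is sent
 2 Use location.href= "<%=urlGet%>";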
