Java HTTPS Server基本身份验证+ Cors

时间:2018-09-06 09:00:33

标签: java ssl cors httpserver

我正在尝试为不同的服务使用不同的http-Handler创建客户端/服务器工具。因为不是每个知道URL的人都应该能够触发服务,所以我想使用Basic Auth保护Handler。

我能够实施有效的基本身份验证(已通过邮递员测试),但是由于CORS的原因,我想通过我的网站访问它时,它会失败。我也能够处理CORS的Preflight,但仅当我停用基本身份验证时才可以。激活它后,似乎什至没有进入可以设置标头的处理程序。

这是我的示例代码:

服务器

package com.company;

import java.io.*;
import java.net.InetSocketAddress;
import java.lang.*;
import java.net.URL;
import com.sun.net.httpserver.HttpsServer;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import com.sun.net.httpserver.*;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URLConnection;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

import java.net.InetAddress;
import java.util.Arrays;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsExchange;

public class Main {

public static class MyHandler implements HttpHandler {
    @Override
    public void handle(HttpExchange t) throws IOException {
        String response = "This is the response";
        HttpsExchange httpsExchange = (HttpsExchange) t;

        httpsExchange.getResponseHeaders().add("Access-Control-Allow-Origin", "null");
        if (httpsExchange.getRequestMethod().equalsIgnoreCase("OPTIONS")) {
            System.out.println("in Option");
            httpsExchange.getResponseHeaders().add("Access-Control-Allow-Methods", "GET, OPTIONS");
            httpsExchange.getResponseHeaders().add("Access-Control-Allow-Headers", "Content-Type,Authorization");
            httpsExchange.sendResponseHeaders(204, -1);
            return;
        }
        httpsExchange.sendResponseHeaders(200, response.length());
        OutputStream os = httpsExchange.getResponseBody();
        os.write(response.getBytes());
        os.close();
    }
}

/**
 * @param args
 */
public static void main(String[] args) throws Exception {

    try {
        // setup the socket address
        InetSocketAddress address = new InetSocketAddress(8000);

        // initialise the HTTPS server
        HttpsServer httpsServer = HttpsServer.create(address, 0);
        SSLContext sslContext = SSLContext.getInstance("TLS");

        // initialise the keystore
        char[] password = "aaaaaa".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream fis = new FileInputStream("D:\\src\\keys\\server.jks");
        ks.load(fis, password);

        // setup the key manager factory
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);

        // setup the trust manager factory
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ks);

        // setup the HTTPS context and parameters
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext) {
            public void configure(HttpsParameters params) {
                try {
                    // initialise the SSL context
                    SSLContext c = SSLContext.getDefault();
                    SSLEngine engine = c.createSSLEngine();
                    params.setNeedClientAuth(false);
                    params.setCipherSuites(engine.getEnabledCipherSuites());
                    params.setProtocols(engine.getEnabledProtocols());

                    // get the default parameters
                    SSLParameters defaultSSLParameters = c.getDefaultSSLParameters();
                    params.setSSLParameters(defaultSSLParameters);

                } catch (Exception ex) {
                    System.out.println("Failed to create HTTPS port");
                }
            }
        });
        HttpContext hc =  httpsServer.createContext("/test", new MyHandler());
        /*BasicAuthenticator basicAuthenticator = new BasicAuthenticator("get") {
            @Override
            public boolean checkCredentials(String username, String password) {
                return username.equals("user") && password.equals("password");
            }
        };

        hc.setAuthenticator(basicAuthenticator);*/
        httpsServer.setExecutor(null); // creates a default executor
        httpsServer.start();

    } catch (Exception exception) {
        System.out.println("Failed to create HTTPS server on port " + 8000 + " of localhost");
        exception.printStackTrace();

    }
}
}

JQuery /客户端:

$( "#button" ).click(function() {
    function make_base_auth(user, password) {
        var tok = user + ':' + password;
        var hash = btoa(tok);
        return "Basic " + hash;
    }
    $.ajax
    ({
        type: "GET",
        url: "https://localhost:8000/test",
        beforeSend: function (xhr){
            xhr.setRequestHeader('Authorization', make_base_auth("user", "password"));
        },
        success: function (data){
            console.log(data)
        }
    });
});

上面的代码对我有用,它进入测试处理程序并回答预检,然后才是真正的请求。但是它不会验证jQuery中的凭证(甚至不需要发送一些凭证)。这是合乎逻辑的,因为我称赞了基本身份验证的激活。我在基本身份验证部分中发表评论后,它就没有进入测试处理程序,也没有达到预检处理。

我的问题是,当不在处理程序中时,我不知道该将预检处理放在哪里。那么有没有办法使用sun HttpServer来做到这一点?

0 个答案:

没有答案