我们尝试在一个HttpClient(一个会话)中向目标服务器发送多个请求。目标服务器将首先使用摘要式身份验证(基于MD5-sess)对所有请求进行身份验证。结果显示只有第一次访问成功。服务器拒绝以下访问,因为服务器将以后的访问视为重放攻击,因为“nc”值始终为“00000001”。
似乎Android HttpClient硬编码摘要授权标题attirbute“nc”为“00000001”?
客户端在发送新请求时是否可以增加此值?感谢。
public class HttpService {
private static final HttpService instance = new HttpService();
private HttpService() {
client = getHttpClient();
}
public static HttpService getInstance() {
return instance;
}
private DefaultHttpClient getHttpClient() {
HttpParams params = new BasicHttpParams();
HttpConnectionParams.setStaleCheckingEnabled(params, false);
HttpConnectionParams.setConnectionTimeout(params, 15 * 1000);
HttpConnectionParams.setSoTimeout(params, 15 * 1000);
HttpConnectionParams.setSocketBufferSize(params, 8192);
HttpProtocolParams.setUserAgent(params, USER_AGENT);
SchemeRegistry schemeRegistry = new SchemeRegistry();
Scheme httpScheme = new Scheme("http", PlainSocketFactory.getSocketFactory(), 80);
Scheme httpsScheme = new Scheme("https", SSLCertificateSocketFactory.getHttpSocketFactory(30 * 1000, null), 443);
schemeRegistry.register(httpScheme);
schemeRegistry.register(httpsScheme);
ClientConnectionManager manager = new ThreadSafeClientConnManager(params, schemeRegistry);
//create client
DefaultHttpClient httpClient = new DefaultHttpClient(manager, params);
httpClient.getCredentialsProvider().setCredentials(new AuthScope(address, port),
new UsernamePasswordCredentials(username, password));
}
}
答案 0 :(得分:2)
Android附带了一个非常过时的(pre-BETA)Apache HttpClient分支。自4.0 ALPHA以来,HttpClient的股票版本发生了无数次的变化,也在Digest auth区域。
您可以做的最好的事情是从Apache HttpClient的库存版本复制DigestScheme,并将您的应用程序配置为使用副本而不是默认实现。
为此,您必须使用auth scheme注册表注册自定义DigestSchemeFactory实例。
答案 1 :(得分:0)
看来你是对的。这来自Digest.java:
//TODO: supply a real nonce-count, currently a server will interprete a repeated request as a replay
private static final String NC = "00000001"; //nonce-count is always 1
您应该在http://b.android.com提交错误。您有几个选择:
HttpRequestInterceptor以进行此授权(不要将凭据设置为凭据提供程序)编辑:由于它已在库存版本中修复,因此还有另一种选择:
另一种选择: