简体繁体 English

我应该如何通过HTTP验证应用程序？

[英]How should I go about authenticating an application via HTTP?

原文 2014-01-23 22:04:26 7 1 java/ security/ authentication

I'm making an application that requires it to be authenticated on startup with a "secret key" as defined in a configuration file. 我正在制作一个要求启动时使用配置文件中定义的“秘密密钥”对它进行身份验证的应用程序。 I can't have the app call to a database so I'm thinking I need to do a HTTP request, however I am not sure how I should go about doing this and how it can't be exploited. 我无法通过应用程序调用数据库，因此我认为我需要执行HTTP请求，但是我不确定应该如何去做以及如何利用它。

I just need somewhere to start, thanks! 我只需要从某个地方开始，谢谢！

1 个解决方案

You can use SSL. 您可以使用SSL。 Then to manage trusted certs, you can implement your own javax.net.ssl.X509TrustManager . 然后，要管理受信任的证书，可以实现自己的javax.net.ssl.X509TrustManager 。 You can use the javax.net.ssl.X509TrustManager to manage your .keystore file via standard Java mechanisms. 您可以使用javax.net.ssl.X509TrustManager通过标准Java机制来管理.keystore文件。 The keystore will contain private keys. 密钥库将包含私钥。

From JavaDoc: 从JavaDoc：

Instance of this interface manage which X509 certificates may be used to authenticate the >remote side of a secure socket. 该接口的实例管理可以使用哪些X509证书来验证安全套接字的>远程侧。 Decisions may be based on trusted certificate authorities, >certificate revocation lists, online status checking or other means. 决策可以基于受信任的证书颁发机构，证书撤销列表，在线状态检查或其他方式。

Also note that: 另请注意：

TrustManagers are responsible for managing the trust material that is used when making trust TrustManager负责管理进行信任时使用的信任材料
decisions, and for deciding whether credentials presented by a peer should be accepted. 决策，以及确定是否应接受对等方提供的凭据。

If you extend the X509TrustManager , you can read in certificates your private .keystore file as well as certificates trusted by Java. 如果扩展X509TrustManager ，则可以读取私有.keystore文件的证书以及Java信任的证书。 Those live in JAVA_HOME\\lib\\security\\cacerts 那些生活在JAVA_HOME\\lib\\security\\cacerts