Networking, HTTP, Session Hold, Authentication Authorization

catalogs

1. Networking

2.HTTP

2.1. Message structure

2.1.1. request message

2.1.2. Response message

2.2. Methodology

2.3.HTTPS

2.4. Cross-domain

3. Session Hold

3.1. Overview

3.2.cookie

3.3.session

4. Authentication authorization

4.1.Token

4.2.JWT

4.3.oauth

---

1. Networking

Computer networks: Computer network, a set of topologies consisting of nodes and edges. The edge, or link, is the backbone link between routers, and the link between routers and hosts is the access link. A node, i.e., a host node or a data exchange node, consists of either a host or a data exchange device (or a higher-level load balancing device) Layering: According to the different functions responsible for the computer network in the logical layering? The classic model is the OSI seven layers, but seven layers is slightly cumbersome, generally with TCP / IP four layers can briefly explain the role of layers in the network layering. TCP/IP four-layer hierarchy:

• application layer (computing) application
• transport layer Providing end-to-end communication, the transport layer provides transparent data transfer between end users and reliable data transfer services to the upper layers. The transport layer ensures the reliability of data transmission through flow control, segmentation/reorganization and error control on a given link.
• network layer The IP layer, which is responsible for handling the transmission of IP data messages in the network, the IP layer transmits IP data messages, with the help of a routing table, from one end of the network to the other, in short, IP implements the routing of packets, IP protocols and routers work at the network layer.
• network interface layer This includes the operating system’s device driver and the network card, which together handle the details of the physical interface with the transmission medium (fiber optics, etc.).

The process of data flowing between tiers and traveling through the network is as follows:

Agreement: Protocol, a collection of rules that are followed during communication between entities in the peer layer. Below are some of the classic protocols in each layer:

2.HTTP

HTTP, Hypertext Transfer Protocol, was chosen as the application layer protocol for the WEB system.

2.1. Message structure

2.1.1. request message

HTTP request message (request) consists of four parts: request line (request line), request header (header), blank lines and request data (request data)

name	corresponds English -ity, -ism, -ization
requesting line	Record request method, URL, HTTP protocol version number
request header	Record some additional information as key-value pairs, such as cookies, encoding, host, etc.
Request data	The request data, also called the request body, is not used in the GET method, but in the POST method, which is used in situations that require the client to fill out a form. There are two important keys related to the request data in the request header: Content-Type and Content-Length.

That means only Post requests have request bodies:

2.1.2. Response message

The two most important parts of the HTTP response message (response):

• status code Record the status of the response
• response body Record the response data, which can be is a web page (HTML code), is an image, video, audio, etc.

2.2. Methodology

HTTP has a total of GET, POST, PUT, DELETE, CONNECT, HEAD, originally designed with the intention of each operation on the server have a corresponding method, but in actual use found that in fact, GET, POST two methods are enough, GET is responsible for the server to ask for data, POST is responsible for the server to store data. GET, POST difference:

name	specificities
GET	Parameters in the URL, data size can not exceed 2KB
POST	The data is in the “request data” area of the HTTP message, and theoretically there is no upper limit to its size.

2.3.HTTPS

https=http+ssl/TSL, i.e. use HTTP for communication and SSL/TLS for data protection. In the https system, SSL/TLS is an intermediate layer between the HTTP protocol (application layer) and TCP (transport layer).

SSL/TLS protects data in three dimensions:

• Content encryption: hybrid encryption technology is used so that intermediaries cannot directly view plaintext content
• Verify identity: authenticate that the client is accessing its own server through the certificate
• Protecting data integrity: preventing transmitted content from being impersonated or tampered with by intermediaries

SSL: Secure Sockets Layer (SSL) is a security protocol that provides security and data integrity for network communications. Invented by Netscape in 1994, SSL is supported by all browsers, and its latest version is 3.0. TLS: Transport Layer Security, Secure Transport Layer Protocol, the latest version of TLS (Transport Layer Security) is a new protocol developed by the IETF (Internet Engineering Task Force). It is built on top of the SSL 3.0 protocol specification and is the successor to SSL 3.0. There are significant differences between TLS and SSL 3.0, mainly because they support different cryptographic algorithms, so TLS and SSL 3.0 are not interoperable. Although TLS and SSL 3.0 differ in their encryption algorithms, SSL and TLS can be viewed as the same protocol in understanding HTTPS. Working mechanisms: The mechanism of SSL/TLS is similar to that of TCP, which uses handshake to complete the negotiation and determination of encryption and decryption methods, keys, and other data during the connection establishment phase, and then uses the negotiated results for the subsequent data communication process. SSL Certificates. Configured on the server, also known as SSL server certificates, records the current server support encryption algorithms, keys and other information, which is the use of SSL/STL when the core entity will be configured on the server can be, the entire HTTPS in the client and the server to establish a secure connection to rely on is to read change the file so as to make decisions.

2.4. Cross-domain

The cross-domain problem stems from the “same-origin policy”, which is a convention that essentially restricts JavaScript scripts in one domain from interacting with content in another domain. The “same-origin policy” is a core mechanism to ensure the security of the browser, all browsers must implement this mechanism in the implementation, otherwise the browser will be very easy to be attacked. The so-called “same-origin”, that is, in a domain, a domain consists of three parts: protocol, host, port, any one of which is different, is not a domain, a source. for examplehttp://www.test.comHer js in this page cannot interact with content in other domains. This handoff prohibits interaction not in the sense that cross-domain requests can’t be sent, but in the sense that the results of the response are intercepted by the browser. Therefore, it is very convenient to solve the cross-domain problem in the back-end, as long as in the response to return to deal with the browser to determine whether the response is cross-domain conditions on the line.

3. Session Hold

3.1. Overview

Session keeping technology came into being because HTTP is a stateless protocol, this request has nothing to do with the previous request, they can’t perceive each other, what did the previous request do? What the last request did? This request is completely unaware of the session maintenance technology is to a third-party design to realize the connection between HTTP requests, so that the requests can be mutually aware of each other. The two current conferences will maintain the technology:

• cookie
• session

The difference between a cookie and a session, explained with an example: How do you get on campus at a closed school?

• Way 1. The school prepares a roster and compares them one by one as they come in the door.
• Mode 2. Students get a student card and enter and exit with it.

3.2.cookie

Client-side technology, where the state (data) is saved on the client side, i.e. the student card accesses the campus this way. The server returns an unlimited number of cookies to the client, one cookie being a key-value pair. The carriers of cookies during client-server interaction are request and response.

public class DemoServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        Cookie[] cookies=request.getCookies();
        if(cookies!=null){
            for(Cookie cookie:cookies) {
                if("LastLoginTime".equals(cookie.getName())) {
                    System.out.println("Time of last visit: " + cookie.getValue());
                }
            }
        }else{
            System.out.println("This is the first login!") ;
        }
        Cookie cookie=new Cookie("LastLoginTime",System.currentTimeMillis()+"");
        cookie.setMaxAge(60*60*24);//set the expiration date to one day
        response.addCookie(cookie);
    }
}

3.3.session

Server technology, i.e., the state (data) is saved on the server side, i.e., the roster enters the campus this way. Like cookies, the carrier of session during client-server interaction is also request, response. session generation: A session is not automatically created when a client accesses the server, but must be generated by specifying the API:

request.getSession()

session destruction:

• session.invalidate()
• Two requests before and after exceeded the life cycle time specified by the session.

In addition, the session will not be destroyed, the reason why usually feel the browser closed session will be destroyed is to close the browser and then re-open the browser if the browser before the existence of the session on the server, it will re-create a session to overwrite the old session, so physically feel the browser closed after the session is destroyed. session is destroyed. The use of session: Since the entire browser shares the data inside the session, the session can function like a context object sharing data.

The unique identifier of a session is the sessionID, which is automatically encapsulated and returned as a cookie. That’s why, when you open a browser, a cookie exists inside the http request response.

4. Authentication authorization

4.1.Token

A token, also known as a “token”, is a credential that verifies a user’s identity. the composition of the token is arbitrary, and can identify the user’s identity. token’s workflow: The client sends a request to the server, the server receives it and generates a token to be returned to the client, and thereafter any authentication of the client is based on this token.

4.2.JWT

JWT, Json web token, that is, a json based universal token standard , token is inherently arbitrary , JWT specifies the format of the token . JWT specifies that the token consists of three parts:

• header The header, which carries two pieces of information:
  • Declare the type, i.e. declare that this is jwt
  • Declare the encryption algorithm, HMAC SHA256 encryption algorithm is used by default.
• payload Load, where valid information (data information) is stored.
• signature The visa, which can be used to verify the integrity of the entire token and whether it has been tampered with, consists of three parts:
  • header (after base64)
  • payload (after base64)
  • secret Private key

4.3.oauth

OAUTH, Open Authorization, provides a secure, open and easy standard for authorization of user resources. The purpose is to allow third parties to have only limited access to the user’s data without being able to touch the user’s core information. For example, using WeChat or QQ as an account to log in on a third-party website is using the oauth protocol, which only returns to the third party to inject information such as username and avatar, but not core data such as third-party secrets.