2015-11-08 55 views
0

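I'm looking to use an API called HookTheory. I'm making HTTPS calls in Java, and since this is my first time using an HTTP or HTTPS client, I've run into a few obstacles.

Authenticating requests to an API over HTTPS in Java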

Here are the document's details on User Authentication:

You authenticate to the Hooktheory API by providing an HTTP Bearer Token, according to the OAuth 2 protocol. Your HTTP Bearer Token is retrieved through the API with your www.hooktheory.com username and password. To retrieve your HTTP Bearer Token, make the following request: 

POST users/auth 

The body of the request must contain your www.hooktheory.com username and password: 

{ 
     "username": "Hooktheory", 
     "password": "" 
} 

The response will contain three fields, as shown below: 

{ 
     "id": 1234, 
     "username": "Hooktheory", 
     "activkey": "aoa6jjacz34kcta3aomeqwuz89" 
} 

The "activkey" property contains your HTTP Bearer Token; include it as an authorization header in all future requests to the API. 

Could someone explain in more detail how I would go about doing this in Java? A simplified version of the code is below:

String url = "https://api.hooktheory.com/v1/users/auth";
URL obj = new URL(url);
HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

//add request header
con.setRequestMethod("POST");
con.setRequestProperty("username", username);
con.setRequestProperty("password", password);

String urlParameters = "sn=C02G8416DRJM&cn=&locale=&caller=&num=12345";

// Send post request
con.setDoOutput(true);
DataOutputStream wr = new DataOutputStream(con.getOutputStream());
wr.writeBytes(urlParameters);
wr.flush();
wr.close();

int responseCode = con.getResponseCode();
System.out.println("\nSending 'POST' request to URL : " + url);
System.out.println("Post parameters : " + urlParameters);
System.out.println("Response Code : " + responseCode);

BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();

while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();

//print result
System.out.println(response.toString());

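This code is basically a copy of the code here

When I run the code above, I get a 401 error (authentication). I'm guessing it's because I'm not formatting the get/post request correctly.

Can someone point me in the right direction?

Answers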

1

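You have set the username and password as request properties, i.e. HTTP headers. According to the HookTheory documentation, you need to send them in the request body.

Specifically, the JSON request body you need to send looks like this: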

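DataOutputStream wr = new DataOutputStream(con.getOutputStream());
String requestBody = String.format("{ \"username\": \"%s\", \"password\": \"%s\" }", username, password);
// Write explicit UTF-8 bytes (java.nio.charset.StandardCharsets); writeBytes() keeps only the low byte of each char
wr.write(requestBody.getBytes(StandardCharsets.UTF_8));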

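Also, per their documentation, you should indicate that this is JSON by setting the Accept and Content-Type headers. This is done before sending the POST request data, with calls like this: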

con.setRequestProperty("Accept", "application/json"); 
con.setRequestProperty("Content-Type", "application/json"); 

So the whole block looks like:

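import java.io.DataOutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

String url = "https://api.hooktheory.com/v1/users/auth";
URL obj = new URL(url);
HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

// Declare that the body is JSON and that a JSON response is expected
con.setRequestMethod("POST");
con.setRequestProperty("Accept", "application/json");
con.setRequestProperty("Content-Type", "application/json");

// Send post request
con.setDoOutput(true);
DataOutputStream wr = new DataOutputStream(con.getOutputStream());
// The values are inserted unescaped: a quote or backslash in either one produces invalid JSON
String requestBody = String.format("{ \"username\": \"%s\", \"password\": \"%s\" }", username, password);
// Write explicit UTF-8 bytes; writeBytes() keeps only the low byte of each char
wr.write(requestBody.getBytes(StandardCharsets.UTF_8));
wr.flush();
wr.close();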
+0

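Wow, thank you. This is what I needed. I wasn't sure how to put the username and password in there. I'll try putting this together, thanks! Would I use code similar to my original post to read the response? – Django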
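
Added example, not part of any post on this page and not Hooktheory's own code: the full flow from the quoted documentation and the answer above, with the credentials JSON-escaped and sent as UTF-8 in the request body, the response read from the error stream when the server answers 401, and the `activkey` extracted for the Authorization header. The class and method names are hypothetical, the `Bearer` header form is assumed from RFC 6750, and `readAllBytes` needs Java 9 or later.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;
public class HooktheoryAuthExample { // hypothetical class name
    // Escape a value for a JSON string literal: quotes, backslashes, control characters.
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }
    static String authBody(String user, String pass) {
        return "{\"username\":\"" + jsonEscape(user) + "\",\"password\":\"" + jsonEscape(pass) + "\"}";
    }
    // Extract the bearer token from the auth response; null when the field is absent.
    static String extractActivkey(String json) {
        Matcher m = Pattern.compile("\"activkey\"\\s*:\\s*\"([^\"\\\\]+)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }
    // POST the credentials in the body (never in headers or the URL) and return the token.
    static String login(String authUrl, String user, String pass) throws IOException {
        HttpURLConnection con = (HttpURLConnection) new URL(authUrl).openConnection();
        con.setRequestMethod("POST");
        con.setRequestProperty("Accept", "application/json");
        con.setRequestProperty("Content-Type", "application/json");
        con.setDoOutput(true);
        try (OutputStream out = con.getOutputStream()) {
            out.write(authBody(user, pass).getBytes(StandardCharsets.UTF_8));
        }
        int code = con.getResponseCode();
        // getInputStream() throws on 4xx/5xx, so read the error stream for those.
        InputStream in = code < 400 ? con.getInputStream() : con.getErrorStream();
        String body = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8);
        if (code != 200) throw new IOException("auth failed: HTTP " + code + " " + body);
        return extractActivkey(body);
    }
    static void authorize(HttpURLConnection con, String token) {
        con.setRequestProperty("Authorization", "Bearer " + token); // RFC 6750 form (assumed for this API)
    }
    public static void main(String[] args) throws IOException {
        // Offline run: constructed password, and the sample response from the quoted docs.
        System.out.println(authBody("Hooktheory", "p\"a\\ss"));
        System.out.println(extractActivkey("{\"id\": 1234, \"activkey\": \"aoa6jjacz34kcta3aomeqwuz89\"}"));
    }
}
```

`main` makes no network call; `login("https://api.hooktheory.com/v1/users/auth", username, password)` performs the real request, and the returned token should be kept out of logs and console output.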

0

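Code 401 clearly indicates there is a problem with authentication. The stack trace shows that it is unauthenticated on the server side.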

10.4.2 401 Unauthorized 

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication"