2015-11-08 132 views
0

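Authentication request to an API using HTTPS in Java

I'm looking to use an API called HookTheory. I'm making the HTTPS calls in Java, and since this is my first time using an HTTP or HTTPS client, I'm running into a few roadblocks.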

Here are the document's details on User Authentication:

You authenticate to the Hooktheory API by providing an HTTP Bearer Token, according to the OAuth 2 protocol. Your HTTP Bearer Token is retrieved through the API with your www.hooktheory.com username and password. To retrieve your HTTP Bearer Token, make the following request: 

POST users/auth 

The body of the request must contain your www.hooktheory.com username and password: 

{ 
     "username": "Hooktheory", 
     "password": "" 
} 

The response will contain three fields, as shown below: 

{ 
     "id": 1234, 
     "username": "Hooktheory", 
     "activkey": "aoa6jjacz34kcta3aomeqwuz89" 
} 

The "activkey" property contains your HTTP Bearer Token; include it as an authorization header in all future requests to the API. 

Can someone explain in more detail how I would go about doing this in Java? A simplified version of the code is below:

String url = "https://api.hooktheory.com/v1/users/auth";
URL obj = new URL(url);
HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

//add request header
con.setRequestMethod("POST");
con.setRequestProperty("username", username);
con.setRequestProperty("password", password);

String urlParameters = "sn=C02G8416DRJM&cn=&locale=&caller=&num=12345";

// Send post request
con.setDoOutput(true);
DataOutputStream wr = new DataOutputStream(con.getOutputStream());
wr.writeBytes(urlParameters);
wr.flush();
wr.close();

int responseCode = con.getResponseCode();
System.out.println("\nSending 'POST' request to URL : " + url);
System.out.println("Post parameters : " + urlParameters);
System.out.println("Response Code : " + responseCode);

BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();

while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();

//print result
System.out.println(response.toString());

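This code is basically a copy of the code here

When I run the code above, I get a 401 error (authentication). I'm guessing it's because I haven't formatted the GET/POST request correctly.

Can someone point me in the right direction?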

Answers

1

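You have set the username and password as request properties, i.e. HTTP headers. According to the HookTheory documentation, you need to send them in the request body.

Specifically, you need to send a JSON request body like this: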

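DataOutputStream wr = new DataOutputStream(con.getOutputStream());
String requestBody = String.format("{ \"username\": \"%s\", \"password\": \"%s\" }", username, password);
// Write UTF-8 bytes (java.nio.charset.StandardCharsets); writeBytes() would drop the high byte of any non-ASCII character
wr.write(requestBody.getBytes(StandardCharsets.UTF_8));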

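Also, per their documentation, you should indicate that this is JSON by setting the Accept and Content-Type headers. This is done before sending the POST request data, by calling: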

con.setRequestProperty("Accept", "application/json"); 
con.setRequestProperty("Content-Type", "application/json"); 

So the whole block looks like:

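// Needs java.net.URL, javax.net.ssl.HttpsURLConnection, java.io.DataOutputStream, java.nio.charset.StandardCharsets
String url = "https://api.hooktheory.com/v1/users/auth";
URL obj = new URL(url);
HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

con.setRequestMethod("POST");
// Tell the server the body is JSON and that JSON is expected back
con.setRequestProperty("Accept", "application/json");
con.setRequestProperty("Content-Type", "application/json");

// Send post request
con.setDoOutput(true);
DataOutputStream wr = new DataOutputStream(con.getOutputStream());
// Credentials go in the JSON body, not in headers (the values are not JSON-escaped here)
String requestBody = String.format("{ \"username\": \"%s\", \"password\": \"%s\" }", username, password);
// Write UTF-8 bytes; writeBytes() would drop the high byte of any non-ASCII character
wr.write(requestBody.getBytes(StandardCharsets.UTF_8));
wr.flush();
wr.close();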
+0

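Wow, thank you. This is what I needed. I wasn't sure how to put the username and password in there. I'll try putting this together, thanks! Would I use code similar to my original post to read the response? – Django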
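The whole flow from the documentation and the answer above, as an added example that is not part of the original thread or Hooktheory's own code: the credentials go in an escaped UTF-8 JSON body, a non-2xx status is read from the error stream instead of throwing on getInputStream(), and the activkey is sent back as an OAuth 2 "Authorization: Bearer" header. The class name, the HOOKTHEORY_USER / HOOKTHEORY_PASS environment variables, the regex extraction of activkey (used to stay dependency-free; a JSON library is the usual choice) and the API path taken from args[0] are assumptions.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class HooktheoryAuth {                       // class name is an assumption
    static final String BASE = "https://api.hooktheory.com/v1/";
    // Escape a value as a JSON string so a quote or backslash in a password cannot break the body.
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }
    static String readAll(InputStream in) throws IOException {   // readAllBytes() needs Java 9+
        if (in == null) return "";
        try (InputStream s = in) { return new String(s.readAllBytes(), StandardCharsets.UTF_8); }
    }
    static HttpURLConnection open(String path) throws IOException {
        HttpURLConnection con = (HttpURLConnection) new URL(BASE + path).openConnection();
        con.setRequestProperty("Accept", "application/json");
        return con;
    }
    // POST users/auth with the credentials in the JSON body; returns the "activkey" value.
    static String fetchToken(String user, String pass) throws IOException {
        HttpURLConnection con = open("users/auth");
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/json");
        con.setDoOutput(true);
        String body = "{\"username\":" + jsonString(user) + ",\"password\":" + jsonString(pass) + "}";
        try (OutputStream out = con.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
        int status = con.getResponseCode();
        if (status / 100 != 2)   // getInputStream() throws on 4xx/5xx; the details are on the error stream
            throw new IOException("auth failed: HTTP " + status + " " + readAll(con.getErrorStream()));
        Matcher m = Pattern.compile("\"activkey\"\\s*:\\s*\"([^\"]+)\"").matcher(readAll(con.getInputStream()));
        if (!m.find()) throw new IOException("no activkey in response");
        return m.group(1);
    }

    public static void main(String[] args) throws IOException {
        String user = System.getenv("HOOKTHEORY_USER"), pass = System.getenv("HOOKTHEORY_PASS"); // assumed names
        if (user == null || pass == null || args.length != 1) throw new IllegalArgumentException("usage");
        HttpURLConnection con = open(args[0]);     // args[0]: API path supplied by the caller (assumption)
        con.setRequestProperty("Authorization", "Bearer " + fetchToken(user, pass));
        System.out.println("HTTP " + con.getResponseCode());
    }
}
```

The token is never printed or logged; treat the activkey like the password it was exchanged for.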

0

Code 401 clearly indicates that there is a problem with authentication. The stack trace shows unauthenticated on the server side.

10.4.2 401 Unauthorized 

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication"