Protocols: HTTP, HTTPS, SSL/TLS, SSL Certificates and Cross-Domain Requests (Super Detailed Version)

1. Network
Computer Network:

A computer network is a topological structure composed of nodes and edges.

Edges are links: the links between routers are backbone links, and the links between routers and hosts are access links.

A node is either a host node or a data-exchange node, i.e. a host or a data-exchange device (or a higher-level load-balancing device).

Layering:

A computer network is logically layered according to the functions each layer is responsible for. The classic model is the OSI seven-layer model, but seven layers are somewhat cumbersome; the four-layer TCP/IP model is usually enough to explain what each layer does.

TCP/IP four layers:

  • Application layer

The applications themselves.

  • Transport layer

Provides end-to-end communication: the transport layer offers transparent data transmission between end users and a reliable data-transfer service to the layers above it. It ensures reliability through flow control, segmentation/reassembly and error control on a given link.

  • Network layer

The IP layer is responsible for transmitting IP packets across the network. With the help of routing tables it carries IP packets from one end of the network to the other. In short, IP implements packet routing and forwarding; the IP protocol and routers work at the network layer.

  • Network interface layer

Includes the operating system's device drivers and the network card, which together handle the details of the physical interface to the transmission medium (fiber optics, etc.).

The process of data flowing between layers and traveling in the network is as follows:

Protocol:

A protocol is the set of rules that peer-layer entities follow when communicating with each other.

The following are some classic protocols in each layer:

2. HTTP

HTTP, the Hypertext Transfer Protocol, is the application-layer protocol used by the Web.

2.1. Message structure
2.1.1. Request message

An HTTP request message consists of four parts: the request line, the request headers, a blank line and the request data (body).

Name           | Effect
Request line   | Records the request method, URL and HTTP protocol version number.
Request header | Records additional information as key-value pairs, such as cookies, encoding, host, etc.
Request data   | Also called the request body. It is not used by the GET method but by the POST method, which suits cases where the client has to fill in a form. Two request headers are closely tied to the request data: Content-Type and Content-Length.

That is to say, only POST requests have request bodies.
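As an added example (not code from the original article), the following Python parser splits a raw request into the four parts just described and uses Content-Length to find the body, so a GET with no Content-Length yields an empty body; the sample messages are constructed for the example.

```python
"""Parse a raw HTTP request into request line, headers, blank line and body
(added example, not from the original article)."""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split at the blank line; take the body length from Content-Length.

    Without Content-Length (a typical GET) the body is treated as empty.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line: header section is not terminated")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    length = int(headers.get("content-length", "0"))
    if length < 0 or length > len(rest):
        raise ValueError("Content-Length does not match the data present")
    return HttpRequest(method, target, version, headers, rest[:length])


# Constructed sample messages (not captured traffic)
GET_MSG = (b"GET /index.html?x=1 HTTP/1.1\r\n"
           b"Host: www.test.com\r\n"
           b"Cookie: LastLoginTime=1700000000000\r\n\r\n")
POST_MSG = (b"POST /login HTTP/1.1\r\n"
            b"Host: www.test.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 18\r\n\r\n"
            b"user=bob&pass=1234")
```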

2.1.2. Response message

The two most important parts of the HTTP response message (response) are:

  • Status code

Records the status of the response.

  • Response body

The data carried by the response; it can be a web page (HTML code), an image, a video, audio, etc.

2.2. Method

HTTP has the methods GET, POST, PUT, DELETE, CONNECT and HEAD. The original design intent was a dedicated method for each kind of operation on the server, but in practice the two methods GET and POST turned out to be enough: GET requests data from the server, and POST stores data on the server.

Differences between GET and POST:

Name | Features
GET  | Parameters are in the URL, and the data size cannot exceed 2KB.
POST | The data is in the “request data” area of the HTTP message, and in theory there is no upper limit on its size.

2.3. HTTPS

HTTPS = HTTP + SSL/TLS, that is, HTTP is used for communication and SSL/TLS for protecting the data.

In the HTTPS stack, SSL/TLS is the middle layer between the HTTP protocol (application layer) and TCP (transport layer).

SSL/TLS protects data in three dimensions:

  • Content encryption: hybrid encryption is used, so an intermediary cannot directly read the plaintext.
  • Identity verification: through the certificate, the client confirms that the server it is accessing is the genuine one.
  • Data integrity: prevents the transmitted content from being forged or tampered with by a man in the middle.

SSL:

Secure Sockets Layer (SSL) is a security protocol that provides security and data integrity for network communications. It was invented by Netscape in 1994; later all browsers supported SSL, and its latest version is 3.0.

TLS:

Transport Layer Security (TLS) is a newer protocol developed by the IETF (Internet Engineering Task Force). It is built on the SSL 3.0 specification and is the successor of SSL 3.0. There are significant differences between TLS and SSL 3.0, mainly in the encryption algorithms they support, so TLS and SSL 3.0 cannot interoperate. Despite those differences, for the purpose of understanding HTTPS, SSL and TLS can be regarded as the same protocol.

Working mechanism:

SSL/TLS works much like TCP in that it uses a handshake during connection establishment to negotiate and fix the encryption and decryption methods, keys and other parameters, and then uses the negotiated results for the subsequent data communication.

SSL Certificate:

Configured on the server and also called the SSL server certificate, it records the encryption algorithms, key and other information supported by the current server. It is the core entity when using SSL/TLS, and it only has to be configured on the server. Throughout HTTPS, the client and the server establish a secure connection by reading this file to make their decisions.

2.4. Cross-domain

The cross-domain problem stems from the “same-origin policy”, a convention that essentially restricts JavaScript running in one domain from interacting with content in another domain.

The same-origin policy is a core mechanism for browser security; every browser must implement it, otherwise it would be very vulnerable to attack. “Same origin” means within one domain, and a domain consists of three parts: protocol, host and port. If any one of these differs, it is not the same domain, i.e. not the same origin.

For example, the JavaScript of the page http://www.test.com cannot interact with content in other domains. This prohibition does not mean that cross-domain requests cannot be sent; rather, the response is intercepted by the browser.

Therefore it is very convenient to solve cross-domain problems on the backend: before the response is returned, simply set the items the browser checks when deciding whether to accept a cross-domain response.

3. Session persistence
3.1. Overview

Session persistence technology exists because HTTP is a stateless protocol: a request has no relationship to the previous one, and they cannot sense each other; what the previous request did is completely unknown to the current one. The purpose of session persistence technology is to use an additional design to link HTTP requests so that they can perceive each other.

The two major session-persistence technologies currently in use are:

  • Cookie
  • Session

The difference between a cookie and a session can be explained with an example:

How to enter the campus of a closed school?

  • Method 1. The school prepares a roster and checks people against it one by one as they enter.
  • Method 2. Students apply for a student card and use the card to enter and leave.

3.2. Cookie

A client-side technology: the state (data) is saved on the client, which corresponds to entering the campus with the student card.

The server returns cookies (any number of them) to the client; a cookie is a key-value pair.

During the interaction between client and server, cookies are carried in the request and the response.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DemoServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Cookies sent by the client arrive in the request (null when the client sent none)
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if ("LastLoginTime".equals(cookie.getName())) {
                    System.out.println("Last access time: " + cookie.getValue());
                }
            }
        } else {
            System.out.println("This is the first time to log in!");
        }
        // A new cookie travels back to the client in the response
        Cookie cookie = new Cookie("LastLoginTime", System.currentTimeMillis() + "");
        cookie.setMaxAge(60 * 60 * 24); // Set the validity period to one day
        response.addCookie(cookie);
    }
}

3.3. Session

A server-side technology: the state (data) is saved on the server, which corresponds to entering the campus with the roster. As with cookies, during the interaction between client and server the session is carried by the request and the response.

Creating a session:

A session is not created automatically when the client accesses the server; it must be created by calling the API:

request.getSession()

Destroying a session:

  • session.invalidate()
  • The interval between two consecutive requests exceeds the lifetime configured for the session.

Apart from these cases the session is not destroyed. The reason it usually feels as if the session is destroyed when the browser is closed is that, if the browser previously had a session on the server, closing and reopening the browser creates a new session that replaces the old one, so it feels as if closing the browser destroyed the session.

Using the session:

Since the whole browser shares the data in the session, the session can act much like a context object for sharing data.

The session's unique identifier is the session ID, which is automatically wrapped in a cookie and returned to the client.

This is why, as soon as you open the browser, a cookie appears in the HTTP request and response.
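An added example (not from the original article) of the roster-versus-card distinction in Python: SessionStore keeps all state on the server and hands the client only a random session ID, which travels in a cookie; get() enforces the lifetime rule above and invalidate() mirrors session.invalidate(). The cookie name SESSIONID and the injectable clock are assumptions for the example.

```python
"""Server-side session store keyed by a session ID that travels in a cookie
(added example, not from the original article)."""
import secrets
import time


class SessionStore:
    """The roster stays on the server; the client only holds the session ID."""

    def __init__(self, max_age_seconds: int, clock=time.monotonic):
        self.max_age = max_age_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}  # session_id -> {"data": {...}, "last_seen": t}

    def create(self) -> tuple:
        """Create a session explicitly, as request.getSession() does."""
        sid = secrets.token_urlsafe(32)  # unguessable, so an ID cannot be forged
        self._sessions[sid] = {"data": {}, "last_seen": self.clock()}
        return sid, self._sessions[sid]["data"]

    def get(self, sid: str):
        """Return the session data, or None if the ID is unknown or has expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.max_age:
            del self._sessions[sid]  # gap between two requests exceeded the lifetime
            return None
        entry["last_seen"] = now
        return entry["data"]

    def invalidate(self, sid: str) -> None:
        """Destroy the session, as session.invalidate() does."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, secure: bool = True) -> str:
    """Set-Cookie value carrying only the session ID, with the usual hardening flags."""
    flags = "; HttpOnly; SameSite=Lax" + ("; Secure" if secure else "")
    return "SESSIONID=" + sid + "; Path=/" + flags


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    pairs = [kv.strip() for kv in header.split(";") if "=" in kv]
    return dict(kv.split("=", 1) for kv in pairs)
```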

4. Authentication and authorization
4.1. Token

A token is a credential that verifies a user's identity. Its composition is arbitrary, as long as it can identify the user.

Token workflow:

The client sends a request to the server; after receiving it, the server generates a token and returns it to the client. From then on, all authentication of the client is based on the token.

4.2. JWT

JWT (JSON Web Token) is a general token standard based on JSON. A token is arbitrary by nature; JWT standardizes its format.

JWT specifies that a token consists of three parts:

  • Header

The header carries two pieces of information:

    • the type declaration, i.e. that this is a JWT
    • the algorithm used for the signature; the default is HMAC SHA256

  • Payload

The payload is where the valid information (data) is stored.

  • Signature

The signature is used to verify the integrity of the whole token and whether it has been tampered with. It is computed from three parts:

    • the header (base64-encoded)
    • the payload (base64-encoded)
    • the secret (private key)
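An added Python example (not from the original article) that assembles the three parts above into an HS256 token and verifies it; the secret and the payload are constructed for the example.

```python
"""Build and verify an HS256 JWT from the three parts the page lists
(added example, not from the original article)."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Token = b64url(header) . b64url(payload) . b64url(HMAC-SHA256(secret, first two))."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the payload only if the signature is valid; otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm; never let the token choose how it is verified
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header: %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("signature mismatch: token altered or wrong key")
    return json.loads(b64url_decode(p))


def is_valid(token: str, secret: bytes) -> bool:
    """True when verify_jwt accepts the token (decoding errors are ValueErrors too)."""
    try:
        verify_jwt(token, secret)
        return True
    except (ValueError, AttributeError):
        return False
```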

4.3. OAuth

OAuth (Open Authorization) is an open authorization protocol that provides a secure, open and simple standard for authorizing access to user resources. Its purpose is to allow third parties limited access to the user's data without access to the user's core information.

For example, logging in to a third-party website with a WeChat or QQ account uses the OAuth protocol: it returns only the user name, avatar and similar information to the third party, not core data such as the password.