Class DigestAuthenticator

java.lang.Object
  org.apache.catalina.util.LifecycleBase
    org.apache.catalina.util.LifecycleMBeanBase
      org.apache.catalina.valves.ValveBase
        org.apache.catalina.authenticator.AuthenticatorBase
          org.apache.catalina.authenticator.DigestAuthenticator

All Implemented Interfaces:
RegistrationListener, javax.management.MBeanRegistration, Authenticator, Contained, JmxEnabled, Lifecycle, Valve
public class DigestAuthenticator extends AuthenticatorBase

An Authenticator and Valve implementation of HTTP DIGEST Authentication (see RFC 2069).

Author:
Craig R. McClanahan, Remy Maucherat

Nested Class Summary

Nested Classes
static class DigestAuthenticator.DigestInfo
static class DigestAuthenticator.NonceInfo

Nested classes/interfaces inherited from class org.apache.catalina.authenticator.AuthenticatorBase
AuthenticatorBase.AllowCorsPreflight

Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse

Field Summary

Fields
protected java.lang.String key
    Private key.
protected long lastTimestamp
    The last timestamp used to generate a nonce.
protected java.lang.Object lastTimestampLock
protected int nonceCacheSize
    Maximum number of server nonces to keep in the cache.
protected int nonceCountWindowSize
    The window size to use to track seen nonce count values for a given nonce.
protected java.util.Map<java.lang.String,DigestAuthenticator.NonceInfo> nonces
    List of server nonce values currently being tracked.
protected long nonceValidity
    How long server nonces are valid for in milliseconds.
protected java.lang.String opaque
    Opaque string.
protected static java.lang.String QOP
    Tomcat's DIGEST implementation only supports auth quality of protection.
protected boolean validateUri
    Should the URI be validated as required by RFC2617?

Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase
alwaysUseSession, AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, jaspicCallbackHandlerClass, REALM_NAME, securePagesWithPragma, secureRandomAlgorithm, secureRandomClass, secureRandomProvider, sendAuthInfoResponseHeaders, sessionIdGenerator, sm, sso

Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next

Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

Constructor Summary

Constructors
DigestAuthenticator()

Method Summary

Methods
protected boolean doAuthenticate(Request request, HttpServletResponse response)
    Authenticate the user making this request, based on the specified login configuration.
protected java.lang.String generateNonce(Request request)
    Generate a unique token.
protected java.lang.String getAuthMethod()
java.lang.String getKey()
int getNonceCacheSize()
int getNonceCountWindowSize()
long getNonceValidity()
java.lang.String getOpaque()
protected boolean isPreemptiveAuthPossible(Request request)
    Can the authenticator perform preemptive authentication for the given request?
boolean isValidateUri()
protected static java.lang.String removeQuotes(java.lang.String quotedString)
    Removes the quotes on a string.
protected static java.lang.String removeQuotes(java.lang.String quotedString, boolean quotesRequired)
    Removes the quotes on a string.
protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, java.lang.String nonce, boolean isNonceStale)
    Generates the WWW-Authenticate header.
void setKey(java.lang.String key)
void setNonceCacheSize(int nonceCacheSize)
void setNonceCountWindowSize(int nonceCountWindowSize)
void setNonceValidity(long nonceValidity)
void setOpaque(java.lang.String opaque)
void setValidateUri(boolean validateUri)
protected void startInternal()
    Start this component and implement the requirements of LifecycleBase.startInternal().

Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase
allowCorsPreflightBypass, associate, authenticate, changeSessionID, checkForCachedAuthentication, doLogin, getAllowCorsPreflight, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getJaspicCallbackHandlerClass, getRealmName, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, isContinuationRequired, isSendAuthInfoResponseHeaders, login, logout, notify, reauthenticateFromSSO, register, register, setAllowCorsPreflight, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setJaspicCallbackHandlerClass, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, setSendAuthInfoResponseHeaders, stopInternal

Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString

Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

Field Detail

QOP
protected static final java.lang.String QOP
Tomcat's DIGEST implementation only supports auth quality of protection.
See Also:
Constant Field Values

nonces
protected java.util.Map<java.lang.String,DigestAuthenticator.NonceInfo> nonces
List of server nonce values currently being tracked.

lastTimestamp
protected long lastTimestamp
The last timestamp used to generate a nonce. Each nonce should get a unique timestamp.

lastTimestampLock
protected final java.lang.Object lastTimestampLock

nonceCacheSize
protected int nonceCacheSize
Maximum number of server nonces to keep in the cache. If not specified, the default value of 1000 is used.

nonceCountWindowSize
protected int nonceCountWindowSize
The window size to use to track seen nonce count values for a given nonce. If not specified, the default of 100 is used.
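The three limits above work together: a nonce must be one the server actually issued, it must not have outlived nonceValidity, and each nonce count (nc) a client sends for it must be accepted at most once within the tracking window, otherwise a captured Authorization header could simply be resent. The Java class below is an added example, not Tomcat's own NonceInfo code, showing one way to enforce all three with the documented defaults (5 minutes, 1000 cached nonces, window of 100). The class name NonceTracker, its methods and the sample nonce strings are hypothetical, and the sliding window of boolean flags is an assumption: the page does not describe how NonceInfo stores the seen counts.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Tomcat's code: a minimal server-side nonce cache that
 * enforces nonceValidity, nonceCacheSize and nonceCountWindowSize as they
 * are documented for DigestAuthenticator. Names here are hypothetical.
 */
public class NonceTracker {

    public enum Result { OK, UNKNOWN, STALE, REPLAY }

    /** Per-nonce state: issue time and the nonce-count (nc) values already accepted. */
    static final class NonceState {
        final long issuedAt;      // server time (ms) at which the nonce was handed out
        long highestCount;        // highest nc accepted so far; seen[i] covers count highestCount - i
        final boolean[] seen;

        NonceState(long issuedAt, int windowSize) {
            this.issuedAt = issuedAt;
            this.seen = new boolean[windowSize];
        }
    }

    private final long nonceValidity;          // milliseconds
    private final int nonceCountWindowSize;
    private final Map<String, NonceState> nonces;

    public NonceTracker(long nonceValidity, final int nonceCacheSize, int nonceCountWindowSize) {
        this.nonceValidity = nonceValidity;
        this.nonceCountWindowSize = nonceCountWindowSize;
        // Access-ordered map: once the cache is full the least recently used nonce is dropped,
        // so memory stays bounded no matter how many challenges are issued.
        this.nonces = new LinkedHashMap<String, NonceState>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, NonceState> eldest) {
                return size() > nonceCacheSize;
            }
        };
    }

    /** Record a nonce that was just sent in a WWW-Authenticate challenge. */
    public synchronized void register(String nonce, long now) {
        nonces.put(nonce, new NonceState(now, nonceCountWindowSize));
    }

    /**
     * Validate the nonce and nc taken from an Authorization: Digest header.
     * STALE tells the caller to re-challenge with stale=true (the client retries
     * without re-prompting the user); UNKNOWN and REPLAY are authentication failures.
     */
    public synchronized Result check(String nonce, long nc, long now) {
        NonceState state = nonces.get(nonce);
        if (state == null) {
            return Result.UNKNOWN;                       // never issued, or already evicted
        }
        if (now - state.issuedAt > nonceValidity) {
            nonces.remove(nonce);
            return Result.STALE;
        }
        if (nc <= 0) {
            return Result.REPLAY;                        // nc is 1-based in RFC 2617
        }
        boolean[] seen = state.seen;
        if (nc > state.highestCount) {
            // Slide the window forward so that index 0 refers to the new highest count.
            long shift = nc - state.highestCount;
            if (shift >= seen.length) {
                Arrays.fill(seen, false);
            } else {
                int d = (int) shift;
                System.arraycopy(seen, 0, seen, d, seen.length - d);
                Arrays.fill(seen, 0, d, false);
            }
            state.highestCount = nc;
            seen[0] = true;
            return Result.OK;
        }
        long behind = state.highestCount - nc;
        if (behind >= seen.length) {
            return Result.REPLAY;                        // older than the window: freshness cannot be proven
        }
        int idx = (int) behind;
        if (seen[idx]) {
            return Result.REPLAY;                        // this exact nc was already accepted for this nonce
        }
        seen[idx] = true;
        return Result.OK;
    }

    public static void main(String[] args) {
        NonceTracker tracker = new NonceTracker(5 * 60 * 1000L, 1000, 100);   // the documented defaults
        long t0 = 1_700_000_000_000L;                                          // constructed clock value
        tracker.register("nonce-A", t0);                                       // constructed nonce
        System.out.println(tracker.check("nonce-A", 1, t0 + 10));              // OK
        System.out.println(tracker.check("nonce-A", 1, t0 + 20));              // REPLAY: same nc reused
        System.out.println(tracker.check("nonce-A", 3, t0 + 30));              // OK: counts may arrive out of order
        System.out.println(tracker.check("nonce-A", 2, t0 + 40));              // OK: still inside the window
        System.out.println(tracker.check("nonce-A", 2, t0 + 6 * 60 * 1000L));  // STALE: past nonceValidity
        System.out.println(tracker.check("nonce-B", 1, t0));                   // UNKNOWN: never issued
    }
}
```

Distinguishing STALE from the other failures is the point of the stale parameter in the WWW-Authenticate template: an expired nonce is not evidence of bad credentials, so the server re-challenges with stale=true and the client retries automatically, whereas an unknown nonce or a repeated nc is a failed authentication and should be logged as such.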

key
protected java.lang.String key
Private key.

nonceValidity
protected long nonceValidity
How long server nonces are valid for in milliseconds. Defaults to 5 minutes.

opaque
protected java.lang.String opaque
Opaque string.

validateUri
protected boolean validateUri
Should the URI be validated as required by RFC2617? Can be disabled in reverse proxies where the proxy has modified the URI.

Method Detail

getNonceCountWindowSize
public int getNonceCountWindowSize()

setNonceCountWindowSize
public void setNonceCountWindowSize(int nonceCountWindowSize)

getNonceCacheSize
public int getNonceCacheSize()

setNonceCacheSize
public void setNonceCacheSize(int nonceCacheSize)

getKey
public java.lang.String getKey()

setKey
public void setKey(java.lang.String key)

getNonceValidity
public long getNonceValidity()

setNonceValidity
public void setNonceValidity(long nonceValidity)

getOpaque
public java.lang.String getOpaque()

setOpaque
public void setOpaque(java.lang.String opaque)

isValidateUri
public boolean isValidateUri()

setValidateUri
public void setValidateUri(boolean validateUri)

doAuthenticate
protected boolean doAuthenticate(Request request, HttpServletResponse response) throws java.io.IOException
Authenticate the user making this request, based on the specified login configuration. Return true if any specified constraint has been satisfied, or false if we have created a response challenge already.
Specified by:
doAuthenticate in class AuthenticatorBase
Parameters:
request - Request we are processing
response - Response we are creating
Returns:
true if the user was authenticated, otherwise false, in which case an authentication challenge will have been written to the response
Throws:
java.io.IOException - if an input/output error occurs

getAuthMethod
protected java.lang.String getAuthMethod()
Specified by:
getAuthMethod in class AuthenticatorBase

removeQuotes
protected static java.lang.String removeQuotes(java.lang.String quotedString, boolean quotesRequired)
Removes the quotes on a string. RFC2617 states quotes are optional for all parameters except realm.
Parameters:
quotedString - The quoted string
quotesRequired - true if quotes were required
Returns:
The unquoted string

removeQuotes
protected static java.lang.String removeQuotes(java.lang.String quotedString)
Removes the quotes on a string.
Parameters:
quotedString - The quoted string
Returns:
The unquoted string

generateNonce
protected java.lang.String generateNonce(Request request)
Generate a unique token. The token is generated according to the following pattern:
NOnceToken = Base64 ( MD5 ( client-IP ":" time-stamp ":" private-key ) )
Parameters:
request - HTTP Servlet request
Returns:
The generated nonce

setAuthenticateHeader
protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, java.lang.String nonce, boolean isNonceStale)
Generates the WWW-Authenticate header. The header MUST follow this template:
WWW-Authenticate  = "WWW-Authenticate" ":" "Digest" digest-challenge
digest-challenge  = 1#( realm | [ domain ] | nonce | [ digest-opaque ] | [ stale ] | [ algorithm ] )
realm             = "realm" "=" realm-value
realm-value       = quoted-string
domain            = "domain" "=" <"> 1#URI <">
nonce             = "nonce" "=" nonce-value
nonce-value       = quoted-string
opaque            = "opaque" "=" quoted-string
stale             = "stale" "=" ( "true" | "false" )
algorithm         = "algorithm" "=" ( "MD5" | token )
Parameters:
request - HTTP Servlet request
response - HTTP Servlet response
nonce - nonce token
isNonceStale - true to add a stale parameter
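As an added example (not Tomcat's code) covering the generateNonce pattern and the WWW-Authenticate template above, together with the removeQuotes rule from the preceding entry, the Java class below derives a nonce as Base64(MD5(client-IP ":" time-stamp ":" private-key)), assembles a challenge value with an optional stale parameter and qop fixed to auth, and parses a client's Authorization header value, stripping quotes where they are optional and insisting on them for realm. Everything named in it (the class, its methods, the realm, opaque value, private key, client address and credentials) is hypothetical or constructed for the illustration; the hash is MD5 because that is what the documented pattern and RFC 2617 Digest call for.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Tomcat's code: the documented nonce pattern, the
 * WWW-Authenticate template, and an Authorization parser applying the
 * removeQuotes rule. All names and sample values are hypothetical.
 */
public class DigestChallengeExample {

    /** NOnceToken = Base64( MD5( client-IP ":" time-stamp ":" private-key ) ), as documented. */
    static String generateNonce(String clientIp, long timestamp, String privateKey) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");   // the hash RFC 2617 Digest is built on
            byte[] digest = md5.digest(
                    (clientIp + ":" + timestamp + ":" + privateKey).getBytes(StandardCharsets.ISO_8859_1));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is mandatory in every Java runtime", e);
        }
    }

    /** Builds the challenge value; qop is fixed to "auth" because that is all the server supports. */
    static String buildChallenge(String realm, String nonce, String opaque, boolean isNonceStale) {
        StringBuilder sb = new StringBuilder("Digest ");
        sb.append("realm=\"").append(realm).append('"');        // realm-value is always a quoted-string
        sb.append(", qop=\"auth\"");
        sb.append(", nonce=\"").append(nonce).append('"');      // nonce-value is a quoted-string
        sb.append(", opaque=\"").append(opaque).append('"');    // opaque is a quoted-string
        if (isNonceStale) {
            sb.append(", stale=true");                          // client may retry with a fresh nonce
        }
        sb.append(", algorithm=MD5");                           // algorithm is a bare token
        return sb.toString();
    }

    /** Strips surrounding quotes; rejects an unquoted value when quotes are required (realm). */
    static String removeQuotes(String quotedString, boolean quotesRequired) {
        if (quotedString.length() >= 2 && quotedString.startsWith("\"") && quotedString.endsWith("\"")) {
            return quotedString.substring(1, quotedString.length() - 1);
        }
        if (quotesRequired) {
            throw new IllegalArgumentException("value must be a quoted-string: " + quotedString);
        }
        return quotedString;
    }

    /** Parses "Digest k1=v1, k2=\"v2\", ..." into an ordered map (quoted-pair escapes are not handled). */
    static Map<String, String> parseDigestParams(String authorization) {
        String scheme = "Digest ";
        if (!authorization.regionMatches(true, 0, scheme, 0, scheme.length())) {
            throw new IllegalArgumentException("not a Digest credential");
        }
        Map<String, String> params = new LinkedHashMap<>();
        String body = authorization.substring(scheme.length());
        int i = 0, n = body.length();
        while (i < n) {
            while (i < n && (body.charAt(i) == ',' || Character.isWhitespace(body.charAt(i)))) i++;
            if (i >= n) break;
            int eq = body.indexOf('=', i);
            if (eq < 0) throw new IllegalArgumentException("parameter without '=' at offset " + i);
            String name = body.substring(i, eq).trim();
            i = eq + 1;
            String raw;
            if (i < n && body.charAt(i) == '"') {                // quoted-string: may contain commas
                int close = body.indexOf('"', i + 1);
                if (close < 0) throw new IllegalArgumentException("unterminated quoted-string for " + name);
                raw = body.substring(i, close + 1);
                i = close + 1;
            } else {                                             // token: runs to the next comma
                int end = body.indexOf(',', i);
                if (end < 0) end = n;
                raw = body.substring(i, end).trim();
                i = end;
            }
            params.put(name, removeQuotes(raw, "realm".equals(name)));
        }
        return params;
    }

    public static void main(String[] args) {
        String privateKey = "example-private-key";                 // constructed; must stay secret on a real server
        String nonce = generateNonce("192.0.2.10", 1_700_000_000_000L, privateKey);
        System.out.println("WWW-Authenticate: " + buildChallenge("Example Realm", nonce, "opaque-1", false));

        // Constructed client response; nc is hexadecimal in RFC 2617, so it is parsed in base 16.
        String authz = "Digest username=\"alice\", realm=\"Example Realm\", nonce=\"" + nonce
                + "\", uri=\"/secure/\", qop=auth, nc=00000001, cnonce=\"0a4f113b\","
                + " response=\"0123456789abcdef0123456789abcdef\", opaque=\"opaque-1\"";
        Map<String, String> p = parseDigestParams(authz);
        long nc = Long.parseLong(p.get("nc"), 16);
        System.out.println("user=" + p.get("username") + " nc=" + nc + " qop=" + p.get("qop"));
    }
}
```

The private key is what prevents a client from minting its own acceptable nonces, so it is treated like any other server secret; the parser returns the raw nonce and nc so the caller can look them up in the server's nonce cache before it bothers to recompute and compare the response digest.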

isPreemptiveAuthPossible
protected boolean isPreemptiveAuthPossible(Request request)
Description copied from class: AuthenticatorBase
Can the authenticator perform preemptive authentication for the given request?
Overrides:
isPreemptiveAuthPossible in class AuthenticatorBase
Parameters:
request - The request to check for credentials
Returns:
true if preemptive authentication is possible, otherwise false

startInternal
protected void startInternal() throws LifecycleException
Description copied from class: AuthenticatorBase
Start this component and implement the requirements of LifecycleBase.startInternal().
Overrides:
startInternal in class AuthenticatorBase
Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used