Apache Tomcat 7.0.37

org.apache.catalina.authenticator
Class DigestAuthenticator

java.lang.Object
  extended by org.apache.catalina.util.LifecycleBase
      extended by org.apache.catalina.util.LifecycleMBeanBase
          extended by org.apache.catalina.valves.ValveBase
              extended by org.apache.catalina.authenticator.AuthenticatorBase
                  extended by org.apache.catalina.authenticator.DigestAuthenticator
All Implemented Interfaces:
MBeanRegistration, Authenticator, Contained, Lifecycle, Valve

public class DigestAuthenticator
extends AuthenticatorBase

An Authenticator and Valve implementation of HTTP DIGEST Authentication (see RFC 2069).

Version:
$Id: DigestAuthenticator.java 1443407 2013-02-07 11:03:34Z markt $
Author:
Craig R. McClanahan, Remy Maucherat

Field Summary
protected static String info
          Descriptive information about this implementation.
protected  String key
          Private key.
protected  long lastTimestamp
          The last timestamp used to generate a nonce.
protected  Object lastTimestampLock
           
protected static MD5Encoder md5Encoder
          Deprecated. Unused - will be removed in Tomcat 8.0.x
protected static MessageDigest md5Helper
          Deprecated. Unused - will be removed in Tomcat 8.0.x onwards
protected  int nonceCacheSize
          Maximum number of server nonces to keep in the cache.
protected  int nonceCountWindowSize
          The window size to use to track seen nonce count values for a given nonce.
protected  Map<String,org.apache.catalina.authenticator.DigestAuthenticator.NonceInfo> nonces
          List of server nonce values currently being tracked
protected  long nonceValidity
          How long server nonces are valid for in milliseconds.
protected  String opaque
          Opaque string.
protected static String QOP
          Tomcat's DIGEST implementation only supports auth quality of protection.
protected  boolean validateUri
          Should the URI be validated as required by RFC2617?
 
Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase
alwaysUseSession, AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, REALM_NAME, securePagesWithPragma, secureRandomAlgorithm, secureRandomClass, secureRandomProvider, sessionIdGenerator, sm, sso
 
Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next
 
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
 
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
Constructor Summary
DigestAuthenticator()
           
 
Method Summary
 boolean authenticate(Request request, HttpServletResponse response, LoginConfig config)
          Authenticate the user making this request, based on the specified login configuration.
protected  String generateNonce(Request request)
          Generate a unique token.
protected  String getAuthMethod()
           
 String getInfo()
          Return descriptive information about this Valve implementation.
 String getKey()
           
 int getNonceCacheSize()
           
 int getNonceCountWindowSize()
           
 long getNonceValidity()
           
 String getOpaque()
           
 boolean isValidateUri()
           
protected  String parseUsername(String authorization)
          Deprecated. Unused. Will be removed in Tomcat 8.0.x
protected static String removeQuotes(String quotedString)
          Removes the quotes on a string.
protected static String removeQuotes(String quotedString, boolean quotesRequired)
          Removes the quotes on a string.
protected  void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, LoginConfig config, String nonce, boolean isNonceStale)
          Generates the WWW-Authenticate header.
 void setKey(String key)
           
 void setNonceCacheSize(int nonceCacheSize)
           
 void setNonceCountWindowSize(int nonceCountWindowSize)
           
 void setNonceValidity(long nonceValidity)
           
 void setOpaque(String opaque)
           
 void setValidateUri(boolean validateUri)
           
protected  void startInternal()
          Start this component and implement the requirements of LifecycleBase.startInternal().
 
Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase
associate, authenticate, doLogin, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, login, logout, reauthenticateFromSSO, register, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, stopInternal
 
Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, event, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString
 
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister
 
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, init, removeLifecycleListener, setState, setState, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

md5Encoder

@Deprecated
protected static final MD5Encoder md5Encoder
Deprecated. Unused - will be removed in Tomcat 8.0.x
The MD5 helper object for this class.


info

protected static final String info
Descriptive information about this implementation.

See Also:
Constant Field Values

QOP

protected static final String QOP
Tomcat's DIGEST implementation only supports auth quality of protection.

See Also:
Constant Field Values

md5Helper

@Deprecated
protected static volatile MessageDigest md5Helper
Deprecated. Unused - will be removed in Tomcat 8.0.x onwards
MD5 message digest provider.


nonces

protected Map<String,org.apache.catalina.authenticator.DigestAuthenticator.NonceInfo> nonces
List of server nonce values currently being tracked


lastTimestamp

protected long lastTimestamp
The last timestamp used to generate a nonce. Each nonce should get a unique timestamp.


lastTimestampLock

protected final Object lastTimestampLock

nonceCacheSize

protected int nonceCacheSize
Maximum number of server nonces to keep in the cache. If not specified, the default value of 1000 is used.


nonceCountWindowSize

protected int nonceCountWindowSize
The window size to use to track seen nonce count values for a given nonce. If not specified, the default of 100 is used.
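A sliding window over nonce-count (nc) values is what lets a server accept out-of-order requests on one nonce while rejecting replays. The sketch below is an added example, not Tomcat's own NonceInfo code; the class name NonceCountWindow and its accept method are hypothetical.

```java
import java.util.BitSet;

// Added illustration, not Tomcat's NonceInfo: tracks which nonce-count (nc)
// values a client has already used with a single server nonce.
public class NonceCountWindow {
    private final int windowSize;   // e.g. 100, the documented default
    private final BitSet seen;      // slot nc % windowSize for each nc inside the window
    private long highest = 0;       // highest nc accepted so far (nc starts at 1)

    public NonceCountWindow(int windowSize) {
        this.windowSize = windowSize;
        this.seen = new BitSet(windowSize);
    }

    /** Returns true if nc is fresh; false for a replay or a value that fell out of the window. */
    public synchronized boolean accept(long nc) {
        if (nc < 1 || nc <= highest - windowSize) {
            return false;                        // invalid, or too old to be tracked any more
        }
        if (nc > highest) {
            // Slide forward: the slots being reused held counts that are now out of range.
            long gap = Math.min(nc - highest, windowSize);
            for (long i = 1; i <= gap; i++) {
                seen.clear((int) ((highest + i) % windowSize));
            }
            highest = nc;
        } else if (seen.get((int) (nc % windowSize))) {
            return false;                        // this nc was already used: replay
        }
        seen.set((int) (nc % windowSize));
        return true;
    }

    public static void main(String[] args) {
        NonceCountWindow w = new NonceCountWindow(100);
        System.out.println("first use of 1:        " + w.accept(1));
        System.out.println("3 arrives before 2:    " + w.accept(3));
        System.out.println("late 2, inside window: " + w.accept(2));
        System.out.println("3 sent again:          " + w.accept(3));
        System.out.println("jump ahead to 250:     " + w.accept(250));
        System.out.println("150 after the jump:    " + w.accept(150));
    }
}
```

A larger window tolerates more reordering from pipelined or parallel clients at the cost of more state per tracked nonce, which is multiplied by nonceCacheSize.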


key

protected String key
Private key. Supplies the private-key component of the nonce pattern described under generateNonce.


nonceValidity

protected long nonceValidity
How long server nonces are valid for in milliseconds. Defaults to 5 minutes.


opaque

protected String opaque
Opaque string.


validateUri

protected boolean validateUri
Should the URI be validated as required by RFC2617? Can be disabled in reverse proxies where the proxy has modified the URI.

Constructor Detail

DigestAuthenticator

public DigestAuthenticator()
Method Detail

getInfo

public String getInfo()
Return descriptive information about this Valve implementation.

Specified by:
getInfo in interface Valve
Overrides:
getInfo in class AuthenticatorBase

getNonceCountWindowSize

public int getNonceCountWindowSize()

setNonceCountWindowSize

public void setNonceCountWindowSize(int nonceCountWindowSize)

getNonceCacheSize

public int getNonceCacheSize()

setNonceCacheSize

public void setNonceCacheSize(int nonceCacheSize)

getKey

public String getKey()

setKey

public void setKey(String key)

getNonceValidity

public long getNonceValidity()

setNonceValidity

public void setNonceValidity(long nonceValidity)

getOpaque

public String getOpaque()

setOpaque

public void setOpaque(String opaque)

isValidateUri

public boolean isValidateUri()

setValidateUri

public void setValidateUri(boolean validateUri)

authenticate

public boolean authenticate(Request request,
                            HttpServletResponse response,
                            LoginConfig config)
                     throws IOException
Authenticate the user making this request, based on the specified login configuration. Return true if any specified constraint has been satisfied, or false if we have created a response challenge already.

Specified by:
authenticate in interface Authenticator
Specified by:
authenticate in class AuthenticatorBase
Parameters:
request - Request we are processing
response - Response we are creating
config - Login configuration describing how authentication should be performed
Throws:
IOException - if an input/output error occurs

getAuthMethod

protected String getAuthMethod()
Specified by:
getAuthMethod in class AuthenticatorBase

parseUsername

@Deprecated
protected String parseUsername(String authorization)
Deprecated. Unused. Will be removed in Tomcat 8.0.x

Parse the username from the specified authorization string. If none can be identified, return null.

Parameters:
authorization - Authorization string to be parsed

removeQuotes

protected static String removeQuotes(String quotedString,
                                     boolean quotesRequired)
Removes the quotes on a string. RFC2617 states quotes are optional for all parameters except realm.


removeQuotes

protected static String removeQuotes(String quotedString)
Removes the quotes on a string.


generateNonce

protected String generateNonce(Request request)
Generate a unique token. The token is generated according to the following pattern: NonceToken = Base64 ( MD5 ( client-IP ":" time-stamp ":" private-key ) ).

Parameters:
request - HTTP Servlet request
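The documented pattern binds a nonce to the client address, the issue time and the server's key, which is what allows a later request to be classified as valid, stale or forged. The following is an added example and not Tomcat's source; the class NonceSketch, the timestamp-prefix layout and all sample values are assumptions, and it needs Java 8 or later for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration of the documented nonce pattern; not Tomcat's source.
public class NonceSketch {
    enum Result { OK, STALE, INVALID }

    // Base64(MD5(client-IP ":" time-stamp ":" private-key)), as given in the Javadoc.
    static String token(String clientIp, long timestamp, String privateKey) throws Exception {
        byte[] in = (clientIp + ":" + timestamp + ":" + privateKey).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("MD5").digest(in));
    }

    // Assumption: the issue time travels in clear in front of the token so the server
    // can recompute it; the page does not say how the timestamp is recovered.
    static String issue(String clientIp, long timestamp, String privateKey) throws Exception {
        return timestamp + ":" + token(clientIp, timestamp, privateKey);
    }

    static Result check(String nonce, String clientIp, String privateKey,
                        long now, long nonceValidityMs) throws Exception {
        int sep = nonce.indexOf(':');
        if (sep < 1) return Result.INVALID;
        long ts;
        try {
            ts = Long.parseLong(nonce.substring(0, sep));
        } catch (NumberFormatException e) {
            return Result.INVALID;
        }
        byte[] expected = token(clientIp, ts, privateKey).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = nonce.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison; fails for a forged token, another client IP or another key.
        if (!MessageDigest.isEqual(expected, actual)) return Result.INVALID;
        // A genuine but expired nonce is the case signalled with stale=true in a new challenge.
        return (now - ts > nonceValidityMs) ? Result.STALE : Result.OK;
    }

    public static void main(String[] args) throws Exception {
        String key = "constructed-sample-key";   // constructed value
        long validity = 5 * 60 * 1000L;          // documented default: 5 minutes
        long t0 = 1_360_000_000_000L;            // constructed timestamp
        String nonce = issue("192.0.2.10", t0, key);
        System.out.println("same client, in time: " + check(nonce, "192.0.2.10", key, t0 + 1_000, validity));
        System.out.println("different client IP:  " + check(nonce, "192.0.2.99", key, t0 + 1_000, validity));
        System.out.println("after validity:       " + check(nonce, "192.0.2.10", key, t0 + validity + 1, validity));
    }
}
```

Because the key is the only secret input, nonces issued by one node verify on another only if both share the same key value.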

setAuthenticateHeader

protected void setAuthenticateHeader(HttpServletRequest request,
                                     HttpServletResponse response,
                                     LoginConfig config,
                                     String nonce,
                                     boolean isNonceStale)
Generates the WWW-Authenticate header.

The header MUST follow this template:

      WWW-Authenticate    = "WWW-Authenticate" ":" "Digest"
                            digest-challenge

      digest-challenge    = 1#( realm | [ domain ] | nonce |
                  [ digest-opaque ] |[ stale ] | [ algorithm ] )

      realm               = "realm" "=" realm-value
      realm-value         = quoted-string
      domain              = "domain" "=" <"> 1#URI <">
      nonce               = "nonce" "=" nonce-value
      nonce-value         = quoted-string
      opaque              = "opaque" "=" quoted-string
      stale               = "stale" "=" ( "true" | "false" )
      algorithm           = "algorithm" "=" ( "MD5" | token )
 

Parameters:
request - HTTP Servlet request
response - HTTP Servlet response
config - Login configuration describing how authentication should be performed
nonce - nonce token

startInternal

protected void startInternal()
                      throws LifecycleException
Description copied from class: AuthenticatorBase
Start this component and implement the requirements of LifecycleBase.startInternal().

Overrides:
startInternal in class AuthenticatorBase
Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used

Copyright © 2000-2013 Apache Software Foundation. All Rights Reserved.