Class DigestAuthenticator
java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.valves.ValveBase
org.apache.catalina.authenticator.AuthenticatorBase
org.apache.catalina.authenticator.DigestAuthenticator
- All Implemented Interfaces:
  MBeanRegistration, RegistrationListener, Authenticator, Contained, JmxEnabled, Lifecycle, Valve

An Authenticator and Valve implementation of HTTP DIGEST Authentication (see RFC 2069).

- Author:
  Craig R. McClanahan, Remy Maucherat
Nested Class Summary
Nested Classes (Modifier and Type / Class):
- static class
- static class DigestAuthenticator.NonceInfo
Nested classes/interfaces inherited from class org.apache.catalina.authenticator.AuthenticatorBase:
  AuthenticatorBase.AllowCorsPreflight
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle:
  Lifecycle.SingleUse
Field Summary
Fields (Modifier and Type / Field / Description):
- protected String key
  Private key.
- protected long lastTimestamp
  The last timestamp used to generate a nonce.
- protected final Object lastTimestampLock
- protected int nonceCacheSize
  Maximum number of server nonces to keep in the cache.
- protected int nonceCountWindowSize
  The window size to use to track seen nonce count values for a given nonce.
- protected Map<String,DigestAuthenticator.NonceInfo> nonces
  List of server nonce values currently being tracked.
- protected long nonceValidity
  How long server nonces are valid for in milliseconds.
- protected String opaque
  Opaque string.
- protected static final String QOP
  Tomcat's DIGEST implementation only supports auth quality of protection.
- protected boolean validateUri
  Should the URI be validated as required by RFC2617?
Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase:
  alwaysUseSession, AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, jaspicCallbackHandlerClass, REALM_NAME, securePagesWithPragma, secureRandomAlgorithm, secureRandomClass, secureRandomProvider, sendAuthInfoResponseHeaders, sessionIdGenerator, sm, sso
Fields inherited from class org.apache.catalina.valves.ValveBase:
  asyncSupported, container, containerLog, next
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase:
  mserver
Fields inherited from interface org.apache.catalina.Lifecycle:
  AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
Constructor Summary
Constructors:
- DigestAuthenticator()
Method Summary
Methods (Modifier and Type / Method / Description):
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
  Authenticate the user making this request, based on the specified login configuration.
- protected String generateNonce(Request request)
  Generate a unique token.
- protected String getAuthMethod()
- protected String getKey()
- int getNonceCacheSize()
- int getNonceCountWindowSize()
- long getNonceValidity()
- String getOpaque()
- boolean isValidateUri()
- protected static String removeQuotes(String quotedString)
  Removes the quotes on a string.
- protected static String removeQuotes(String quotedString, boolean quotesRequired)
  Removes the quotes on a string.
- protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, String nonce, boolean isNonceStale)
  Generates the WWW-Authenticate header.
- void setKey(String key)
- void setNonceCacheSize(int nonceCacheSize)
- void setNonceCountWindowSize(int nonceCountWindowSize)
- void setNonceValidity(long nonceValidity)
- void setOpaque(String opaque)
- void setValidateUri(boolean validateUri)
- protected void startInternal()
  Start this component and implement the requirements of LifecycleBase.startInternal().
Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase:
  allowCorsPreflightBypass, associate, authenticate, changeSessionID, checkForCachedAuthentication, doLogin, getAllowCorsPreflight, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getJaspicCallbackHandlerClass, getRealmName, getRequestCertificates, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, isContinuationRequired, isSendAuthInfoResponseHeaders, login, logout, notify, reauthenticateFromSSO, register, register, setAllowCorsPreflight, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setJaspicCallbackHandlerClass, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, setSendAuthInfoResponseHeaders, stopInternal
Methods inherited from class org.apache.catalina.valves.ValveBase:
  backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase:
  destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase:
  addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
Field Details

QOP
protected static final String QOP
Tomcat's DIGEST implementation only supports auth quality of protection.

nonces
protected Map<String,DigestAuthenticator.NonceInfo> nonces
List of server nonce values currently being tracked.

lastTimestamp
protected long lastTimestamp
The last timestamp used to generate a nonce. Each nonce should get a unique timestamp.

lastTimestampLock
protected final Object lastTimestampLock

nonceCacheSize
protected int nonceCacheSize
Maximum number of server nonces to keep in the cache. If not specified, the default value of 1000 is used.

nonceCountWindowSize
protected int nonceCountWindowSize
The window size to use to track seen nonce count values for a given nonce. If not specified, the default of 100 is used.

key
protected String key
Private key.

nonceValidity
protected long nonceValidity
How long server nonces are valid for in milliseconds. Defaults to 5 minutes.

opaque
protected String opaque
Opaque string.

validateUri
protected boolean validateUri
Should the URI be validated as required by RFC2617? Can be disabled in reverse proxies where the proxy has modified the URI.
Constructor Details

DigestAuthenticator
public DigestAuthenticator()
Method Details

getNonceCountWindowSize
public int getNonceCountWindowSize()

setNonceCountWindowSize
public void setNonceCountWindowSize(int nonceCountWindowSize)

getNonceCacheSize
public int getNonceCacheSize()

setNonceCacheSize
public void setNonceCacheSize(int nonceCacheSize)

getKey
protected String getKey()

setKey
public void setKey(String key)

getNonceValidity
public long getNonceValidity()

setNonceValidity
public void setNonceValidity(long nonceValidity)

getOpaque
public String getOpaque()

setOpaque
public void setOpaque(String opaque)

isValidateUri
public boolean isValidateUri()

setValidateUri
public void setValidateUri(boolean validateUri)
doAuthenticate
protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException
Authenticate the user making this request, based on the specified login configuration. Return true if any specified constraint has been satisfied, or false if we have created a response challenge already.
- Specified by:
  doAuthenticate in class AuthenticatorBase
- Parameters:
  request - Request we are processing
  response - Response we are creating
- Returns:
  true if the user was authenticated, otherwise false, in which case an authentication challenge will have been written to the response
- Throws:
  IOException - if an input/output error occurs
getAuthMethod
protected String getAuthMethod()
- Specified by:
  getAuthMethod in class AuthenticatorBase
removeQuotes
protected static String removeQuotes(String quotedString, boolean quotesRequired)
Removes the quotes on a string. RFC2617 states quotes are optional for all parameters except realm.
- Parameters:
  quotedString - The quoted string
  quotesRequired - true if quotes were required
- Returns:
  The unquoted string

removeQuotes
protected static String removeQuotes(String quotedString)
Removes the quotes on a string.
- Parameters:
  quotedString - The quoted string
- Returns:
  The unquoted string
generateNonce
protected String generateNonce(Request request)
Generate a unique token. The token is generated according to the following pattern:

  NOnceToken = Base64 ( MD5 ( client-IP ":" time-stamp ":" private-key ) )

- Parameters:
  request - HTTP Servlet request
- Returns:
  The generated nonce
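The following class is an added example and not Tomcat's DigestAuthenticator code. It issues nonces with the pattern documented above for generateNonce() and then tracks them the way the nonceValidity, nonceCacheSize and nonceCountWindowSize fields describe, so that a nonce replayed with an already-used nc value, an expired nonce, and a nonce this server never issued are each told apart before any digest is verified. The class name DigestNonceStore, the nested NonceInfo (an analogue of DigestAuthenticator.NonceInfo, not its implementation), the Verdict enum and the sliding-window bookkeeping are this example's own design; the key, client address and timestamps in main() are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration (not Tomcat code): nonce issue and tracking with the knobs documented above. */
public class DigestNonceStore {

    enum Verdict { OK, STALE, UNKNOWN, REPLAY }   // STALE -> re-challenge with stale=true

    /** Hypothetical analogue of DigestAuthenticator.NonceInfo: per-nonce replay state. */
    static final class NonceInfo {
        final long issuedAt;
        final boolean[] seen;   // ring of nonceCountWindowSize slots; seen[nc % size] -> nc used
        int highest;            // highest nc accepted so far (0 = none yet)

        NonceInfo(long issuedAt, int window) {
            this.issuedAt = issuedAt;
            this.seen = new boolean[window];
        }

        /** Accepts each nc once, within a sliding window ending at the highest nc seen. */
        boolean acceptNonceCount(int nc) {
            int window = seen.length;
            if (nc <= 0) return false;                          // nc is a 1-based counter
            if (nc > highest) {
                // Window moves forward: slots that fall out of it are reset before reuse.
                int advance = Math.min(nc - highest, window);
                for (int i = 1; i <= advance; i++) seen[(highest + i) % window] = false;
                highest = nc;
            } else if (highest - nc >= window) {
                return false;                                   // too old to be tracked
            }
            int slot = nc % window;
            if (seen[slot]) return false;                       // already used: replay
            seen[slot] = true;
            return true;
        }
    }

    private final String key;                                   // the "private key" of the pattern
    private final long nonceValidity;                           // milliseconds
    private final int nonceCountWindowSize;
    private final Map<String, NonceInfo> nonces;                // LRU, bounded by nonceCacheSize
    private long lastTimestamp;                                 // each nonce gets a unique timestamp

    DigestNonceStore(String key, final int nonceCacheSize, long nonceValidity, int nonceCountWindowSize) {
        this.key = key;
        this.nonceValidity = nonceValidity;
        this.nonceCountWindowSize = nonceCountWindowSize;
        this.nonces = new LinkedHashMap<String, NonceInfo>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, NonceInfo> eldest) {
                return size() > nonceCacheSize;                 // evict the least recently used nonce
            }
        };
    }

    /** NOnceToken = Base64 ( MD5 ( client-IP ":" time-stamp ":" private-key ) ), as documented above. */
    static String generateNonce(String clientIp, long timestamp, String privateKey) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] digest = md5.digest((clientIp + ":" + timestamp + ":" + privateKey)
                    .getBytes(StandardCharsets.ISO_8859_1));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a mandatory JCA algorithm", e);
        }
    }

    /** Issues a fresh nonce for a client and starts tracking it. */
    synchronized String issue(String clientIp, long now) {
        if (now <= lastTimestamp) now = lastTimestamp + 1;    // keep timestamps, hence nonces, unique
        lastTimestamp = now;
        String nonce = generateNonce(clientIp, now, key);
        nonces.put(nonce, new NonceInfo(now, nonceCountWindowSize));
        return nonce;
    }

    /** Checks the nonce and nc a client sent back, before the response digest is verified. */
    synchronized Verdict check(String nonce, int nc, long now) {
        NonceInfo info = nonces.get(nonce);
        if (info == null) return Verdict.UNKNOWN;               // never issued here, or evicted
        if (now - info.issuedAt > nonceValidity) {
            nonces.remove(nonce);
            return Verdict.STALE;                               // re-challenge with stale=true
        }
        return info.acceptNonceCount(nc) ? Verdict.OK : Verdict.REPLAY;
    }

    public static void main(String[] args) {
        // Constructed sample values: 1000 cached nonces, 5-minute validity, 100-wide nc window.
        DigestNonceStore store = new DigestNonceStore("example-private-key", 1000, 300_000L, 100);
        long t0 = 1_700_000_000_000L;
        String nonce = store.issue("192.0.2.10", t0);
        System.out.println("nonce = " + nonce);
        System.out.println("nc=1 first use   : " + store.check(nonce, 1, t0 + 10));
        System.out.println("nc=1 again       : " + store.check(nonce, 1, t0 + 20));
        System.out.println("nc=2             : " + store.check(nonce, 2, t0 + 30));
        System.out.println("nc=3 after 400 s : " + store.check(nonce, 3, t0 + 400_000L));
        System.out.println("unknown nonce    : " + store.check("not-issued", 1, t0));
    }
}
```

main() walks through the cases a server has to distinguish: a first use of a nonce, the same nc presented twice, a later nc on the same nonce, a use after the validity window has passed, and a nonce the store never issued. Only the first and third should be allowed through to digest verification; the stale case is what the isNonceStale parameter of setAuthenticateHeader() exists for, and the unknown case gets a fresh challenge without the stale flag.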
setAuthenticateHeader
protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, String nonce, boolean isNonceStale)
Generates the WWW-Authenticate header. The header MUST follow this template:

  WWW-Authenticate = "WWW-Authenticate" ":" "Digest" digest-challenge
  digest-challenge = 1#( realm | [ domain ] | nonce | [ digest-opaque ] | [ stale ] | [ algorithm ] )
  realm            = "realm" "=" realm-value
  realm-value      = quoted-string
  domain           = "domain" "=" <"> 1#URI <">
  nonce            = "nonce" "=" nonce-value
  nonce-value      = quoted-string
  opaque           = "opaque" "=" quoted-string
  stale            = "stale" "=" ( "true" | "false" )
  algorithm        = "algorithm" "=" ( "MD5" | token )

- Parameters:
  request - HTTP Servlet request
  response - HTTP Servlet response
  nonce - nonce token
  isNonceStale - true to add a stale parameter
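The class below is an added example, not Tomcat code, covering the two header-handling steps documented on this page: building a challenge in the WWW-Authenticate shape given above for setAuthenticateHeader() (with qop fixed to "auth", the only value the QOP field says Tomcat supports), and parsing the client's Authorization header under the quoting rule behind removeQuotes(), where quotes are optional for every parameter except realm. The class name DigestHeaders and the methods buildChallenge(), parseAuthorization() and hasRequiredParams() are this example's own; its removeQuotes() is a re-implementation of the documented behaviour, not Tomcat's method; the realm, nonce, opaque and Authorization values in main() are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration (not Tomcat code): challenge construction and Authorization parsing. */
public class DigestHeaders {

    /** Challenge per the template above; qop is "auth" because that is all Tomcat supports. */
    static String buildChallenge(String realm, String nonce, String opaque, boolean stale) {
        StringBuilder sb = new StringBuilder("Digest realm=\"").append(realm).append('"');
        sb.append(", qop=\"auth\"");
        sb.append(", nonce=\"").append(nonce).append('"');
        if (opaque != null) sb.append(", opaque=\"").append(opaque).append('"');
        if (stale) sb.append(", stale=true");     // client retries with the new nonce, no re-prompt
        sb.append(", algorithm=MD5");
        return sb.toString();
    }

    /**
     * Own version of removeQuotes(quotedString, quotesRequired): strips one surrounding pair of
     * quotes; returns null when quotes were required (realm) but absent, so the caller rejects.
     */
    static String removeQuotes(String quotedString, boolean quotesRequired) {
        int len = quotedString.length();
        if (len >= 2 && quotedString.charAt(0) == '"' && quotedString.charAt(len - 1) == '"') {
            return quotedString.substring(1, len - 1);
        }
        return quotesRequired ? null : quotedString;
    }

    /**
     * Splits "Digest name=value, name="value", ..." into a map. Quoted values may contain commas
     * and backslash-escaped quotes (escapes are left as sent); bare tokens end at the next comma.
     * Returns null on malformed input so the caller re-challenges instead of guessing.
     */
    static Map<String, String> parseAuthorization(String header) {
        if (header == null || !header.regionMatches(true, 0, "Digest ", 0, 7)) return null;
        Map<String, String> params = new LinkedHashMap<>();
        int i = 7, n = header.length();
        while (i < n) {
            while (i < n && (header.charAt(i) == ' ' || header.charAt(i) == ',')) i++;
            if (i >= n) break;
            int eq = header.indexOf('=', i);
            if (eq < 0) return null;                                // parameter without a value
            String name = header.substring(i, eq).trim().toLowerCase();
            i = eq + 1;
            while (i < n && header.charAt(i) == ' ') i++;
            String raw;
            if (i < n && header.charAt(i) == '"') {
                int start = i++;                                    // opening quote
                while (i < n && header.charAt(i) != '"') {
                    if (header.charAt(i) == '\\') i++;              // quoted-pair: skip escaped char
                    i++;
                }
                if (i >= n) return null;                            // unterminated quoted-string
                raw = header.substring(start, ++i);                 // keep both quotes for removeQuotes()
            } else {
                int end = header.indexOf(',', i);
                if (end < 0) end = n;
                raw = header.substring(i, end).trim();
                i = end;
            }
            String value = removeQuotes(raw, "realm".equals(name));
            if (value == null) return null;                         // realm sent without quotes
            params.put(name, value);
        }
        return params;
    }

    /** Required fields present, and qop (if sent) is "auth" accompanied by nc and cnonce. */
    static boolean hasRequiredParams(Map<String, String> p) {
        if (p == null) return false;
        for (String k : new String[] {"username", "realm", "nonce", "uri", "response"}) {
            if (!p.containsKey(k)) return false;
        }
        String qop = p.get("qop");
        if (qop == null) return true;                               // no qop: nothing more to demand
        return "auth".equals(qop) && p.containsKey("nc") && p.containsKey("cnonce");
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured traffic.
        System.out.println(buildChallenge("Protected Area", "nonce-example-1", "opaque-example-1", false));
        String auth = "Digest username=\"alice\", realm=\"Protected Area\", nonce=\"nonce-example-1\", "
                + "uri=\"/app/secure\", qop=auth, nc=00000001, cnonce=\"0a4f113b\", "
                + "response=\"0123456789abcdef0123456789abcdef\", opaque=\"opaque-example-1\", algorithm=MD5";
        Map<String, String> params = parseAuthorization(auth);
        System.out.println(params);
        System.out.println("complete: " + hasRequiredParams(params));
        // realm as a bare token breaks the RFC 2617 quoting rule, so the parser refuses the header
        System.out.println(parseAuthorization("Digest username=\"alice\", realm=Protected"));
    }
}
```

The parser deliberately returns null rather than a partial map whenever the header is malformed, so the only thing a server does with a bad header is issue a new challenge; the nonce and nc it extracts are what a nonce store (such as the one above) checks before the response digest is recomputed.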
startInternal
protected void startInternal() throws LifecycleException
Description copied from class: AuthenticatorBase
Start this component and implement the requirements of LifecycleBase.startInternal().
- Overrides:
  startInternal in class AuthenticatorBase
- Throws:
  LifecycleException - if this component detects a fatal error that prevents this component from being used