org.apache.catalina.authenticator
Class DigestAuthenticator

java.lang.Object
  extended byorg.apache.catalina.valves.ValveBase
      extended byorg.apache.catalina.authenticator.AuthenticatorBase
          extended byorg.apache.catalina.authenticator.DigestAuthenticator
All Implemented Interfaces:
Authenticator, Contained, Lifecycle, Valve

public class DigestAuthenticator
extends AuthenticatorBase

An Authenticator and Valve implementation of HTTP DIGEST Authentication (see RFC 2069).

Version:
$Revision: 1.15 $ $Date: 2004/08/26 21:27:39 $
Author:
Craig R. McClanahan, Remy Maucherat

Field Summary
protected static java.lang.String info
          Descriptive information about this implementation.
protected  java.lang.String key
          Private key.
protected static MD5Encoder md5Encoder
          The MD5 helper object for this class.
protected static java.security.MessageDigest md5Helper
          MD5 message digest provider.
protected  long nOnceTimeout
          No once expiration (in millisecond).
protected  java.util.Hashtable nOnceTokens
          No once hashtable.
protected  int nOnceUses
          No once expiration after a specified number of uses.
protected static int TIMEOUT_INFINITE
          Indicates that no once tokens are used only once.
protected static int USE_NEVER_EXPIRES
          Indicates that no once tokens are used only once.
protected static int USE_ONCE
          Indicates that no once tokens are used only once.
 
Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase
algorithm, cache, context, debug, DEFAULT_ALGORITHM, digest, disableProxyCaching, entropy, lifecycle, random, randomClass, SESSION_ID_BYTES, sm, sso, started
 
Fields inherited from class org.apache.catalina.valves.ValveBase
container
 
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, START_EVENT, STOP_EVENT
 
Constructor Summary
DigestAuthenticator()
           
 
Method Summary
 boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config)
          Authenticate the user making this request, based on the specified login configuration.
protected static java.security.Principal findPrincipal(javax.servlet.http.HttpServletRequest request, java.lang.String authorization, Realm realm)
          Parse the specified authorization credentials, and return the associated Principal that these credentials authenticate (if any) from the specified Realm.
protected  java.lang.String generateNOnce(javax.servlet.http.HttpServletRequest request)
          Generate a unique token.
 java.lang.String getInfo()
          Return descriptive information about this Valve implementation.
protected  java.lang.String parseUsername(java.lang.String authorization)
          Parse the username from the specified authorization string.
protected static java.lang.String removeQuotes(java.lang.String quotedString)
          Removes the quotes on a string.
protected static java.lang.String removeQuotes(java.lang.String quotedString, boolean quotesRequired)
          Removes the quotes on a string.
protected  void setAuthenticateHeader(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, LoginConfig config, java.lang.String nOnce)
          Generates the WWW-Authenticate header.
 
Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase
accessControl, addLifecycleListener, associate, checkUserData, findConstraint, findLifecycleListeners, generateSessionId, getAlgorithm, getCache, getContainer, getDebug, getDigest, getDisableProxyCaching, getEntropy, getRandom, getRandomClass, getSession, getSession, invoke, log, log, reauthenticateFromSSO, register, removeLifecycleListener, setAlgorithm, setCache, setContainer, setDebug, setDisableProxyCaching, setEntropy, setRandomClass, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

USE_ONCE

protected static final int USE_ONCE
Indicates that no once tokens are used only once.

See Also:
Constant Field Values

USE_NEVER_EXPIRES

protected static final int USE_NEVER_EXPIRES
Indicates that no once tokens are used only once.

See Also:
Constant Field Values

TIMEOUT_INFINITE

protected static final int TIMEOUT_INFINITE
Indicates that no once tokens are used only once.

See Also:
Constant Field Values

md5Encoder

protected static final MD5Encoder md5Encoder
The MD5 helper object for this class.


info

protected static final java.lang.String info
Descriptive information about this implementation.

See Also:
Constant Field Values

md5Helper

protected static java.security.MessageDigest md5Helper
MD5 message digest provider.


nOnceTokens

protected java.util.Hashtable nOnceTokens
No once hashtable.


nOnceTimeout

protected long nOnceTimeout
No once expiration (in millisecond). A shorter amount would mean a better security level (since the token is generated more often), but at the expense of a bigger server overhead.


nOnceUses

protected int nOnceUses
No once expiration after a specified number of uses. A lower number would produce more overhead, since a token would have to be generated more often, but would be more secure.


key

protected java.lang.String key
Private key.

Constructor Detail

DigestAuthenticator

public DigestAuthenticator()
Method Detail

getInfo

public java.lang.String getInfo()
Return descriptive information about this Valve implementation.

Specified by:
getInfo in interface Valve
Overrides:
getInfo in class AuthenticatorBase

authenticate

public boolean authenticate(HttpRequest request,
                            HttpResponse response,
                            LoginConfig config)
                     throws java.io.IOException
Authenticate the user making this request, based on the specified login configuration. Return true if any specified constraint has been satisfied, or false if we have created a response challenge already.

Specified by:
authenticate in class AuthenticatorBase
Parameters:
request - Request we are processing
response - Response we are creating
config - Login configuration describing how authentication should be performed
Throws:
java.io.IOException - if an input/output error occurs

findPrincipal

protected static java.security.Principal findPrincipal(javax.servlet.http.HttpServletRequest request,
                                                       java.lang.String authorization,
                                                       Realm realm)
Parse the specified authorization credentials, and return the associated Principal that these credentials authenticate (if any) from the specified Realm. If there is no such Principal, return null.

Parameters:
request - HTTP servlet request
authorization - Authorization credentials from this request
realm - Realm used to authenticate Principals

parseUsername

protected java.lang.String parseUsername(java.lang.String authorization)
Parse the username from the specified authorization string. If none can be identified, return null

Parameters:
authorization - Authorization string to be parsed

removeQuotes

protected static java.lang.String removeQuotes(java.lang.String quotedString,
                                               boolean quotesRequired)
Removes the quotes on a string. RFC2617 states quotes are optional for all parameters except realm.


removeQuotes

protected static java.lang.String removeQuotes(java.lang.String quotedString)
Removes the quotes on a string.


generateNOnce

protected java.lang.String generateNOnce(javax.servlet.http.HttpServletRequest request)
Generate a unique token. The token is generated according to the following pattern. NOnceToken = Base64 ( MD5 ( client-IP ":" time-stamp ":" private-key ) ).

Parameters:
request - HTTP Servlet request

setAuthenticateHeader

protected void setAuthenticateHeader(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response,
                                     LoginConfig config,
                                     java.lang.String nOnce)
Generates the WWW-Authenticate header.

The header MUST follow this template :

      WWW-Authenticate    = "WWW-Authenticate" ":" "Digest"
                            digest-challenge

      digest-challenge    = 1#( realm | [ domain ] | nOnce |
                  [ digest-opaque ] |[ stale ] | [ algorithm ] )

      realm               = "realm" "=" realm-value
      realm-value         = quoted-string
      domain              = "domain" "=" <"> 1#URI <">
      nonce               = "nonce" "=" nonce-value
      nonce-value         = quoted-string
      opaque              = "opaque" "=" quoted-string
      stale               = "stale" "=" ( "true" | "false" )
      algorithm           = "algorithm" "=" ( "MD5" | token )
 

Parameters:
request - HTTP Servlet request
response - HTTP Servlet response
config - Login configuration describing how authentication should be performed
nOnce - nonce token


Copyright 2000-2002 Apache Software Foundation. All Rights Reserved.