Class DigestAuthenticator
java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.valves.ValveBase
org.apache.catalina.authenticator.AuthenticatorBase
org.apache.catalina.authenticator.DigestAuthenticator
- All Implemented Interfaces:
MBeanRegistration
,RegistrationListener
,Authenticator
,Contained
,JmxEnabled
,Lifecycle
,Valve
An Authenticator and Valve implementation of HTTP DIGEST Authentication, as outlined in RFC 7616: "HTTP
Digest Authentication"
- Author:
- Craig R. McClanahan, Remy Maucherat
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic enum
This enum exists because RFC 7616 and Java use different names for some digests.static class
static class
Nested classes/interfaces inherited from class org.apache.catalina.authenticator.AuthenticatorBase
AuthenticatorBase.AllowCorsPreflight
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse
-
Field Summary
Modifier and TypeFieldDescriptionprotected String
Private key.protected long
The last timestamp used to generate a nonce.protected final Object
protected int
Maximum number of server nonces to keep in the cache.protected int
The window size to use to track seen nonce count values for a given nonce.protected Map<String,
DigestAuthenticator.NonceInfo> List of server nonce values currently being trackedprotected long
How long server nonces are valid for in milliseconds.protected String
Opaque string.protected static final String
Tomcat's DIGEST implementation only supports auth quality of protection.protected boolean
Should the URI be validated as required by RFC2617?Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase
alwaysUseSession, AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, jaspicCallbackHandlerClass, REALM_NAME, securePagesWithPragma, secureRandomAlgorithm, secureRandomClass, secureRandomProvider, sendAuthInfoResponseHeaders, sessionIdGenerator, sm, sso
Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected boolean
doAuthenticate
(Request request, HttpServletResponse response) Authenticate the user making this request, based on the specified login configuration.protected String
generateNonce
(Request request) Generate a unique token.protected String
Return the authentication method, which is vendor-specific and not defined by HttpServletRequest.getKey()
int
int
long
protected boolean
isPreemptiveAuthPossible
(Request request) Can the authenticator perform preemptive authentication for the given request?boolean
protected static String
removeQuotes
(String quotedString) Deprecated.This will be removed in Tomcat 11 onwards.protected static String
removeQuotes
(String quotedString, boolean quotesRequired) Deprecated.This will be removed in Tomcat 11 onwards.void
setAlgorithms
(String algorithmsString) protected void
setAuthenticateHeader
(HttpServletRequest request, HttpServletResponse response, String nonce, boolean isNonceStale) Generates the WWW-Authenticate header(s) as per RFC 7616.void
void
setNonceCacheSize
(int nonceCacheSize) void
setNonceCountWindowSize
(int nonceCountWindowSize) void
setNonceValidity
(long nonceValidity) void
void
setValidateUri
(boolean validateUri) protected void
Start this component and implement the requirements ofLifecycleBase.startInternal()
.Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase
allowCorsPreflightBypass, associate, authenticate, changeSessionID, checkForCachedAuthentication, doLogin, getAllowCorsPreflight, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getJaspicCallbackHandlerClass, getRealmName, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, isContinuationRequired, isSendAuthInfoResponseHeaders, login, logout, notify, reauthenticateFromSSO, register, register, setAllowCorsPreflight, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setJaspicCallbackHandlerClass, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, setSendAuthInfoResponseHeaders, stopInternal
Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
-
Field Details
-
QOP
Tomcat's DIGEST implementation only supports auth quality of protection.- See Also:
-
nonces
List of server nonce values currently being tracked -
lastTimestamp
protected long lastTimestampThe last timestamp used to generate a nonce. Each nonce should get a unique timestamp. -
lastTimestampLock
-
nonceCacheSize
protected int nonceCacheSizeMaximum number of server nonces to keep in the cache. If not specified, the default value of 1000 is used. -
nonceCountWindowSize
protected int nonceCountWindowSizeThe window size to use to track seen nonce count values for a given nonce. If not specified, the default of 100 is used. -
key
Private key. -
nonceValidity
protected long nonceValidityHow long server nonces are valid for in milliseconds. Defaults to 5 minutes. -
opaque
Opaque string. -
validateUri
protected boolean validateUriShould the URI be validated as required by RFC2617? Can be disabled in reverse proxies where the proxy has modified the URI.
-
-
Constructor Details
-
DigestAuthenticator
public DigestAuthenticator()
-
-
Method Details
-
getNonceCountWindowSize
public int getNonceCountWindowSize() -
setNonceCountWindowSize
public void setNonceCountWindowSize(int nonceCountWindowSize) -
getNonceCacheSize
public int getNonceCacheSize() -
setNonceCacheSize
public void setNonceCacheSize(int nonceCacheSize) -
getKey
-
setKey
-
getNonceValidity
public long getNonceValidity() -
setNonceValidity
public void setNonceValidity(long nonceValidity) -
getOpaque
-
setOpaque
-
isValidateUri
public boolean isValidateUri() -
setValidateUri
public void setValidateUri(boolean validateUri) -
getAlgorithms
-
setAlgorithms
-
doAuthenticate
Authenticate the user making this request, based on the specified login configuration. Returntrue
if any specified constraint has been satisfied, orfalse
if we have created a response challenge already.- Specified by:
doAuthenticate
in classAuthenticatorBase
- Parameters:
request
- Request we are processingresponse
- Response we are creating- Returns:
true
if the the user was authenticated, otherwisefalse
, in which case an authentication challenge will have been written to the response- Throws:
IOException
- if an input/output error occurs
-
getAuthMethod
Description copied from class:AuthenticatorBase
Return the authentication method, which is vendor-specific and not defined by HttpServletRequest.- Specified by:
getAuthMethod
in classAuthenticatorBase
- Returns:
- the authentication method, which is vendor-specific and not defined by HttpServletRequest.
-
removeQuotes
Deprecated.This will be removed in Tomcat 11 onwards. Unused.Removes the quotes on a string. RFC2617 states quotes are optional for all parameters except realm.- Parameters:
quotedString
- The quoted stringquotesRequired
-true
if quotes were required- Returns:
- The unquoted string
-
removeQuotes
Deprecated.This will be removed in Tomcat 11 onwards. Unused.Removes the quotes on a string.- Parameters:
quotedString
- The quoted string- Returns:
- The unquoted string
-
generateNonce
Generate a unique token. The token is generated according to the following pattern. NOnceToken = Base64 ( NONCE_DIGEST ( client-IP ":" time-stamp ":" private-key ) ).- Parameters:
request
- HTTP Servlet request- Returns:
- The generated nonce
-
setAuthenticateHeader
protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, String nonce, boolean isNonceStale) Generates the WWW-Authenticate header(s) as per RFC 7616.- Parameters:
request
- HTTP Servlet requestresponse
- HTTP Servlet responsenonce
- nonce tokenisNonceStale
-true
to add a stale parameter
-
isPreemptiveAuthPossible
Description copied from class:AuthenticatorBase
Can the authenticator perform preemptive authentication for the given request?- Overrides:
isPreemptiveAuthPossible
in classAuthenticatorBase
- Parameters:
request
- The request to check for credentials- Returns:
true
if preemptive authentication is possible, otherwisefalse
-
startInternal
Description copied from class:ValveBase
Start this component and implement the requirements ofLifecycleBase.startInternal()
.- Overrides:
startInternal
in classAuthenticatorBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-