org.acegisecurity.ui.digestauth
Class DigestProcessingFilter

java.lang.Object
  extended by org.acegisecurity.ui.digestauth.DigestProcessingFilter
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware

public class DigestProcessingFilter
extends java.lang.Object
implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware

Processes an HTTP request's Digest authorization headers, putting the result into the SecurityContextHolder.

For a detailed background on what this filter is designed to process, refer to RFC 2617 (which superseded RFC 2069, although this filter supports clients that implement either RFC 2617 or RFC 2069).

This filter can be used to provide Digest authentication services both to remoting protocol clients (such as Hessian and SOAP) and to standard user agents (such as Internet Explorer and Firefox).

This Digest implementation has been designed to avoid needing to store session state between invocations. All session management information is stored in the "nonce" that is sent to the client by the DigestProcessingFilterEntryPoint.

If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.

If authentication fails, an AuthenticationEntryPoint implementation is called. This must always be DigestProcessingFilterEntryPoint, which will prompt the user to authenticate again via Digest authentication.

Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest authentication over Basic authentication, including commentary on the limitations that it still imposes.

Do not use this class directly. Instead configure web.xml to use the FilterToBeanProxy.


Field Summary
protected org.springframework.context.support.MessageSourceAccessor messages

Constructor Summary
DigestProcessingFilter()

Method Summary
void afterPropertiesSet()
void destroy()
void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
static java.lang.String encodePasswordInA1Format(java.lang.String username, java.lang.String realm, java.lang.String password)
static java.lang.String generateDigest(boolean passwordAlreadyEncoded, java.lang.String username, java.lang.String realm, java.lang.String password, java.lang.String httpMethod, java.lang.String uri, java.lang.String qop, java.lang.String nonce, java.lang.String nc, java.lang.String cnonce)
          Computes the response portion of a Digest authentication header.
DigestProcessingFilterEntryPoint getAuthenticationEntryPoint()
UserCache getUserCache()
UserDetailsService getUserDetailsService()
void init(javax.servlet.FilterConfig ignored)
void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
void setAuthenticationEntryPoint(DigestProcessingFilterEntryPoint authenticationEntryPoint)
void setMessageSource(org.springframework.context.MessageSource messageSource)
void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)
void setUserCache(UserCache userCache)
void setUserDetailsService(UserDetailsService userDetailsService)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait


Field Detail

messages

protected org.springframework.context.support.MessageSourceAccessor messages
Constructor Detail

DigestProcessingFilter

public DigestProcessingFilter()
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception
Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
java.lang.Exception

destroy

public void destroy()
Specified by:
destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
java.io.IOException
javax.servlet.ServletException

encodePasswordInA1Format

public static java.lang.String encodePasswordInA1Format(java.lang.String username,
                                                        java.lang.String realm,
                                                        java.lang.String password)

generateDigest

public static java.lang.String generateDigest(boolean passwordAlreadyEncoded,
                                              java.lang.String username,
                                              java.lang.String realm,
                                              java.lang.String password,
                                              java.lang.String httpMethod,
                                              java.lang.String uri,
                                              java.lang.String qop,
                                              java.lang.String nonce,
                                              java.lang.String nc,
                                              java.lang.String cnonce)
                                       throws java.lang.IllegalArgumentException
Computes the response portion of a Digest authentication header. Both the server and user agent should compute the response independently. Provided as a static method to simplify the coding of user agents.

Parameters:
passwordAlreadyEncoded - true if the password argument is already encoded in the correct format. False if it is plain text.
username - the user's login name.
realm - the name of the realm.
password - the user's password in plaintext or ready-encoded.
httpMethod - the HTTP request method (GET, POST etc.)
uri - the request URI.
qop - the qop directive, or null if not set.
nonce - the nonce supplied by the server.
nc - the "nonce-count" as defined in RFC 2617.
cnonce - opaque string supplied by the client when qop is set.
Returns:
the MD5 of the digest authentication response, encoded in hex
Throws:
java.lang.IllegalArgumentException - if the supplied qop value is unsupported.
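As an added example (not Acegi's own code), the RFC 2617 arithmetic that generateDigest carries out, with the A1 hash split out the way the passwordAlreadyEncoded flag and encodePasswordInA1Format imply: A1 = MD5(username:realm:password), so a server that stores only that hash is bound to its realm name. The class and helper names are this example's own, it assumes UTF-8 for the hashed strings, and it uses the inputs of the worked example in RFC 2617 section 3.5 so the printed response can be compared against the value given there.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper class, not part of Acegi Security.
public class DigestResponseExample {

    // Lower-case hex MD5 of a string (UTF-8 assumed for this example).
    static String md5Hex(String data) {
        try {
            byte[] d = MessageDigest.getInstance("MD5")
                    .digest(data.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) sb.append(String.format("%02x", b & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // A1 per RFC 2617: what a server keeps when passwordAlreadyEncoded=true.
    // It includes the realm, so renaming the realm invalidates stored A1s.
    static String a1(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    // The "response" directive. qop==null is the RFC 2069 form;
    // only qop=auth is handled, any other value is rejected.
    static String response(String ha1, String method, String uri, String qop,
                           String nonce, String nc, String cnonce) {
        String ha2 = md5Hex(method + ":" + uri);            // A2 for auth / RFC 2069
        if (qop == null) {
            return md5Hex(ha1 + ":" + nonce + ":" + ha2);     // RFC 2069
        }
        if (!"auth".equals(qop)) {
            throw new IllegalArgumentException("unsupported qop: " + qop);
        }
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    public static void main(String[] args) {
        // Inputs taken from the worked example in RFC 2617 section 3.5.
        String ha1 = a1("Mufasa", "testrealm@host.com", "Circle Of Life");
        String resp = response(ha1, "GET", "/dir/index.html", "auth",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b");
        System.out.println("response=" + resp);
    }
}
```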

getAuthenticationEntryPoint

public DigestProcessingFilterEntryPoint getAuthenticationEntryPoint()

getUserCache

public UserCache getUserCache()

getUserDetailsService

public UserDetailsService getUserDetailsService()

init

public void init(javax.servlet.FilterConfig ignored)
          throws javax.servlet.ServletException
Specified by:
init in interface javax.servlet.Filter
Throws:
javax.servlet.ServletException

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setAuthenticationEntryPoint

public void setAuthenticationEntryPoint(DigestProcessingFilterEntryPoint authenticationEntryPoint)

setMessageSource

public void setMessageSource(org.springframework.context.MessageSource messageSource)
Specified by:
setMessageSource in interface org.springframework.context.MessageSourceAware

setPasswordAlreadyEncoded

public void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)

setUserCache

public void setUserCache(UserCache userCache)

setUserDetailsService

public void setUserDetailsService(UserDetailsService userDetailsService)


Copyright © 2004-2012 Interface21, Inc. All Rights Reserved.