Package org.jboss.security.auth.callback
Class RFC2617Digest
- java.lang.Object
-
- org.jboss.security.auth.callback.RFC2617Digest
-
- All Implemented Interfaces:
DigestCallback
public class RFC2617Digest extends Object implements DigestCallback
An implementation of the DigestCallback that support the http digest auth as described in RFC2617 (http://www.ietf.org/rfc/rfc2617.txt). 3.2.2.1 Request-Digest If the "qop" value is "auth" or "auth-int": request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" H(A2) ) <"> If the "qop" directive is not present (this construction is for compatibility with RFC 2069): request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <"> See below for the definitions for A1 and A2. 3.2.2.2 A1 If the "algorithm" directive's value is "MD5" or is unspecified, then A1 is: A1 = unq(username-value) ":" unq(realm-value) ":" passwd where passwd = < user's password > If the "algorithm" directive's value is "MD5-sess", then A1 is calculated only once - on the first request by the client following receipt of a WWW-Authenticate challenge from the server. It uses the server nonce from that challenge, and the first client nonce value to construct A1 as follows: A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value) This creates a 'session key' for the authentication of subsequent requests and responses which is different for each "authentication session", thus limiting the amount of material hashed with any one key. (Note: see further discussion of the authentication session in section 3.3.) Because the server need only use the hash of the user credentials in order to create the A1 value, this construction could be used in conjunction with a third party authentication service so that the web server would not need the actual password value. The specification of such a protocol is beyond the scope of this specification. 3.2.2.3 A2 If the "qop" directive's value is "auth" or is unspecified, then A2 is: A2 = Method ":" digest-uri-value If the "qop" value is "auth-int", then A2 is: A2 = Method ":" digest-uri-value ":" H(entity-body) 3.2.2.4 Directive values and quoted-string Note that the value of many of the directives, such as "username- value", are defined as a "quoted-string". However, the "unq" notation indicates that surrounding quotation marks are removed in forming the string A1. Thus if the Authorization header includes the fields username="Mufasa", realm=myhost@testrealm.com and the user Mufasa has password "Circle Of Life" then H(A1) would be H(Mufasa:myhost@testrealm.com:Circle Of Life) with no quotation marks in the digested string. No white space is allowed in any of the strings to which the digest function H() is applied unless that white space exists in the quoted strings or entity body whose contents make up the string to be digested. For example, the string A1 illustrated above must be Mufasa:myhost@testrealm.com:Circle Of Life with no white space on either side of the colons, but with the white space between the words used in the password value. Likewise, the other strings digested by H() must not have white space on either side of the colons which delimit their fields unless that white space was in the quoted strings or entity body being digested. Also note that if integrity protection is applied (qop=auth-int), the H(entity-body) is the hash of the entity body, not the message body - it is computed before any transfer encoding is applied by the sender and after it has been removed by the recipient. Note that this includes multipart boundaries and embedded headers in each part of any multipart content-type.- Author:
- Scott.Stark@jboss.org
-
-
Field Summary
Fields Modifier and Type Field Description static String
A2HASH
An explicit A2 digeststatic String
ALGORITHM
A string indicating a pair of algorithms used to produce the digest and a checksum.static String
AUTH_PARAM
This directive allows for future extensions.static String
CNONCE
This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field.static String
DIGEST_URI
The URI from Request-URI of the Request-Line; duplicated here because proxies are allowed to change the Request-Line in transit.static String
METHOD
The http method typestatic String
NONCE
A server-specified data string which MUST be different each time a digest-challenge is sent as part of initial authentication.static String
NONCE_COUNT
This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field.static String
QOP
Indicates what "quality of protection" the client has applied to the message.static String
REALM
String which can enable users to know which username and password to use, in case they might have different ones for different servers.static String
USERNAME
The user's name in the specified realm.
-
Constructor Summary
Constructors Constructor Description RFC2617Digest()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description String
getInfoDigest(MessageDigest digest)
void
init(Map options)
Pass through access to the login module options.static void
main(String[] args)
Compute thevoid
postDigest(MessageDigest digest)
Post-hash callout afer the password has been added to allow for content after the password has been added.void
preDigest(MessageDigest digest)
Pre-hash callout to allow for content before the password.
-
-
-
Field Detail
-
REALM
public static final String REALM
String which can enable users to know which username and password to use, in case they might have different ones for different servers.- See Also:
- Constant Field Values
-
USERNAME
public static final String USERNAME
The user's name in the specified realm.- See Also:
- Constant Field Values
-
DIGEST_URI
public static final String DIGEST_URI
The URI from Request-URI of the Request-Line; duplicated here because proxies are allowed to change the Request-Line in transit.- See Also:
- Constant Field Values
-
NONCE
public static final String NONCE
A server-specified data string which MUST be different each time a digest-challenge is sent as part of initial authentication. It is recommended that this string be base64 or hexadecimal data. Note that since the string is passed as a quoted string, the double-quote character is not allowed unless escaped (see section 7.2). The contents of the nonce are implementation dependent. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy. The nonce is opaque to the client. This directive is required and MUST appear exactly once; if not present, or if multiple instances are present, the client should abort the authentication exchange.- See Also:
- Constant Field Values
-
CNONCE
public static final String CNONCE
This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, to provide mutual authentication, and to provide some message integrity protection. See the descriptions below of the calculation of the response- digest and request-digest values.- See Also:
- Constant Field Values
-
NONCE_COUNT
public static final String NONCE_COUNT
This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. For example, in the first request sent in response to a given nonce value, the client sends "nc=00000001". The purpose of this directive is to allow the server to detect request replays by maintaining its own copy of this count - if the same nc-value is seen twice, then the request is a replay. See the description below of the construction of the request-digest value.- See Also:
- Constant Field Values
-
QOP
public static final String QOP
Indicates what "quality of protection" the client has applied to the message. If present, its value MUST be one of the alternatives the server indicated it supports in the WWW-Authenticate header. These values affect the computation of the request-digest. Note that this is a single token, not a quoted list of alternatives as in WWW- Authenticate. This directive is optional in order to preserve backward compatibility with a minimal implementation of RFC 2069 [6], but SHOULD be used if the server indicated that qop is supported by providing a qop directive in the WWW-Authenticate header field.- See Also:
- Constant Field Values
-
ALGORITHM
public static final String ALGORITHM
A string indicating a pair of algorithms used to produce the digest and a checksum. If this is not present it is assumed to be "MD5". If the algorithm is not understood, the challenge should be ignored (and a different one used, if there is more than one). In this document the string obtained by applying the digest algorithm to the data "data" with secret "secret" will be denoted by KD(secret, data), and the string obtained by applying the checksum algorithm to the data "data" will be denoted H(data). The notation unq(X) means the value of the quoted-string X without the surrounding quotes.- See Also:
- Constant Field Values
-
AUTH_PARAM
public static final String AUTH_PARAM
This directive allows for future extensions. Any unrecognized directive MUST be ignored.- See Also:
- Constant Field Values
-
METHOD
public static final String METHOD
The http method type- See Also:
- Constant Field Values
-
A2HASH
public static final String A2HASH
An explicit A2 digest- See Also:
- Constant Field Values
-
-
Method Detail
-
init
public void init(Map options)
Description copied from interface:DigestCallback
Pass through access to the login module options. When coming from a login module this includes the following keys: javax.security.auth.login.name - for the username javax.security.auth.login.password - for the String password- Specified by:
init
in interfaceDigestCallback
-
preDigest
public void preDigest(MessageDigest digest)
Description copied from interface:DigestCallback
Pre-hash callout to allow for content before the password. Any content should be added using the MessageDigest update methods.- Specified by:
preDigest
in interfaceDigestCallback
- Parameters:
digest
- - the security digest being used for the one-way hash
-
postDigest
public void postDigest(MessageDigest digest)
Description copied from interface:DigestCallback
Post-hash callout afer the password has been added to allow for content after the password has been added. Any content should be added using the MessageDigest update methods.- Specified by:
postDigest
in interfaceDigestCallback
- Parameters:
digest
- - the security digest being used for the one-way hash
-
getInfoDigest
public String getInfoDigest(MessageDigest digest)
-
main
public static void main(String[] args) throws NoSuchAlgorithmException
Compute the- Parameters:
args
-- Throws:
NoSuchAlgorithmException
-
-