Overview Package Class Use Tree Deprecated Index Help

Prev Class Next Class Frames NoFrames All Classes

Summary: Nested Field Constr Method Detail: Field Constr Method

Brazil 2.3

sunlabs.brazil.handler

Class DigestAuthHandler

public class DigestAuthHandler extends Object implements Handler

Perform digest authentication. This is a minimal implementation of RFC 2617 The "optional" qos parameter is required by IE (only qop="auth" is supported). The "password" file is read at startup time, either as a resource or from the file system, and may contain either plain text or digested passwords (see main() below to digest passwords).

Future enhancements

Sample auth request header 
  
 WWW-Authenticate: Digest
    realm="myrealm",
    qop="auth",					[req'd for IE]
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41",	[optional]
    domain="/foo"					[optional]
Sample client return header 
  Authorization: Digest
    username="name",
    realm="foo@bar",
    nonce="mynonce10",
    uri="/da.html",
    response="d58f3f9fa7554da651d3f1901d22ea04",
    qop=auth,
    nc=00000001,
    cnonce="b6ac242cb324c38a"

 response algorithm:
 
 A1 = md5(user:realm:pass)
 A2 = md5(method:uri)
 response=md5(A1:nonce:nonceCount:cnonce:qop:A2)
 - all MD5's are represented as hex: [0-9a-f]
 - all quotes (") are removed before digesting
prefix, suffix, glob, match
Specify which url's this handler applies to.
realm
The string presented to the user for validation. This must also match any "digested" passwords.
credentials
A java-properties format file of credentials. The keys are the users, the values are either the "A1" values described above, or the user's password.
isDynamic
If set (to anything), when authentication for a user is requested that is not in the credentials table and the credentials table has changed since last read, the table is re-read, in case the user has been added since the credentials were loaded.
allowBogusIE
Internet Explorer does not use the query parameters as part of the "uri" calculation. This is a bug (and a security risk, as it allows replay attacts to other than the url requested). If this variable is set, then it allows IE to work in this case.
username
If the user was validated, this field is filled out by the handler.
Method Summary
static StringcomputeA1(String user, String realm, String pass)
Compute the A1 parameter as per the RFC.
static StringcomputeA2(String method, String uri)
Compute the A2 parameter as per the RFC.
static StringcomputeResponse(String A1, String A2, String nonce, String nc, String cnonce, String qop)
Compute the expected client response attribute value.
static PropertiesextractAuth(String header)
Parse an auth header, placing the results into a Properties object.
static StringgenResponseHeader(String request, String user, String pass, String method, String uri, String nc, String cnonce)
Given the "WWW-Authenticate" header value and additional client info, generate the value of the "Authorization" header.
booleaninit(Server server, String propsPrefix)
static booleanisMd5Digest(String s)
See if a string is a valid md5 digest.
static voidmain(String[] args)
Convert a "plain text" password file into a digested one.
static Stringmd5Digest(String s)
Compute the md5 digest of a string, returning the digest as a hex string.
booleanrespond(Request request)
static booleanresponseOk(String A1, String method, Properties h)
Check the digest response string.

Method Detail

computeA1

public static String computeA1(String user, String realm, String pass)
Compute the A1 parameter as per the RFC.

computeA2

public static String computeA2(String method, String uri)
Compute the A2 parameter as per the RFC.

computeResponse

public static String computeResponse(String A1, String A2, String nonce, String nc, String cnonce, String qop)
Compute the expected client response attribute value.

extractAuth

public static Properties extractAuth(String header)
Parse an auth header, placing the results into a Properties object. Format is: Digest key=value, key=value, ... values may be in "'s.

genResponseHeader

public static String genResponseHeader(String request, String user, String pass, String method, String uri, String nc, String cnonce)
Given the "WWW-Authenticate" header value and additional client info, generate the value of the "Authorization" header. The "request" should contain "realm", "nonce", "qop" and optionally "opaque". This is a convenience method for clients to use to athenticate to this server implementation.

Parameters: request The string value of the "WWW-Authenticate" header from the server user The userid pass The password associated with this user method "GET", "POST", etc. uri The requested url (e.g. "/index.html") nc The "nonce count", or number of times the client has used The "nonce" presented by the server (e.g. "0000001"). cnonce An opaque value provided by the client

init

public boolean init(Server server, String propsPrefix)

isMd5Digest

public static boolean isMd5Digest(String s)
See if a string is a valid md5 digest.

main

public static void main(String[] args)
Convert a "plain text" password file into a digested one. Any existing digests are left alone. 
 Usage: DigestAuthHandler [realm]
The stdin, in Properties format, is emitted on stdout with all plain-text passwords digested. If an entry is already digested, it is left alone.

Note, this handler will except either plaintext or digested passwords in the credentials file.

md5Digest

public static String md5Digest(String s)
Compute the md5 digest of a string, returning the digest as a hex string.

respond

public boolean respond(Request request)

responseOk

public static boolean responseOk(String A1, String method, Properties h)
Check the digest response string.

Parameters: A1 The "A1" hash from the RFC method The http request method. h Properties containing all the name=value options from the http authentiation header field (see extractAuth).

Overview Package Class Use Tree Deprecated Index Help

Prev Class Next Class Frames NoFrames All Classes

Summary: Nested Field Constr Method Detail: Field Constr Method

Brazil 2.3