|
Glassfish example source code file (DigestAuthenticator.java)
The Glassfish DigestAuthenticator.java source code/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved. * * The contents of this file are subject to the terms of either the GNU * General Public License Version 2 only ("GPL") or the Common Development * and Distribution License("CDDL") (collectively, the "License"). You * may not use this file except in compliance with the License. You can * obtain a copy of the License at * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html * or packager/legal/LICENSE.txt. See the License for the specific * language governing permissions and limitations under the License. * * When distributing the software, include this License Header Notice in each * file and include the License file at packager/legal/LICENSE.txt. * * GPL Classpath Exception: * Oracle designates this particular file as subject to the "Classpath" * exception as provided by Oracle in the GPL Version 2 section of the License * file that accompanied this code. * * Modifications: * If applicable, add the following below the License Header, with the fields * enclosed by brackets [] replaced by your own identifying information: * "Portions Copyright [year] [name of copyright owner]" * * Contributor(s): * If you wish your version of this file to be governed by only the CDDL or * only the GPL Version 2, indicate your decision by adding "[Contributor] * elects to include this software in this distribution under the [CDDL or GPL * Version 2] license." If you don't indicate a single choice of license, a * recipient has the option to distribute your version of this file under * either the CDDL, the GPL Version 2 or to extend the choice of license to * its licensees as provided above. However, if you add GPL Version 2 code * and therefore, elected the GPL Version 2 license, then the option applies * only if the new code is made subject to such option by the copyright * holder. * * * This file incorporates work covered by the following copyright and * permission notice: * * Copyright 2004 The Apache Software Foundation * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.catalina.authenticator; import org.apache.catalina.HttpRequest; import org.apache.catalina.HttpResponse; import org.apache.catalina.Realm; import org.apache.catalina.deploy.LoginConfig; import org.apache.catalina.util.DigestEncoder; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.util.Hashtable; import java.util.StringTokenizer; /** * An <b>Authenticator and Valve implementation of HTTP DIGEST * Authentication (see RFC 2069). * * @author Craig R. McClanahan * @author Remy Maucherat * @version $Revision: 1.6 $ $Date: 2007/04/17 21:33:22 $ */ public class DigestAuthenticator extends AuthenticatorBase { // -------------------------------------------------------------- Constants /** * Indicates that no once tokens are used only once. */ protected static final int USE_ONCE = 1; /** * Indicates that no once tokens are used only once. */ protected static final int USE_NEVER_EXPIRES = Integer.MAX_VALUE; /** * Indicates that no once tokens are used only once. */ protected static final int TIMEOUT_INFINITE = Integer.MAX_VALUE; /** * The MD5 helper object for this class. */ protected static final DigestEncoder digestEncoder = new DigestEncoder(); /** * Descriptive information about this implementation. */ protected static final String info = "org.apache.catalina.authenticator.DigestAuthenticator/1.0"; /** * The default message digest algorithm to use if we cannot use * the requested one. */ protected static final String DEFAULT_ALGORITHM = "MD5"; // ----------------------------------------------------------- Constructors public DigestAuthenticator() { super(); } // ----------------------------------------------------- Static Variables /** * The message digest algorithm to be used when generating session * identifiers. This must be an algorithm supported by the * <code>java.security.MessageDigest class on your platform. */ protected static volatile String algorithm = DEFAULT_ALGORITHM; /** * MD5 message digest provider. */ protected volatile static MessageDigest messageDigest; // ----------------------------------------------------- Instance Variables /** * No once hashtable. */ protected Hashtable nOnceTokens = new Hashtable(); /** * No once expiration (in millisecond). A shorter amount would mean a * better security level (since the token is generated more often), but at * the expense of a bigger server overhead. */ protected long nOnceTimeout = TIMEOUT_INFINITE; /** * No once expiration after a specified number of uses. A lower number * would produce more overhead, since a token would have to be generated * more often, but would be more secure. */ protected int nOnceUses = USE_ONCE; /** * Private key. */ protected String key = "Catalina"; // ------------------------------------------------------------- Properties /** * Return the message digest algorithm for this Manager. */ public static String getAlgorithm() { return algorithm; } /** * Set the message digest algorithm for this Manager. * * @param algorithm The new message digest algorithm */ public static synchronized void setAlgorithm(String alg) { algorithm = alg; // reset the messageDigest messageDigest = null; } /** * Return descriptive information about this Valve implementation. */ public String getInfo() { return (info); } // --------------------------------------------------------- Public Methods /** * Authenticate the user making this request, based on the specified * login configuration. Return <code>true if any specified * constraint has been satisfied, or <code>false if we have * created a response challenge already. * * @param request Request we are processing * @param response Response we are creating * @param config Login configuration describing how authentication * should be performed * * @exception IOException if an input/output error occurs */ public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException { // Have we already authenticated someone? Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal(); if (principal != null) return (true); // Validate any credentials already included with this request HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpServletResponse hres = (HttpServletResponse) response.getResponse(); String authorization = request.getAuthorization(); if (authorization != null) { principal = context.getRealm().authenticate(hreq); if (principal != null) { String username = parseUsername(authorization); register(request, response, principal, Constants.DIGEST_METHOD, username, null); String ssoId = (String) request.getNote( Constants.REQ_SSOID_NOTE); if (ssoId != null) { getSession(request, true); } return (true); } } // Send an "unauthorized" response and an appropriate challenge // Next, generate a nOnce token (that is a token which is supposed // to be unique). String nOnce = generateNOnce(hreq); setAuthenticateHeader(hreq, hres, config, nOnce); hres.sendError(HttpServletResponse.SC_UNAUTHORIZED); // hres.flushBuffer(); return (false); } // ------------------------------------------------------ Protected Methods /** * Parse the specified authorization credentials, and return the * associated Principal that these credentials authenticate (if any) * from the specified Realm. If there is no such Principal, return * <code>null. * * @param request HTTP servlet request * @param authorization Authorization credentials from this request * @param realm Realm used to authenticate Principals */ protected static Principal findPrincipal(HttpServletRequest request, String authorization, Realm realm) { //System.out.println("Authorization token : " + authorization); // Validate the authorization credentials format if (authorization == null) return (null); if (!authorization.startsWith("Digest ")) return (null); authorization = authorization.substring(7).trim(); StringTokenizer commaTokenizer = new StringTokenizer(authorization, ","); String userName = null; String realmName = null; String nOnce = null; String nc = null; String cnonce = null; String qop = null; String uri = null; String response = null; String opaque = null; String method = request.getMethod(); while (commaTokenizer.hasMoreTokens()) { String currentToken = commaTokenizer.nextToken(); int equalSign = currentToken.indexOf('='); if (equalSign < 0) return null; String currentTokenName = currentToken.substring(0, equalSign).trim(); String currentTokenValue = currentToken.substring(equalSign + 1).trim(); if ("username".equals(currentTokenName)) userName = removeQuotes(currentTokenValue); if ("realm".equals(currentTokenName)) realmName = removeQuotes(currentTokenValue, true); if ("nonce".equals(currentTokenName)) nOnce = removeQuotes(currentTokenValue); if ("nc".equals(currentTokenName)) nc = currentTokenValue; if ("cnonce".equals(currentTokenName)) cnonce = removeQuotes(currentTokenValue); if ("qop".equals(currentTokenName)) qop = removeQuotes(currentTokenValue); if ("uri".equals(currentTokenName)) uri = removeQuotes(currentTokenValue); if ("response".equals(currentTokenName)) response = removeQuotes(currentTokenValue); } if ( (userName == null) || (realmName == null) || (nOnce == null) || (uri == null) || (response == null) ) return null; // Second MD5 digest used to calculate the digest : // MD5(Method + ":" + uri) String a2 = method + ":" + uri; //System.out.println("A2:" + a2); byte[] buffer = digest(a2.getBytes()); char[] md5a2 = digestEncoder.encode(buffer); char[] responseCharArray = ((response != null) ? response.toCharArray() : null); return (realm.authenticate(userName, responseCharArray, nOnce, nc, cnonce, qop, realmName, md5a2)); } /** * Parse the username from the specified authorization string. If none * can be identified, return <code>null * * @param authorization Authorization string to be parsed */ protected String parseUsername(String authorization) { //System.out.println("Authorization token : " + authorization); // Validate the authorization credentials format if (authorization == null) return (null); if (!authorization.startsWith("Digest ")) return (null); authorization = authorization.substring(7).trim(); StringTokenizer commaTokenizer = new StringTokenizer(authorization, ","); while (commaTokenizer.hasMoreTokens()) { String currentToken = commaTokenizer.nextToken(); int equalSign = currentToken.indexOf('='); if (equalSign < 0) return null; String currentTokenName = currentToken.substring(0, equalSign).trim(); String currentTokenValue = currentToken.substring(equalSign + 1).trim(); if ("username".equals(currentTokenName)) return (removeQuotes(currentTokenValue)); } return (null); } /** * Removes the quotes on a string. */ protected static String removeQuotes(String quotedString, boolean quotesRequired) { //support both quoted and non-quoted if (quotedString.length() > 0 && quotedString.charAt(0) != '"' && !quotesRequired) { return quotedString; } else if (quotedString.length() > 2) { return quotedString.substring(1, quotedString.length() - 1); } else { return new String(); } } /** * Removes the quotes on a string. */ protected static String removeQuotes(String quotedString) { return removeQuotes(quotedString, false); } /** * Generate a unique token. The token is generated according to the * following pattern. NOnceToken = Base64 ( MD5 ( client-IP ":" * time-stamp ":" private-key ) ). * * @param request HTTP Servlet request */ protected String generateNOnce(HttpServletRequest request) { long currentTime = System.currentTimeMillis(); String nOnceValue = request.getRemoteAddr() + ":" + currentTime + ":" + key; byte[] buffer = digest(nOnceValue.getBytes()); nOnceValue = String.valueOf(digestEncoder.encode(buffer)); // Updating the value in the no once hashtable nOnceTokens.put(nOnceValue, Long.valueOf(currentTime + nOnceTimeout)); return nOnceValue; } /** * Generates the WWW-Authenticate header. * <p> * The header MUST follow this template : * <pre> * WWW-Authenticate = "WWW-Authenticate" ":" "Digest" * digest-challenge * * digest-challenge = 1#( realm | [ domain ] | nOnce | * [ digest-opaque ] |[ stale ] | [ algorithm ] ) * * realm = "realm" "=" realm-value * realm-value = quoted-string * domain = "domain" "=" <"> 1#URI <"> * nonce = "nonce" "=" nonce-value * nonce-value = quoted-string * opaque = "opaque" "=" quoted-string * stale = "stale" "=" ( "true" | "false" ) * algorithm = "algorithm" "=" ( "MD5" | token ) * </pre> * * @param request HTTP Servlet request * @param response HTTP Servlet response * @param config Login configuration describing how authentication * should be performed * @param nOnce nonce token */ protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, LoginConfig config, String nOnce) { // Get the realm name String realmName = config.getRealmName(); if (realmName == null) realmName = REALM_NAME; byte[] buffer = digest(nOnce.getBytes()); String authenticateHeader = "Digest realm=\"" + realmName + "\", " + "qop=\"auth\", nonce=\"" + nOnce + "\", " + "opaque=\"" + String.valueOf(digestEncoder.encode(buffer)) + "\""; response.setHeader("WWW-Authenticate", authenticateHeader); } protected static synchronized MessageDigest getMessageDigest() { if (messageDigest == null) { try { messageDigest = MessageDigest.getInstance(algorithm); } catch(NoSuchAlgorithmException e) { throw new IllegalStateException( algorithm + " digest algorithm not available", e); } } return messageDigest; } protected static byte[] digest(byte[] data) { byte[] buffer = null; MessageDigest md = getMessageDigest(); synchronized(md) { buffer = md.digest(data); } return buffer; } } Other Glassfish examples (source code examples)Here is a short list of links related to this Glassfish DigestAuthenticator.java source code file: |
... this post is sponsored by my books ... | |
#1 New Release! |
FP Best Seller |
Copyright 1998-2021 Alvin Alexander, alvinalexander.com
All Rights Reserved.
A percentage of advertising revenue from
pages under the /java/jwarehouse
URI on this website is
paid back to open source projects.