-
DigestScheme
-
LOG: Log
-
HEXADECIMAL: char[]
-
complete: boolean
-
NC: String
-
QOP_MISSING: int
-
QOP_AUTH_INT: int
-
QOP_AUTH: int
-
qopVariant: int
-
cnonce: String
-
formatter: ParameterFormatter
-
DigestScheme(): void
-
getID(): String
-
DigestScheme(String): void
-
processChallenge(String): void
-
isComplete(): boolean
-
getSchemeName(): String
-
isConnectionBased(): boolean
-
authenticate(Credentials, String, String): String
-
authenticate(Credentials, HttpMethod): String
-
createDigest(String, String): String
-
createDigestHeader(String, String): String
-
getQopVariantString(): String
-
encode(byte[]): String
-
createCnonce(): String
-
/*
* $Header: /home/jerenkrantz/tmp/commons/commons-convert/cvs/home/cvs/jakarta-commons//httpclient/src/java/org/apache/commons/httpclient/auth/DigestScheme.java,v 1.22 2004/12/30 11:01:27 oglueck Exp $
* $Revision: 480424 $
* $Date: 2006-11-29 06:56:49 +0100 (Wed, 29 Nov 2006) $
*
* ====================================================================
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.commons.httpclient.auth;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClientError;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.util.EncodingUtil;
import org.apache.commons.httpclient.util.ParameterFormatter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
Digest authentication scheme as defined in RFC 2617.
Both MD5 (default) and MD5-sess are supported.
Currently only qop=auth or no qop is supported. qop=auth-int
is unsupported. If auth and auth-int are provided, auth is
used.
Credential charset is configured via the credential
charset parameter. Since the digest username is included as clear text in the generated Authentication header, the charset of the username must be compatible with the http element
charset.
TODO: make class more stateful regarding repeated authentication requests
Author: Remy Maucherat, Rodney Waldhoff, Jeff Dever, Ortwin Gl?ck, Sean C. Sullivan, Adrian Sutton, Mike Bowler, Oleg Kalnichevski
/**
* <p>
* Digest authentication scheme as defined in RFC 2617.
* Both MD5 (default) and MD5-sess are supported.
* Currently only qop=auth or no qop is supported. qop=auth-int
* is unsupported. If auth and auth-int are provided, auth is
* used.
* </p>
* <p>
* Credential charset is configured via the
* {@link org.apache.commons.httpclient.params.HttpMethodParams#CREDENTIAL_CHARSET credential
* charset} parameter. Since the digest username is included as clear text in the generated
* Authentication header, the charset of the username must be compatible with the
* {@link org.apache.commons.httpclient.params.HttpMethodParams#HTTP_ELEMENT_CHARSET http element
* charset}.
* </p>
* TODO: make class more stateful regarding repeated authentication requests
*
* @author <a href="mailto:remm@apache.org">Remy Maucherat</a>
* @author Rodney Waldhoff
* @author <a href="mailto:jsdever@apache.org">Jeff Dever</a>
* @author Ortwin Gl?ck
* @author Sean C. Sullivan
* @author <a href="mailto:adrian@ephox.com">Adrian Sutton</a>
* @author <a href="mailto:mbowler@GargoyleSoftware.com">Mike Bowler</a>
* @author <a href="mailto:oleg@ural.ru">Oleg Kalnichevski</a>
*/
public class DigestScheme extends RFC2617Scheme {
Log object for this class. /** Log object for this class. */
private static final Log LOG = LogFactory.getLog(DigestScheme.class);
Hexa values used when creating 32 character long digest in HTTP DigestScheme
in case of authentication.
See Also: - encode(byte[])
/**
* Hexa values used when creating 32 character long digest in HTTP DigestScheme
* in case of authentication.
*
* @see #encode(byte[])
*/
private static final char[] HEXADECIMAL = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',
'e', 'f'
};
Whether the digest authentication process is complete /** Whether the digest authentication process is complete */
private boolean complete;
//TODO: supply a real nonce-count, currently a server will interprete a repeated request as a replay
private static final String NC = "00000001"; //nonce-count is always 1
private static final int QOP_MISSING = 0;
private static final int QOP_AUTH_INT = 1;
private static final int QOP_AUTH = 2;
private int qopVariant = QOP_MISSING;
private String cnonce;
private final ParameterFormatter formatter;
Default constructor for the digest authetication scheme.
Since: 3.0
/**
* Default constructor for the digest authetication scheme.
*
* @since 3.0
*/
public DigestScheme() {
super();
this.complete = false;
this.formatter = new ParameterFormatter();
}
Gets an ID based upon the realm and the nonce value. This ensures that requests
to the same realm with different nonce values will succeed. This differentiation
allows servers to request re-authentication using a fresh nonce value.
Deprecated: no longer used
/**
* Gets an ID based upon the realm and the nonce value. This ensures that requests
* to the same realm with different nonce values will succeed. This differentiation
* allows servers to request re-authentication using a fresh nonce value.
*
* @deprecated no longer used
*/
public String getID() {
String id = getRealm();
String nonce = getParameter("nonce");
if (nonce != null) {
id += "-" + nonce;
}
return id;
}
Constructor for the digest authetication scheme.
Params: - challenge – authentication challenge
Throws: - MalformedChallengeException – is thrown if the authentication challenge
is malformed
Deprecated: Use parameterless constructor and AuthScheme.processChallenge(String) method
/**
* Constructor for the digest authetication scheme.
*
* @param challenge authentication challenge
*
* @throws MalformedChallengeException is thrown if the authentication challenge
* is malformed
*
* @deprecated Use parameterless constructor and {@link AuthScheme#processChallenge(String)}
* method
*/
public DigestScheme(final String challenge)
throws MalformedChallengeException {
this();
processChallenge(challenge);
}
Processes the Digest challenge.
Params: - challenge – the challenge string
Throws: - MalformedChallengeException – is thrown if the authentication challenge
is malformed
Since: 3.0
/**
* Processes the Digest challenge.
*
* @param challenge the challenge string
*
* @throws MalformedChallengeException is thrown if the authentication challenge
* is malformed
*
* @since 3.0
*/
public void processChallenge(final String challenge)
throws MalformedChallengeException {
super.processChallenge(challenge);
if (getParameter("realm") == null) {
throw new MalformedChallengeException("missing realm in challange");
}
if (getParameter("nonce") == null) {
throw new MalformedChallengeException("missing nonce in challange");
}
boolean unsupportedQop = false;
// qop parsing
String qop = getParameter("qop");
if (qop != null) {
StringTokenizer tok = new StringTokenizer(qop,",");
while (tok.hasMoreTokens()) {
String variant = tok.nextToken().trim();
if (variant.equals("auth")) {
qopVariant = QOP_AUTH;
break; //that's our favourite, because auth-int is unsupported
} else if (variant.equals("auth-int")) {
qopVariant = QOP_AUTH_INT;
} else {
unsupportedQop = true;
LOG.warn("Unsupported qop detected: "+ variant);
}
}
}
if (unsupportedQop && (qopVariant == QOP_MISSING)) {
throw new MalformedChallengeException("None of the qop methods is supported");
}
cnonce = createCnonce();
this.complete = true;
}
Tests if the Digest authentication process has been completed.
Returns: true if Digest authorization has been processed,
false otherwise. Since: 3.0
/**
* Tests if the Digest authentication process has been completed.
*
* @return <tt>true</tt> if Digest authorization has been processed,
* <tt>false</tt> otherwise.
*
* @since 3.0
*/
public boolean isComplete() {
String s = getParameter("stale");
if ("true".equalsIgnoreCase(s)) {
return false;
} else {
return this.complete;
}
}
Returns textual designation of the digest authentication scheme.
Returns: digest
/**
* Returns textual designation of the digest authentication scheme.
*
* @return <code>digest</code>
*/
public String getSchemeName() {
return "digest";
}
Returns false. Digest authentication scheme is request based.
Returns: false. Since: 3.0
/**
* Returns <tt>false</tt>. Digest authentication scheme is request based.
*
* @return <tt>false</tt>.
*
* @since 3.0
*/
public boolean isConnectionBased() {
return false;
}
Produces a digest authorization string for the given set of Credentials, method name and URI. Params: - credentials – A set of credentials to be used for athentication
- method – the name of the method that requires authorization.
- uri – The URI for which authorization is needed.
Throws: - InvalidCredentialsException – if authentication credentials
are not valid or not applicable for this authentication scheme
- AuthenticationException – if authorization string cannot
be generated due to an authentication failure
See Also: Returns: a digest authorization string Deprecated: Use authenticate(Credentials, HttpMethod)
/**
* Produces a digest authorization string for the given set of
* {@link Credentials}, method name and URI.
*
* @param credentials A set of credentials to be used for athentication
* @param method the name of the method that requires authorization.
* @param uri The URI for which authorization is needed.
*
* @throws InvalidCredentialsException if authentication credentials
* are not valid or not applicable for this authentication scheme
* @throws AuthenticationException if authorization string cannot
* be generated due to an authentication failure
*
* @return a digest authorization string
*
* @see org.apache.commons.httpclient.HttpMethod#getName()
* @see org.apache.commons.httpclient.HttpMethod#getPath()
*
* @deprecated Use {@link #authenticate(Credentials, HttpMethod)}
*/
public String authenticate(Credentials credentials, String method, String uri)
throws AuthenticationException {
LOG.trace("enter DigestScheme.authenticate(Credentials, String, String)");
UsernamePasswordCredentials usernamepassword = null;
try {
usernamepassword = (UsernamePasswordCredentials) credentials;
} catch (ClassCastException e) {
throw new InvalidCredentialsException(
"Credentials cannot be used for digest authentication: "
+ credentials.getClass().getName());
}
getParameters().put("methodname", method);
getParameters().put("uri", uri);
String digest = createDigest(
usernamepassword.getUserName(),
usernamepassword.getPassword());
return "Digest " + createDigestHeader(usernamepassword.getUserName(), digest);
}
Produces a digest authorization string for the given set of Credentials, method name and URI. Params: - credentials – A set of credentials to be used for athentication
- method – The method being authenticated
Throws: - InvalidCredentialsException – if authentication credentials
are not valid or not applicable for this authentication scheme
- AuthenticationException – if authorization string cannot
be generated due to an authentication failure
Returns: a digest authorization string Since: 3.0
/**
* Produces a digest authorization string for the given set of
* {@link Credentials}, method name and URI.
*
* @param credentials A set of credentials to be used for athentication
* @param method The method being authenticated
*
* @throws InvalidCredentialsException if authentication credentials
* are not valid or not applicable for this authentication scheme
* @throws AuthenticationException if authorization string cannot
* be generated due to an authentication failure
*
* @return a digest authorization string
*
* @since 3.0
*/
public String authenticate(Credentials credentials, HttpMethod method)
throws AuthenticationException {
LOG.trace("enter DigestScheme.authenticate(Credentials, HttpMethod)");
UsernamePasswordCredentials usernamepassword = null;
try {
usernamepassword = (UsernamePasswordCredentials) credentials;
} catch (ClassCastException e) {
throw new InvalidCredentialsException(
"Credentials cannot be used for digest authentication: "
+ credentials.getClass().getName());
}
getParameters().put("methodname", method.getName());
StringBuffer buffer = new StringBuffer(method.getPath());
String query = method.getQueryString();
if (query != null) {
if (query.indexOf("?") != 0) {
buffer.append("?");
}
buffer.append(method.getQueryString());
}
getParameters().put("uri", buffer.toString());
String charset = getParameter("charset");
if (charset == null) {
getParameters().put("charset", method.getParams().getCredentialCharset());
}
String digest = createDigest(
usernamepassword.getUserName(),
usernamepassword.getPassword());
return "Digest " + createDigestHeader(usernamepassword.getUserName(),
digest);
}
Creates an MD5 response digest.
Params: - uname – Username
- pwd – Password
- charset – The credential charset
Throws: - AuthenticationException – when MD5 is an unsupported algorithm
Returns: The created digest as string. This will be the response tag's
value in the Authentication HTTP header.
/**
* Creates an MD5 response digest.
*
* @param uname Username
* @param pwd Password
* @param charset The credential charset
*
* @return The created digest as string. This will be the response tag's
* value in the Authentication HTTP header.
* @throws AuthenticationException when MD5 is an unsupported algorithm
*/
private String createDigest(final String uname, final String pwd) throws AuthenticationException {
LOG.trace("enter DigestScheme.createDigest(String, String, Map)");
final String digAlg = "MD5";
// Collecting required tokens
String uri = getParameter("uri");
String realm = getParameter("realm");
String nonce = getParameter("nonce");
String qop = getParameter("qop");
String method = getParameter("methodname");
String algorithm = getParameter("algorithm");
// If an algorithm is not specified, default to MD5.
if (algorithm == null) {
algorithm = "MD5";
}
// If an charset is not specified, default to ISO-8859-1.
String charset = getParameter("charset");
if (charset == null) {
charset = "ISO-8859-1";
}
if (qopVariant == QOP_AUTH_INT) {
LOG.warn("qop=auth-int is not supported");
throw new AuthenticationException(
"Unsupported qop in HTTP Digest authentication");
}
MessageDigest md5Helper;
try {
md5Helper = MessageDigest.getInstance(digAlg);
} catch (Exception e) {
throw new AuthenticationException(
"Unsupported algorithm in HTTP Digest authentication: "
+ digAlg);
}
// 3.2.2.2: Calculating digest
StringBuffer tmp = new StringBuffer(uname.length() + realm.length() + pwd.length() + 2);
tmp.append(uname);
tmp.append(':');
tmp.append(realm);
tmp.append(':');
tmp.append(pwd);
// unq(username-value) ":" unq(realm-value) ":" passwd
String a1 = tmp.toString();
//a1 is suitable for MD5 algorithm
if(algorithm.equals("MD5-sess")) {
// H( unq(username-value) ":" unq(realm-value) ":" passwd )
// ":" unq(nonce-value)
// ":" unq(cnonce-value)
String tmp2=encode(md5Helper.digest(EncodingUtil.getBytes(a1, charset)));
StringBuffer tmp3 = new StringBuffer(tmp2.length() + nonce.length() + cnonce.length() + 2);
tmp3.append(tmp2);
tmp3.append(':');
tmp3.append(nonce);
tmp3.append(':');
tmp3.append(cnonce);
a1 = tmp3.toString();
} else if(!algorithm.equals("MD5")) {
LOG.warn("Unhandled algorithm " + algorithm + " requested");
}
String md5a1 = encode(md5Helper.digest(EncodingUtil.getBytes(a1, charset)));
String a2 = null;
if (qopVariant == QOP_AUTH_INT) {
LOG.error("Unhandled qop auth-int");
//we do not have access to the entity-body or its hash
//TODO: add Method ":" digest-uri-value ":" H(entity-body)
} else {
a2 = method + ":" + uri;
}
String md5a2 = encode(md5Helper.digest(EncodingUtil.getAsciiBytes(a2)));
// 3.2.2.1
String serverDigestValue;
if (qopVariant == QOP_MISSING) {
LOG.debug("Using null qop method");
StringBuffer tmp2 = new StringBuffer(md5a1.length() + nonce.length() + md5a2.length());
tmp2.append(md5a1);
tmp2.append(':');
tmp2.append(nonce);
tmp2.append(':');
tmp2.append(md5a2);
serverDigestValue = tmp2.toString();
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Using qop method " + qop);
}
String qopOption = getQopVariantString();
StringBuffer tmp2 = new StringBuffer(md5a1.length() + nonce.length()
+ NC.length() + cnonce.length() + qopOption.length() + md5a2.length() + 5);
tmp2.append(md5a1);
tmp2.append(':');
tmp2.append(nonce);
tmp2.append(':');
tmp2.append(NC);
tmp2.append(':');
tmp2.append(cnonce);
tmp2.append(':');
tmp2.append(qopOption);
tmp2.append(':');
tmp2.append(md5a2);
serverDigestValue = tmp2.toString();
}
String serverDigest =
encode(md5Helper.digest(EncodingUtil.getAsciiBytes(serverDigestValue)));
return serverDigest;
}
Creates digest-response header as defined in RFC2617.
Params: - uname – Username
- digest – The response tag's value as String.
Returns: The digest-response as String.
/**
* Creates digest-response header as defined in RFC2617.
*
* @param uname Username
* @param digest The response tag's value as String.
*
* @return The digest-response as String.
*/
private String createDigestHeader(final String uname, final String digest)
throws AuthenticationException {
LOG.trace("enter DigestScheme.createDigestHeader(String, Map, "
+ "String)");
String uri = getParameter("uri");
String realm = getParameter("realm");
String nonce = getParameter("nonce");
String opaque = getParameter("opaque");
String response = digest;
String algorithm = getParameter("algorithm");
List params = new ArrayList(20);
params.add(new NameValuePair("username", uname));
params.add(new NameValuePair("realm", realm));
params.add(new NameValuePair("nonce", nonce));
params.add(new NameValuePair("uri", uri));
params.add(new NameValuePair("response", response));
if (qopVariant != QOP_MISSING) {
params.add(new NameValuePair("qop", getQopVariantString()));
params.add(new NameValuePair("nc", NC));
params.add(new NameValuePair("cnonce", this.cnonce));
}
if (algorithm != null) {
params.add(new NameValuePair("algorithm", algorithm));
}
if (opaque != null) {
params.add(new NameValuePair("opaque", opaque));
}
StringBuffer buffer = new StringBuffer();
for (int i = 0; i < params.size(); i++) {
NameValuePair param = (NameValuePair) params.get(i);
if (i > 0) {
buffer.append(", ");
}
boolean noQuotes = "nc".equals(param.getName()) ||
"qop".equals(param.getName());
this.formatter.setAlwaysUseQuotes(!noQuotes);
this.formatter.format(buffer, param);
}
return buffer.toString();
}
private String getQopVariantString() {
String qopOption;
if (qopVariant == QOP_AUTH_INT) {
qopOption = "auth-int";
} else {
qopOption = "auth";
}
return qopOption;
}
Encodes the 128 bit (16 bytes) MD5 digest into a 32 characters long
String according to RFC 2617.
Params: - binaryData – array containing the digest
Returns: encoded MD5, or null if encoding failed
/**
* Encodes the 128 bit (16 bytes) MD5 digest into a 32 characters long
* <CODE>String</CODE> according to RFC 2617.
*
* @param binaryData array containing the digest
* @return encoded MD5, or <CODE>null</CODE> if encoding failed
*/
private static String encode(byte[] binaryData) {
LOG.trace("enter DigestScheme.encode(byte[])");
if (binaryData.length != 16) {
return null;
}
char[] buffer = new char[32];
for (int i = 0; i < 16; i++) {
int low = (int) (binaryData[i] & 0x0f);
int high = (int) ((binaryData[i] & 0xf0) >> 4);
buffer[i * 2] = HEXADECIMAL[high];
buffer[(i * 2) + 1] = HEXADECIMAL[low];
}
return new String(buffer);
}
Creates a random cnonce value based on the current time.
Throws: - HttpClientError – if MD5 algorithm is not supported.
Returns: The cnonce value as String.
/**
* Creates a random cnonce value based on the current time.
*
* @return The cnonce value as String.
* @throws HttpClientError if MD5 algorithm is not supported.
*/
public static String createCnonce() {
LOG.trace("enter DigestScheme.createCnonce()");
String cnonce;
final String digAlg = "MD5";
MessageDigest md5Helper;
try {
md5Helper = MessageDigest.getInstance(digAlg);
} catch (NoSuchAlgorithmException e) {
throw new HttpClientError(
"Unsupported algorithm in HTTP Digest authentication: "
+ digAlg);
}
cnonce = Long.toString(System.currentTimeMillis());
cnonce = encode(md5Helper.digest(EncodingUtil.getAsciiBytes(cnonce)));
return cnonce;
}
}