Package org.eclipse.jetty.security.authentication

Class DigestAuthenticator

    • Field Detail

      • LOG

        private static final Logger LOG

      • _random

        private final java.security.SecureRandom _random

      • _maxNonceAgeMs

        private long _maxNonceAgeMs

      • _maxNC

        private int _maxNC

    • Constructor Detail

      • DigestAuthenticator

        public DigestAuthenticator()

    • Method Detail

      • getMaxNonceCount

        public int getMaxNonceCount()

      • setMaxNonceCount

        public void setMaxNonceCount​(int maxNC)

      • getMaxNonceAge

        public long getMaxNonceAge()

      • setMaxNonceAge

        public void setMaxNonceAge​(long maxNonceAgeInMillis)

      • getAuthMethod

        public java.lang.String getAuthMethod()
        Returns:
        The name of the authentication method

      • secureResponse

        public boolean secureResponse​(javax.servlet.ServletRequest req,
                              javax.servlet.ServletResponse res,
                              boolean mandatory,
                              Authentication.User validatedUser)
                       throws ServerAuthException
        Description copied from interface: Authenticator
        is response secure
        Parameters:
        req - the request
        res - the response
        mandatory - if security is mandator
        validatedUser - the user that was validated
        Returns:
        true if response is secure
        Throws:
        ServerAuthException - if unable to test response

      • validateRequest

        public Authentication validateRequest​(javax.servlet.ServletRequest req,
                                      javax.servlet.ServletResponse res,
                                      boolean mandatory)
                               throws ServerAuthException
        Description copied from interface: Authenticator
        Validate a request
        Parameters:
        req - The request
        res - The response
        mandatory - True if authentication is mandatory.
        Returns:
        An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.
        Throws:
        ServerAuthException - if unable to validate request

      • login

        public UserIdentity login​(java.lang.String username,
                          java.lang.Object credentials,
                          javax.servlet.ServletRequest request)
        Description copied from class: LoginAuthenticator
        If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
        Overrides:
        login in class LoginAuthenticator
        Parameters:
        username - the username of the client to be authenticated
        credentials - the user's credential
        request - the inbound request that needs authentication

      • newNonce

        public java.lang.String newNonce​(Request request)

      • checkNonce

        private int checkNonce​(DigestAuthenticator.Digest digest,
                       Request request)
        Parameters:
        digest - the digest data to check
        request - the request object
        Returns:
        -1 for a bad nonce, 0 for a stale none, 1 for a good nonce