Package org.eclipse.jetty.security.authentication

Class DigestAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.security.authentication.DigestAuthenticator

All Implemented Interfaces:

Authenticator

public class DigestAuthenticator
extends LoginAuthenticator

The nonce max age in ms can be set with the SecurityHandler.setInitParameter(String, String) using the name "maxNonceAge". The nonce max count can be set with SecurityHandler.setInitParameter(String, String) using the name "maxNonceCount". When the age or count is exceeded, the nonce is considered stale.

Nested Class Summary

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator

Authenticator.AuthConfiguration, Authenticator.Factory

Field Summary

Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

_identityService, _loginService

Constructor Summary

Constructors

Constructor	Description
DigestAuthenticator()

Method Summary

Modifier and Type	Method	Description
String	getAuthMethod()
long	getMaxNonceAge()
int	getMaxNonceCount()
UserIdentity	login(String username, Object credentials, javax.servlet.ServletRequest request)	If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
String	newNonce(Request request)
boolean	secureResponse(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser)	is response secure
void	setConfiguration(Authenticator.AuthConfiguration configuration)	Configure the Authenticator
void	setMaxNonceAge(long maxNonceAgeInMillis)
void	setMaxNonceCount(int maxNC)
Authentication	validateRequest(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, boolean mandatory)	Validate a request

Methods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

getLoginService, logout, prepareRequest, renewSession

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

DigestAuthenticator

public DigestAuthenticator()

Method Details

setConfiguration

public void setConfiguration(Authenticator.AuthConfiguration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

configuration - the configuration

getMaxNonceCount

public int getMaxNonceCount()

setMaxNonceCount

public void setMaxNonceCount(int maxNC)

getMaxNonceAge

public long getMaxNonceAge()

setMaxNonceAge

public void setMaxNonceAge(long maxNonceAgeInMillis)

getAuthMethod

public String getAuthMethod()

Returns:

The name of the authentication method

secureResponse

public boolean secureResponse(javax.servlet.ServletRequest req,
 javax.servlet.ServletResponse res,
 boolean mandatory,
 Authentication.User validatedUser)
                       throws ServerAuthException

Description copied from interface: Authenticator

is response secure

Parameters:

req - the request

res - the response

mandatory - if security is mandator

validatedUser - the user that was validated

Returns:

true if response is secure

Throws:

ServerAuthException - if unable to test response

validateRequest

public Authentication validateRequest(javax.servlet.ServletRequest req,
 javax.servlet.ServletResponse res,
 boolean mandatory)
                               throws ServerAuthException

Description copied from interface: Authenticator

Validate a request

Parameters:

req - The request

res - The response

mandatory - True if authentication is mandatory.

Returns:

An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.

Throws:

ServerAuthException - if unable to validate request

login

public UserIdentity login(String username,
 Object credentials,
 javax.servlet.ServletRequest request)

Description copied from class: LoginAuthenticator

If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

credentials - the user's credential

request - the inbound request that needs authentication

newNonce

public String newNonce(Request request)