| java.lang.Object
 org.jboss.security.auth.spi.RFC2617Digest
| RFC2617Digest | | public class RFC2617Digest implements DigestCallback(Code) | | An implementation of the DigestCallback that support the http digest auth as
described in RFC2617 (http://www.ietf.org/rfc/rfc2617.txt).
3.2.2.1 Request-Digest
If the "qop" value is "auth" or "auth-int":
request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" nc-value ":"
unq(cnonce-value) ":" unq(qop-value) ":" H(A2) ) <">
If the "qop" directive is not present (this construction is for compatibility
with RFC 2069):
request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
See below for the definitions for A1 and A2.
3.2.2.2 A1
If the "algorithm" directive's value is "MD5" or is unspecified, then A1 is:
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
where
passwd = < user's password >
If the "algorithm" directive's value is "MD5-sess", then A1 is calculated only
once - on the first request by the client following receipt of a
WWW-Authenticate challenge from the server. It uses the server nonce from that
challenge, and the first client nonce value to construct A1 as follows:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd ) ":"
unq(nonce-value) ":" unq(cnonce-value)
This creates a 'session key' for the authentication of subsequent requests and
responses which is different for each "authentication session", thus limiting
the amount of material hashed with any one key. (Note: see further discussion
of the authentication session in section 3.3.) Because the server need only use
the hash of the user credentials in order to create the A1 value, this
construction could be used in conjunction with a third party authentication
service so that the web server would not need the actual password value. The
specification of such a protocol is beyond the scope of this specification.
3.2.2.3 A2
If the "qop" directive's value is "auth" or is unspecified, then A2 is:
A2 = Method ":" digest-uri-value
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value ":" H(entity-body)
3.2.2.4 Directive values and quoted-string
Note that the value of many of the directives, such as "username- value", are
defined as a "quoted-string". However, the "unq" notation indicates that
surrounding quotation marks are removed in forming the string A1. Thus if the
Authorization header includes the fields
username="Mufasa", realm=myhost@testrealm.com
and the user Mufasa has password "Circle Of Life" then H(A1) would be
H(Mufasa:myhost@testrealm.com:Circle Of Life) with no quotation marks in the
digested string.
No white space is allowed in any of the strings to which the digest function H()
is applied unless that white space exists in the quoted strings or entity body
whose contents make up the string to be digested. For example, the string A1
illustrated above must be
Mufasa:myhost@testrealm.com:Circle Of Life
with no white space on either side of the colons, but with the white space
between the words used in the password value. Likewise, the other strings
digested by H() must not have white space on either side of the colons which
delimit their fields unless that white space was in the quoted strings or entity
body being digested.
Also note that if integrity protection is applied (qop=auth-int), the
H(entity-body) is the hash of the entity body, not the message body - it is
computed before any transfer encoding is applied by the sender and after it has
been removed by the recipient. Note that this includes multipart boundaries and
embedded headers in each part of any multipart content-type.
author:
Scott.Stark@jboss.org
version:
$Revision: 57203 $ |
| Field Summary | |
| final public static String | A2HASH
| | final public static String | ALGORITHM
A string indicating a pair of algorithms used to produce the digest
and a checksum. | | final public static String | AUTH_PARAM
This directive allows for future extensions. | | final public static String | CNONCE
This MUST be specified if a qop directive is sent (see above), and MUST NOT
be specified if the server did not send a qop directive in the
WWW-Authenticate header field. | | final public static String | DIGEST_URI
The URI from Request-URI of the Request-Line; duplicated here because proxies
are allowed to change the Request-Line in transit. | | final public static String | METHOD
| | final public static String | NONCE
A server-specified data string which MUST be different each time a
digest-challenge is sent as part of initial authentication. | | final public static String | NONCE_COUNT
This MUST be specified if a qop directive is sent (see above), and MUST NOT
be specified if the server did not send a qop directive in the
WWW-Authenticate header field. | | final public static String | QOP
Indicates what "quality of protection" the client has applied to the message.
If present, its value MUST be one of the alternatives the server indicated it
supports in the WWW-Authenticate header. | | final public static String | REALM
String which can enable users to know which username and password to use, in
case they might have different ones for different servers. | | final public static String | USERNAME
The user's name in the specified realm. | | String | rfc2617
|
| A2HASH | | final public static String A2HASH(Code) | | An explicit A2 digest
|
| ALGORITHM | | final public static String ALGORITHM(Code) | | A string indicating a pair of algorithms used to produce the digest
and a checksum. If this is not present it is assumed to be "MD5".
If the algorithm is not understood, the challenge should be ignored
(and a different one used, if there is more than one).
In this document the string obtained by applying the digest
algorithm to the data "data" with secret "secret" will be denoted
by KD(secret, data), and the string obtained by applying the
checksum algorithm to the data "data" will be denoted H(data). The
notation unq(X) means the value of the quoted-string X without the
surrounding quotes.
|
| AUTH_PARAM | | final public static String AUTH_PARAM(Code) | | This directive allows for future extensions. Any unrecognized directive MUST
be ignored.
|
| CNONCE | | final public static String CNONCE(Code) | | This MUST be specified if a qop directive is sent (see above), and MUST NOT
be specified if the server did not send a qop directive in the
WWW-Authenticate header field. The cnonce-value is an opaque quoted string
value provided by the client and used by both client and server to avoid
chosen plaintext attacks, to provide mutual authentication, and to provide
some message integrity protection. See the descriptions below of the
calculation of the response- digest and request-digest values.
|
| DIGEST_URI | | final public static String DIGEST_URI(Code) | | The URI from Request-URI of the Request-Line; duplicated here because proxies
are allowed to change the Request-Line in transit.
|
| METHOD | | final public static String METHOD(Code) | | The http method type
|
| NONCE | | final public static String NONCE(Code) | | A server-specified data string which MUST be different each time a
digest-challenge is sent as part of initial authentication. It is
recommended that this string be base64 or hexadecimal data. Note that since
the string is passed as a quoted string, the double-quote character is not
allowed unless escaped (see section 7.2). The contents of the nonce are
implementation dependent. The
security of the implementation depends on a good choice. It is RECOMMENDED
that it contain at least 64 bits of entropy. The nonce is opaque to the
client. This directive is required and MUST appear exactly once; if not
present, or if multiple instances are present, the client should abort the
authentication exchange.
|
| NONCE_COUNT | | final public static String NONCE_COUNT(Code) | | This MUST be specified if a qop directive is sent (see above), and MUST NOT
be specified if the server did not send a qop directive in the
WWW-Authenticate header field. The nc-value is the hexadecimal count of the
number of requests (including the current request) that the client has sent
with the nonce value in this request. For example, in the first request sent
in response to a given nonce value, the client sends "nc=00000001". The
purpose of this directive is to allow the server to detect request replays by
maintaining its own copy of this count - if the same nc-value is seen twice,
then the request is a replay. See the description below of the construction
of the request-digest value.
|
| QOP | | final public static String QOP(Code) | | Indicates what "quality of protection" the client has applied to the message.
If present, its value MUST be one of the alternatives the server indicated it
supports in the WWW-Authenticate header. These values affect the computation
of the request-digest. Note that this is a single token, not a quoted list of
alternatives as in WWW- Authenticate. This directive is optional in order to
preserve backward compatibility with a minimal implementation of RFC 2069
[6], but SHOULD be used if the server indicated that qop is supported by
providing a qop directive in the WWW-Authenticate header field.
|
| REALM | | final public static String REALM(Code) | | String which can enable users to know which username and password to use, in
case they might have different ones for different servers.
|
| USERNAME | | final public static String USERNAME(Code) | | The user's name in the specified realm.
|
| cvtHex | | static String cvtHex(byte[] data)(Code) | | 3.1.3 Representation of digest values
An optional header allows the server to specify the algorithm used to create
the checksum or digest. By default the MD5 algorithm is used and that is the
only algorithm described in this document.
For the purposes of this document, an MD5 digest of 128 bits is represented
as 32 ASCII printable characters. The bits in the 128 bit digest are
converted from most significant to least significant bit, four bits at a time
to their ASCII presentation as follows. Each four bits is represented by its
familiar hexadecimal notation from the characters 0123456789abcdef. That is,
binary 0000 getInfos represented by the character '0', 0001, by '1', and so on up
to the representation of 1111 as 'f'.
Parameters:
data - - the raw MD5 hash data the encoded MD5 representation |
|
|