org.springframework.security.web.authentication.www
Class DigestAuthenticationFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.authentication.www.DigestAuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, MessageSourceAware, ServletContextAware

public class DigestAuthenticationFilter
extends GenericFilterBean
implements MessageSourceAware

Processes an HTTP request's Digest authorization headers, putting the result into the SecurityContextHolder.

For a detailed background on what this filter is designed to process, refer to RFC 2617 (which superseded RFC 2069, although this filter supports clients that implement either RFC 2617 or RFC 2069).

This filter can be used to provide Digest authentication services both to remoting protocol clients (such as Hessian and SOAP) and to standard user agents (such as Internet Explorer and Firefox).

This Digest implementation has been designed to avoid needing to store session state between invocations. All session management information is stored in the "nonce" that is sent to the client by the DigestAuthenticationEntryPoint.

If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.

If authentication fails, an AuthenticationEntryPoint implementation is called. This must always be DigestAuthenticationEntryPoint, which will prompt the user to authenticate again via Digest authentication.

Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution than Basic authentication. Please see RFC 2617 section 4 for a full discussion of the advantages of Digest authentication over Basic authentication, including commentary on the limitations that it still imposes. One limitation matters directly for this filter: to verify a response the server must recompute MD5(username:realm:password), so the UserDetailsService has to return either the cleartext password or that pre-computed digest (see setPasswordAlreadyEncoded); salted, one-way password hashes cannot be used with Digest authentication.
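The two mechanisms described above, the self-validating nonce issued by the entry point and the RFC 2617 (qop=auth) or RFC 2069 (no qop) response check, are modelled below in plain Java so that each step the filter performs can be traced. This is an added example written for this page, not Spring Security's own code: the nonce layout expiry:MD5(expiry:key) encoded in base64, the key "changeme", the realm "Demo Realm", the user alice with password "secret", and every header field value are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/** Added example: stateless-nonce and Digest response checks, modelled outside Spring. */
public class DigestCheckDemo {

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Entry-point role: the nonce carries its own expiry time, signed with the server key. */
    static String createNonce(String key, long expiryMillis) {
        String nonce = expiryMillis + ":" + md5Hex(expiryMillis + ":" + key);
        return Base64.getEncoder().encodeToString(nonce.getBytes(StandardCharsets.UTF_8));
    }

    /** Filter role: reject malformed, forged or expired nonces with no session lookup at all. */
    static boolean nonceValid(String nonceB64, String key, long nowMillis) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(nonceB64), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false;                      // not base64 at all
        }
        String[] parts = decoded.split(":");
        if (parts.length != 2) return false;   // layout must be expiry:signature
        long expiry;
        try {
            expiry = Long.parseLong(parts[0]);
        } catch (NumberFormatException e) {
            return false;
        }
        byte[] given = parts[1].getBytes(StandardCharsets.UTF_8);
        byte[] expected = md5Hex(expiry + ":" + key).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(given, expected)) return false; // constant-time signature check
        return expiry >= nowMillis;            // expired nonces force a fresh challenge
    }

    /**
     * Digest response. With qop == null the RFC 2069 form is used, otherwise RFC 2617.
     * "secret" is either the cleartext password or, when a1AlreadyHashed is true,
     * the stored MD5(username:realm:password) (the passwordAlreadyEncoded case).
     */
    static String response(String secret, boolean a1AlreadyHashed, String user, String realm,
                           String method, String uri, String nonce, String nc, String cnonce, String qop) {
        String ha1 = a1AlreadyHashed ? secret : md5Hex(user + ":" + realm + ":" + secret);
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) return md5Hex(ha1 + ":" + nonce + ":" + ha2);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    public static void main(String[] args) {
        String key = "changeme";                           // constructed server key
        long now = 1_700_000_000_000L;                     // constructed "current time"
        String nonce = createNonce(key, now + 300_000);    // five-minute validity

        // Client side: computes the response from the cleartext password.
        String clientResp = response("secret", false, "alice", "Demo Realm",
                "GET", "/api/orders", nonce, "00000001", "0a4f113b", "auth");
        // Server side: holds only MD5(username:realm:password) and must reach the same value.
        String storedA1 = md5Hex("alice:Demo Realm:secret");
        String serverResp = response(storedA1, true, "alice", "Demo Realm",
                "GET", "/api/orders", nonce, "00000001", "0a4f113b", "auth");
        boolean match = MessageDigest.isEqual(clientResp.getBytes(StandardCharsets.UTF_8),
                                              serverResp.getBytes(StandardCharsets.UTF_8));

        System.out.println("nonce valid now:        " + nonceValid(nonce, key, now));
        System.out.println("nonce valid 10 min on:  " + nonceValid(nonce, key, now + 600_000));
        System.out.println("nonce with wrong key:   " + nonceValid(nonce, "other", now));
        System.out.println("responses agree:        " + match);

        // Replaying the same response against another URI fails because A2 changes.
        String replayed = response(storedA1, true, "alice", "Demo Realm",
                "GET", "/api/admin", nonce, "00000001", "0a4f113b", "auth");
        System.out.println("reuse on /api/admin:    " + clientResp.equals(replayed));
    }
}
```

Run it with a plain JDK (java DigestCheckDemo.java on JDK 11 or later). The expired and wrong-key cases show why no server-side state is needed: every nonce proves its own origin and lifetime, so an attacker cannot mint one without the key or extend one past its expiry. Note that the nonce does not by itself prevent replay within its validity window; RFC 2617's nonce-count (nc) exists for that, and the server would have to track counts per nonce to enforce it.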


Field Summary
protected  MessageSourceAccessor messages
           
 
Constructor Summary
DigestAuthenticationFilter()
           
 
Method Summary
 void afterPropertiesSet()
           
 void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
           
 DigestAuthenticationEntryPoint getAuthenticationEntryPoint()
           
 UserCache getUserCache()
           
 UserDetailsService getUserDetailsService()
           
 void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
           
 void setAuthenticationEntryPoint(DigestAuthenticationEntryPoint authenticationEntryPoint)
           
 void setCreateAuthenticatedToken(boolean createAuthenticatedToken)
          If this property is set, the Authentication object created after a successful digest authentication is marked as authenticated and populated with the authorities loaded by the UserDetailsService.
 void setMessageSource(MessageSource messageSource)
           
 void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)
           
 void setUserCache(UserCache userCache)
           
 void setUserDetailsService(UserDetailsService userDetailsService)
           
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

messages

protected MessageSourceAccessor messages
Constructor Detail

DigestAuthenticationFilter

public DigestAuthenticationFilter()
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
Specified by:
afterPropertiesSet in interface InitializingBean
Overrides:
afterPropertiesSet in class GenericFilterBean

doFilter

public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException

getAuthenticationEntryPoint

public DigestAuthenticationEntryPoint getAuthenticationEntryPoint()

getUserCache

public UserCache getUserCache()

getUserDetailsService

public UserDetailsService getUserDetailsService()

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setAuthenticationEntryPoint

public void setAuthenticationEntryPoint(DigestAuthenticationEntryPoint authenticationEntryPoint)

setMessageSource

public void setMessageSource(MessageSource messageSource)
Specified by:
setMessageSource in interface MessageSourceAware

setPasswordAlreadyEncoded

public void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)

setUserCache

public void setUserCache(UserCache userCache)

setUserDetailsService

public void setUserDetailsService(UserDetailsService userDetailsService)

setCreateAuthenticatedToken

public void setCreateAuthenticatedToken(boolean createAuthenticatedToken)
If this property is set, the Authentication object created after a successful digest authentication is marked as authenticated and populated with the authorities loaded by the UserDetailsService. It will therefore not be re-authenticated by your AuthenticationProvider, which means only the user's password is checked; account flags such as isEnabled() or isAccountNonExpired() are not. Enabling this flag saves some time, as otherwise your UserDetailsService is called twice. The more secure option is to put a cache around your UserDetailsService (see setUserCache), but if you do not rely on those flags you can also enable this option safely.

Parameters:
createAuthenticatedToken - default is false