org.springframework.security.web.authentication.www
Class DigestAuthenticationFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.www.DigestAuthenticationFilter
- All Implemented Interfaces:
- javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, MessageSourceAware, ServletContextAware
public class DigestAuthenticationFilter
- extends GenericFilterBean
- implements MessageSourceAware
Processes an HTTP request's Digest authorization headers, putting the result into the SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to RFC 2617 (which superseded RFC 2069, although this filter supports clients that implement either RFC 2617 or RFC 2069).
This filter can be used to provide Digest authentication services both to remoting protocol clients (such as Hessian and SOAP) and to standard user agents (such as Internet Explorer and Firefox).
This Digest implementation has been designed to avoid needing to store session state between invocations. All session management information is stored in the "nonce" that is sent to the client by the DigestAuthenticationEntryPoint.
If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.
If authentication fails, an AuthenticationEntryPoint implementation is called. This must always be DigestAuthenticationEntryPoint, which will prompt the user to authenticate again via Digest authentication.
Note that there are limitations to Digest authentication, although it is a more comprehensive and secure solution than Basic authentication. Please see RFC 2617 section 4 for a full discussion of the advantages of Digest authentication over Basic authentication, including commentary on the limitations that it still imposes.
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
messages
protected MessageSourceAccessor messages
DigestAuthenticationFilter
public DigestAuthenticationFilter()
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet
in interface InitializingBean
- Overrides:
afterPropertiesSet
in class GenericFilterBean
doFilter
public void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Specified by:
doFilter
in interface javax.servlet.Filter
- Throws:
IOException
javax.servlet.ServletException
getAuthenticationEntryPoint
public DigestAuthenticationEntryPoint getAuthenticationEntryPoint()
getUserCache
public UserCache getUserCache()
getUserDetailsService
public UserDetailsService getUserDetailsService()
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
setAuthenticationEntryPoint
public void setAuthenticationEntryPoint(DigestAuthenticationEntryPoint authenticationEntryPoint)
setMessageSource
public void setMessageSource(MessageSource messageSource)
- Specified by:
setMessageSource
in interface MessageSourceAware
setPasswordAlreadyEncoded
public void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)
setUserCache
public void setUserCache(UserCache userCache)
setUserDetailsService
public void setUserDetailsService(UserDetailsService userDetailsService)
setCreateAuthenticatedToken
public void setCreateAuthenticatedToken(boolean createAuthenticatedToken)
- If you set this property, the Authentication object created after successful Digest authentication will be marked as authenticated and filled with the authorities loaded by the UserDetailsService. It will therefore not be re-authenticated by your AuthenticationProvider. This means that only the user's password is checked, not flags such as isEnabled() or isAccountNonExpired(). You save some time by enabling this flag, as otherwise your UserDetailsService is called twice. A more secure option is to introduce a cache around your UserDetailsService, but if you do not rely on these flags you can also safely enable this option.
- Parameters:
createAuthenticatedToken
- default is false
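As an added configuration example (not code from the Spring Security Javadoc or project), the following wires this filter with its DigestAuthenticationEntryPoint in a javax.servlet-era Spring Security 5 application; the realm name, nonce key and user are assumed values. The NoOpPasswordEncoder on the provider is needed because, with createAuthenticatedToken left at false, the provider re-verifies the clear-text password that the filter places in the token.

```java
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;

@EnableWebSecurity
public class DigestSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: the realm name and the server secret that signs the nonce.
    private static final String REALM = "example-realm";
    private static final String NONCE_KEY = "REPLACE-WITH-A-RANDOM-SERVER-SECRET";

    // Constructed user. Digest needs the clear-text password (or, with
    // passwordAlreadyEncoded=true, the hex MD5 of "username:realm:password").
    private final InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password("alice-password").roles("USER").build());

    private DigestAuthenticationEntryPoint digestEntryPoint() {
        DigestAuthenticationEntryPoint entryPoint = new DigestAuthenticationEntryPoint();
        entryPoint.setRealmName(REALM);
        entryPoint.setKey(NONCE_KEY);            // the nonce is signed with this key, so no session state
        entryPoint.setNonceValiditySeconds(300); // the nonce carries its own expiry
        return entryPoint;
    }

    private DigestAuthenticationFilter digestFilter(DigestAuthenticationEntryPoint entryPoint) {
        DigestAuthenticationFilter filter = new DigestAuthenticationFilter();
        filter.setUserDetailsService(users);
        filter.setAuthenticationEntryPoint(entryPoint);
        filter.setPasswordAlreadyEncoded(false);
        // Default kept: the token stays unauthenticated, so the provider re-checks
        // isEnabled()/isAccountNonExpired(); setting true would skip those flags.
        filter.setCreateAuthenticatedToken(false);
        filter.afterPropertiesSet();
        return filter;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // The provider compares the same clear-text password, so no hashing encoder here.
        auth.userDetailsService(users).passwordEncoder(NoOpPasswordEncoder.getInstance());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        DigestAuthenticationEntryPoint entryPoint = digestEntryPoint();
        http.authorizeRequests().anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(entryPoint)
            .and().addFilter(digestFilter(entryPoint));
    }
}
```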