lib/jetty/org/eclipse/jetty/security/authentication/DigestAuthenticator.java

   1 //
   2 //  ========================================================================
   3 //  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
   4 //  ------------------------------------------------------------------------
   5 //  All rights reserved. This program and the accompanying materials
   6 //  are made available under the terms of the Eclipse Public License v1.0
   7 //  and Apache License v2.0 which accompanies this distribution.
   8 //
   9 //      The Eclipse Public License is available at
  10 //      http://www.eclipse.org/legal/epl-v10.html
  11 //
  12 //      The Apache License v2.0 is available at
  13 //      http://www.opensource.org/licenses/apache2.0.php
  14 //
  15 //  You may elect to redistribute this code under either of these licenses.
  16 //  ========================================================================
  17 //
  18
  19 package org.eclipse.jetty.security.authentication;
  20
  21 import java.io.IOException;
  22 import java.nio.charset.StandardCharsets;
  23 import java.security.MessageDigest;
  24 import java.security.SecureRandom;
  25 import java.util.BitSet;
  26 import java.util.Queue;
  27 import java.util.concurrent.ConcurrentHashMap;
  28 import java.util.concurrent.ConcurrentLinkedQueue;
  29 import java.util.concurrent.ConcurrentMap;
  30
  31 import javax.servlet.ServletRequest;
  32 import javax.servlet.ServletResponse;
  33 import javax.servlet.http.HttpServletRequest;
  34 import javax.servlet.http.HttpServletResponse;
  35
  36 import org.eclipse.jetty.http.HttpHeader;
  37 import org.eclipse.jetty.security.SecurityHandler;
  38 import org.eclipse.jetty.security.ServerAuthException;
  39 import org.eclipse.jetty.security.UserAuthentication;
  40 import org.eclipse.jetty.server.Authentication;
  41 import org.eclipse.jetty.server.Authentication.User;
  42 import org.eclipse.jetty.server.Request;
  43 import org.eclipse.jetty.server.UserIdentity;
  44 import org.eclipse.jetty.util.B64Code;
  45 import org.eclipse.jetty.util.QuotedStringTokenizer;
  46 import org.eclipse.jetty.util.TypeUtil;
  47 import org.eclipse.jetty.util.log.Log;
  48 import org.eclipse.jetty.util.log.Logger;
  49 import org.eclipse.jetty.util.security.Constraint;
  50 import org.eclipse.jetty.util.security.Credential;
  51
  52 /**
  53  * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
  54  *
  55  * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)}
  56  * using the name "maxNonceAge".  The nonce max count can be set with {@link SecurityHandler#setInitParameter(String, String)}
  57  * using the name "maxNonceCount".  When the age or count is exceeded, the nonce is considered stale.
  58  */
  59 public class DigestAuthenticator extends LoginAuthenticator
  60 {
  61     private static final Logger LOG = Log.getLogger(DigestAuthenticator.class);
  62     SecureRandom _random = new SecureRandom();
  63     private long _maxNonceAgeMs = 60*1000;
  64     private int _maxNC=1024;
  65     private ConcurrentMap<String, Nonce> _nonceMap = new ConcurrentHashMap<String, Nonce>();
  66     private Queue<Nonce> _nonceQueue = new ConcurrentLinkedQueue<Nonce>();
  67     private static class Nonce
  68     {
  69         final String _nonce;
  70         final long _ts;
  71         final BitSet _seen;
  72
  73         public Nonce(String nonce, long ts, int size)
  74         {
  75             _nonce=nonce;
  76             _ts=ts;
  77             _seen = new BitSet(size);
  78         }
  79
  80         public boolean seen(int count)
  81         {
  82             synchronized (this)
  83             {
  84                 if (count>=_seen.size())
  85                     return true;
  86                 boolean s=_seen.get(count);
  87                 _seen.set(count);
  88                 return s;
  89             }
  90         }
  91     }
  92
  93     /* ------------------------------------------------------------ */
  94     public DigestAuthenticator()
  95     {
  96         super();
  97     }
  98
  99     /* ------------------------------------------------------------ */
 100     /**
 101      * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.AuthConfiguration)
 102      */
 103     @Override
 104     public void setConfiguration(AuthConfiguration configuration)
 105     {
 106         super.setConfiguration(configuration);
 107
 108         String mna=configuration.getInitParameter("maxNonceAge");
 109         if (mna!=null)
 110         {
 111             _maxNonceAgeMs=Long.valueOf(mna);
 112         }
 113         String mnc=configuration.getInitParameter("maxNonceCount");
 114         if (mnc!=null)
 115         {
 116             _maxNC=Integer.valueOf(mnc);
 117         }
 118     }
 119
 120     /* ------------------------------------------------------------ */
 121     public int getMaxNonceCount()
 122     {
 123         return _maxNC;
 124     }
 125
 126     /* ------------------------------------------------------------ */
 127     public void setMaxNonceCount(int maxNC)
 128     {
 129         _maxNC = maxNC;
 130     }
 131
 132     /* ------------------------------------------------------------ */
 133     public long getMaxNonceAge()
 134     {
 135         return _maxNonceAgeMs;
 136     }
 137
 138     /* ------------------------------------------------------------ */
 139     public synchronized void setMaxNonceAge(long maxNonceAgeInMillis)
 140     {
 141         _maxNonceAgeMs = maxNonceAgeInMillis;
 142     }
 143
 144     /* ------------------------------------------------------------ */
 145     @Override
 146     public String getAuthMethod()
 147     {
 148         return Constraint.__DIGEST_AUTH;
 149     }
 150
 151     /* ------------------------------------------------------------ */
 152     @Override
 153     public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
 154     {
 155         return true;
 156     }
 157
 158
 159
 160     /* ------------------------------------------------------------ */
 161     @Override
 162     public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
 163     {
 164         if (!mandatory)
 165             return new DeferredAuthentication(this);
 166
 167         HttpServletRequest request = (HttpServletRequest)req;
 168         HttpServletResponse response = (HttpServletResponse)res;
 169         String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
 170
 171         try
 172         {
 173             boolean stale = false;
 174             if (credentials != null)
 175             {
 176                 if (LOG.isDebugEnabled())
 177                     LOG.debug("Credentials: " + credentials);
 178                 QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false);
 179                 final Digest digest = new Digest(request.getMethod());
 180                 String last = null;
 181                 String name = null;
 182
 183                 while (tokenizer.hasMoreTokens())
 184                 {
 185                     String tok = tokenizer.nextToken();
 186                     char c = (tok.length() == 1) ? tok.charAt(0) : '\0';
 187
 188                     switch (c)
 189                     {
 190                         case '=':
 191                             name = last;
 192                             last = tok;
 193                             break;
 194                         case ',':
 195                             name = null;
 196                             break;
 197                         case ' ':
 198                             break;
 199
 200                         default:
 201                             last = tok;
 202                             if (name != null)
 203                             {
 204                                 if ("username".equalsIgnoreCase(name))
 205                                     digest.username = tok;
 206                                 else if ("realm".equalsIgnoreCase(name))
 207                                     digest.realm = tok;
 208                                 else if ("nonce".equalsIgnoreCase(name))
 209                                     digest.nonce = tok;
 210                                 else if ("nc".equalsIgnoreCase(name))
 211                                     digest.nc = tok;
 212                                 else if ("cnonce".equalsIgnoreCase(name))
 213                                     digest.cnonce = tok;
 214                                 else if ("qop".equalsIgnoreCase(name))
 215                                     digest.qop = tok;
 216                                 else if ("uri".equalsIgnoreCase(name))
 217                                     digest.uri = tok;
 218                                 else if ("response".equalsIgnoreCase(name))
 219                                     digest.response = tok;
 220                                 name=null;
 221                             }
 222                     }
 223                 }
 224
 225                 int n = checkNonce(digest,(Request)request);
 226
 227                 if (n > 0)
 228                 {
 229                     //UserIdentity user = _loginService.login(digest.username,digest);
 230                     UserIdentity user = login(digest.username, digest, req);
 231                     if (user!=null)
 232                     {
 233                         return new UserAuthentication(getAuthMethod(),user);
 234                     }
 235                 }
 236                 else if (n == 0)
 237                     stale = true;
 238
 239             }
 240
 241             if (!DeferredAuthentication.isDeferred(response))
 242             {
 243                 String domain = request.getContextPath();
 244                 if (domain == null)
 245                     domain = "/";
 246                 response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + _loginService.getName()
 247                         + "\", domain=\""
 248                         + domain
 249                         + "\", nonce=\""
 250                         + newNonce((Request)request)
 251                         + "\", algorithm=MD5, qop=\"auth\","
 252                         + " stale=" + stale);
 253                 response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 254
 255                 return Authentication.SEND_CONTINUE;
 256             }
 257
 258             return Authentication.UNAUTHENTICATED;
 259         }
 260         catch (IOException e)
 261         {
 262             throw new ServerAuthException(e);
 263         }
 264
 265     }
 266
 267     /* ------------------------------------------------------------ */
 268     public String newNonce(Request request)
 269     {
 270         Nonce nonce;
 271
 272         do
 273         {
 274             byte[] nounce = new byte[24];
 275             _random.nextBytes(nounce);
 276
 277             nonce = new Nonce(new String(B64Code.encode(nounce)),request.getTimeStamp(),_maxNC);
 278         }
 279         while (_nonceMap.putIfAbsent(nonce._nonce,nonce)!=null);
 280         _nonceQueue.add(nonce);
 281
 282         return nonce._nonce;
 283     }
 284
 285     /**
 286      * @param nstring nonce to check
 287      * @param request
 288      * @return -1 for a bad nonce, 0 for a stale none, 1 for a good nonce
 289      */
 290     /* ------------------------------------------------------------ */
 291     private int checkNonce(Digest digest, Request request)
 292     {
 293         // firstly let's expire old nonces
 294         long expired = request.getTimeStamp()-_maxNonceAgeMs;
 295         Nonce nonce=_nonceQueue.peek();
 296         while (nonce!=null && nonce._ts<expired)
 297         {
 298             _nonceQueue.remove(nonce);
 299             _nonceMap.remove(nonce._nonce);
 300             nonce=_nonceQueue.peek();
 301         }
 302
 303         // Now check the requested nonce
 304         try
 305         {
 306             nonce = _nonceMap.get(digest.nonce);
 307             if (nonce==null)
 308                 return 0;
 309
 310             long count = Long.parseLong(digest.nc,16);
 311             if (count>=_maxNC)
 312                 return 0;
 313
 314             if (nonce.seen((int)count))
 315                 return -1;
 316
 317             return 1;
 318         }
 319         catch (Exception e)
 320         {
 321             LOG.ignore(e);
 322         }
 323         return -1;
 324     }
 325
 326     /* ------------------------------------------------------------ */
 327     /* ------------------------------------------------------------ */
 328     /* ------------------------------------------------------------ */
 329     private static class Digest extends Credential
 330     {
 331         private static final long serialVersionUID = -2484639019549527724L;
 332         final String method;
 333         String username = "";
 334         String realm = "";
 335         String nonce = "";
 336         String nc = "";
 337         String cnonce = "";
 338         String qop = "";
 339         String uri = "";
 340         String response = "";
 341
 342         /* ------------------------------------------------------------ */
 343         Digest(String m)
 344         {
 345             method = m;
 346         }
 347
 348         /* ------------------------------------------------------------ */
 349         @Override
 350         public boolean check(Object credentials)
 351         {
 352             if (credentials instanceof char[])
 353                 credentials=new String((char[])credentials);
 354             String password = (credentials instanceof String) ? (String) credentials : credentials.toString();
 355
 356             try
 357             {
 358                 MessageDigest md = MessageDigest.getInstance("MD5");
 359                 byte[] ha1;
 360                 if (credentials instanceof Credential.MD5)
 361                 {
 362                     // Credentials are already a MD5 digest - assume it's in
 363                     // form user:realm:password (we have no way to know since
 364                     // it's a digest, alright?)
 365                     ha1 = ((Credential.MD5) credentials).getDigest();
 366                 }
 367                 else
 368                 {
 369                     // calc A1 digest
 370                     md.update(username.getBytes(StandardCharsets.ISO_8859_1));
 371                     md.update((byte) ':');
 372                     md.update(realm.getBytes(StandardCharsets.ISO_8859_1));
 373                     md.update((byte) ':');
 374                     md.update(password.getBytes(StandardCharsets.ISO_8859_1));
 375                     ha1 = md.digest();
 376                 }
 377                 // calc A2 digest
 378                 md.reset();
 379                 md.update(method.getBytes(StandardCharsets.ISO_8859_1));
 380                 md.update((byte) ':');
 381                 md.update(uri.getBytes(StandardCharsets.ISO_8859_1));
 382                 byte[] ha2 = md.digest();
 383
 384                 // calc digest
 385                 // request-digest = <"> < KD ( H(A1), unq(nonce-value) ":"
 386                 // nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" H(A2) )
 387                 // <">
 388                 // request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2)
 389                 // ) > <">
 390
 391                 md.update(TypeUtil.toString(ha1, 16).getBytes(StandardCharsets.ISO_8859_1));
 392                 md.update((byte) ':');
 393                 md.update(nonce.getBytes(StandardCharsets.ISO_8859_1));
 394                 md.update((byte) ':');
 395                 md.update(nc.getBytes(StandardCharsets.ISO_8859_1));
 396                 md.update((byte) ':');
 397                 md.update(cnonce.getBytes(StandardCharsets.ISO_8859_1));
 398                 md.update((byte) ':');
 399                 md.update(qop.getBytes(StandardCharsets.ISO_8859_1));
 400                 md.update((byte) ':');
 401                 md.update(TypeUtil.toString(ha2, 16).getBytes(StandardCharsets.ISO_8859_1));
 402                 byte[] digest = md.digest();
 403
 404                 // check digest
 405                 return (TypeUtil.toString(digest, 16).equalsIgnoreCase(response));
 406             }
 407             catch (Exception e)
 408             {
 409                 LOG.warn(e);
 410             }
 411
 412             return false;
 413         }
 414
 415         @Override
 416         public String toString()
 417         {
 418             return username + "," + response;
 419         }
 420     }
 421 }