lib/jetty/org/eclipse/jetty/security/authentication/DigestAuthenticator.java

   1 //
   2 //  ========================================================================
   3 //  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
   4 //  ------------------------------------------------------------------------
   5 //  All rights reserved. This program and the accompanying materials
   6 //  are made available under the terms of the Eclipse Public License v1.0
   7 //  and Apache License v2.0 which accompanies this distribution.
   8 //
   9 //      The Eclipse Public License is available at
  10 //      http://www.eclipse.org/legal/epl-v10.html
  11 //
  12 //      The Apache License v2.0 is available at
  13 //      http://www.opensource.org/licenses/apache2.0.php
  14 //
  15 //  You may elect to redistribute this code under either of these licenses.
  16 //  ========================================================================
  17 //
  18
  19 package org.eclipse.jetty.security.authentication;
  20
  21 import java.io.IOException;
  22 import java.nio.charset.StandardCharsets;
  23 import java.security.MessageDigest;
  24 import java.security.SecureRandom;
  25 import java.util.BitSet;
  26 import java.util.Queue;
  27 import java.util.concurrent.ConcurrentHashMap;
  28 import java.util.concurrent.ConcurrentLinkedQueue;
  29 import java.util.concurrent.ConcurrentMap;
  30
  31 import javax.servlet.ServletRequest;
  32 import javax.servlet.ServletResponse;
  33 import javax.servlet.http.HttpServletRequest;
  34 import javax.servlet.http.HttpServletResponse;
  35
  36 import org.eclipse.jetty.http.HttpHeader;
  37 import org.eclipse.jetty.security.ServerAuthException;
  38 import org.eclipse.jetty.security.UserAuthentication;
  39 import org.eclipse.jetty.server.Authentication;
  40 import org.eclipse.jetty.server.Authentication.User;
  41 import org.eclipse.jetty.server.Request;
  42 import org.eclipse.jetty.server.UserIdentity;
  43 import org.eclipse.jetty.util.B64Code;
  44 import org.eclipse.jetty.util.QuotedStringTokenizer;
  45 import org.eclipse.jetty.util.TypeUtil;
  46 import org.eclipse.jetty.util.log.Log;
  47 import org.eclipse.jetty.util.log.Logger;
  48 import org.eclipse.jetty.util.security.Constraint;
  49 import org.eclipse.jetty.util.security.Credential;
  50
  51 /**
  52  * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
  53  *
  54  * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)}
  55  * using the name "maxNonceAge".  The nonce max count can be set with {@link SecurityHandler#setInitParameter(String, String)}
  56  * using the name "maxNonceCount".  When the age or count is exceeded, the nonce is considered stale.
  57  */
  58 public class DigestAuthenticator extends LoginAuthenticator
  59 {
  60     private static final Logger LOG = Log.getLogger(DigestAuthenticator.class);
  61     SecureRandom _random = new SecureRandom();
  62     private long _maxNonceAgeMs = 60*1000;
  63     private int _maxNC=1024;
  64     private ConcurrentMap<String, Nonce> _nonceMap = new ConcurrentHashMap<String, Nonce>();
  65     private Queue<Nonce> _nonceQueue = new ConcurrentLinkedQueue<Nonce>();
  66     private static class Nonce
  67     {
  68         final String _nonce;
  69         final long _ts;
  70         final BitSet _seen;
  71
  72         public Nonce(String nonce, long ts, int size)
  73         {
  74             _nonce=nonce;
  75             _ts=ts;
  76             _seen = new BitSet(size);
  77         }
  78
  79         public boolean seen(int count)
  80         {
  81             synchronized (this)
  82             {
  83                 if (count>=_seen.size())
  84                     return true;
  85                 boolean s=_seen.get(count);
  86                 _seen.set(count);
  87                 return s;
  88             }
  89         }
  90     }
  91
  92     /* ------------------------------------------------------------ */
  93     public DigestAuthenticator()
  94     {
  95         super();
  96     }
  97
  98     /* ------------------------------------------------------------ */
  99     /**
 100      * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.AuthConfiguration)
 101      */
 102     @Override
 103     public void setConfiguration(AuthConfiguration configuration)
 104     {
 105         super.setConfiguration(configuration);
 106
 107         String mna=configuration.getInitParameter("maxNonceAge");
 108         if (mna!=null)
 109         {
 110             _maxNonceAgeMs=Long.valueOf(mna);
 111         }
 112         String mnc=configuration.getInitParameter("maxNonceCount");
 113         if (mnc!=null)
 114         {
 115             _maxNC=Integer.valueOf(mnc);
 116         }
 117     }
 118
 119     /* ------------------------------------------------------------ */
 120     public int getMaxNonceCount()
 121     {
 122         return _maxNC;
 123     }
 124
 125     /* ------------------------------------------------------------ */
 126     public void setMaxNonceCount(int maxNC)
 127     {
 128         _maxNC = maxNC;
 129     }
 130
 131     /* ------------------------------------------------------------ */
 132     public long getMaxNonceAge()
 133     {
 134         return _maxNonceAgeMs;
 135     }
 136
 137     /* ------------------------------------------------------------ */
 138     public synchronized void setMaxNonceAge(long maxNonceAgeInMillis)
 139     {
 140         _maxNonceAgeMs = maxNonceAgeInMillis;
 141     }
 142
 143     /* ------------------------------------------------------------ */
 144     @Override
 145     public String getAuthMethod()
 146     {
 147         return Constraint.__DIGEST_AUTH;
 148     }
 149
 150     /* ------------------------------------------------------------ */
 151     @Override
 152     public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
 153     {
 154         return true;
 155     }
 156
 157
 158
 159     /* ------------------------------------------------------------ */
 160     @Override
 161     public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
 162     {
 163         if (!mandatory)
 164             return new DeferredAuthentication(this);
 165
 166         HttpServletRequest request = (HttpServletRequest)req;
 167         HttpServletResponse response = (HttpServletResponse)res;
 168         String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
 169
 170         try
 171         {
 172             boolean stale = false;
 173             if (credentials != null)
 174             {
 175                 if (LOG.isDebugEnabled())
 176                     LOG.debug("Credentials: " + credentials);
 177                 QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false);
 178                 final Digest digest = new Digest(request.getMethod());
 179                 String last = null;
 180                 String name = null;
 181
 182                 while (tokenizer.hasMoreTokens())
 183                 {
 184                     String tok = tokenizer.nextToken();
 185                     char c = (tok.length() == 1) ? tok.charAt(0) : '\0';
 186
 187                     switch (c)
 188                     {
 189                         case '=':
 190                             name = last;
 191                             last = tok;
 192                             break;
 193                         case ',':
 194                             name = null;
 195                             break;
 196                         case ' ':
 197                             break;
 198
 199                         default:
 200                             last = tok;
 201                             if (name != null)
 202                             {
 203                                 if ("username".equalsIgnoreCase(name))
 204                                     digest.username = tok;
 205                                 else if ("realm".equalsIgnoreCase(name))
 206                                     digest.realm = tok;
 207                                 else if ("nonce".equalsIgnoreCase(name))
 208                                     digest.nonce = tok;
 209                                 else if ("nc".equalsIgnoreCase(name))
 210                                     digest.nc = tok;
 211                                 else if ("cnonce".equalsIgnoreCase(name))
 212                                     digest.cnonce = tok;
 213                                 else if ("qop".equalsIgnoreCase(name))
 214                                     digest.qop = tok;
 215                                 else if ("uri".equalsIgnoreCase(name))
 216                                     digest.uri = tok;
 217                                 else if ("response".equalsIgnoreCase(name))
 218                                     digest.response = tok;
 219                                 name=null;
 220                             }
 221                     }
 222                 }
 223
 224                 int n = checkNonce(digest,(Request)request);
 225
 226                 if (n > 0)
 227                 {
 228                     //UserIdentity user = _loginService.login(digest.username,digest);
 229                     UserIdentity user = login(digest.username, digest, req);
 230                     if (user!=null)
 231                     {
 232                         return new UserAuthentication(getAuthMethod(),user);
 233                     }
 234                 }
 235                 else if (n == 0)
 236                     stale = true;
 237
 238             }
 239
 240             if (!DeferredAuthentication.isDeferred(response))
 241             {
 242                 String domain = request.getContextPath();
 243                 if (domain == null)
 244                     domain = "/";
 245                 response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + _loginService.getName()
 246                         + "\", domain=\""
 247                         + domain
 248                         + "\", nonce=\""
 249                         + newNonce((Request)request)
 250                         + "\", algorithm=MD5, qop=\"auth\","
 251                         + " stale=" + stale);
 252                 response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 253
 254                 return Authentication.SEND_CONTINUE;
 255             }
 256
 257             return Authentication.UNAUTHENTICATED;
 258         }
 259         catch (IOException e)
 260         {
 261             throw new ServerAuthException(e);
 262         }
 263
 264     }
 265
 266     /* ------------------------------------------------------------ */
 267     public String newNonce(Request request)
 268     {
 269         Nonce nonce;
 270
 271         do
 272         {
 273             byte[] nounce = new byte[24];
 274             _random.nextBytes(nounce);
 275
 276             nonce = new Nonce(new String(B64Code.encode(nounce)),request.getTimeStamp(),_maxNC);
 277         }
 278         while (_nonceMap.putIfAbsent(nonce._nonce,nonce)!=null);
 279         _nonceQueue.add(nonce);
 280
 281         return nonce._nonce;
 282     }
 283
 284     /**
 285      * @param nstring nonce to check
 286      * @param request
 287      * @return -1 for a bad nonce, 0 for a stale none, 1 for a good nonce
 288      */
 289     /* ------------------------------------------------------------ */
 290     private int checkNonce(Digest digest, Request request)
 291     {
 292         // firstly let's expire old nonces
 293         long expired = request.getTimeStamp()-_maxNonceAgeMs;
 294         Nonce nonce=_nonceQueue.peek();
 295         while (nonce!=null && nonce._ts<expired)
 296         {
 297             _nonceQueue.remove(nonce);
 298             _nonceMap.remove(nonce._nonce);
 299             nonce=_nonceQueue.peek();
 300         }
 301
 302         // Now check the requested nonce
 303         try
 304         {
 305             nonce = _nonceMap.get(digest.nonce);
 306             if (nonce==null)
 307                 return 0;
 308
 309             long count = Long.parseLong(digest.nc,16);
 310             if (count>=_maxNC)
 311                 return 0;
 312
 313             if (nonce.seen((int)count))
 314                 return -1;
 315
 316             return 1;
 317         }
 318         catch (Exception e)
 319         {
 320             LOG.ignore(e);
 321         }
 322         return -1;
 323     }
 324
 325     /* ------------------------------------------------------------ */
 326     /* ------------------------------------------------------------ */
 327     /* ------------------------------------------------------------ */
 328     private static class Digest extends Credential
 329     {
 330         private static final long serialVersionUID = -2484639019549527724L;
 331         final String method;
 332         String username = "";
 333         String realm = "";
 334         String nonce = "";
 335         String nc = "";
 336         String cnonce = "";
 337         String qop = "";
 338         String uri = "";
 339         String response = "";
 340
 341         /* ------------------------------------------------------------ */
 342         Digest(String m)
 343         {
 344             method = m;
 345         }
 346
 347         /* ------------------------------------------------------------ */
 348         @Override
 349         public boolean check(Object credentials)
 350         {
 351             if (credentials instanceof char[])
 352                 credentials=new String((char[])credentials);
 353             String password = (credentials instanceof String) ? (String) credentials : credentials.toString();
 354
 355             try
 356             {
 357                 MessageDigest md = MessageDigest.getInstance("MD5");
 358                 byte[] ha1;
 359                 if (credentials instanceof Credential.MD5)
 360                 {
 361                     // Credentials are already a MD5 digest - assume it's in
 362                     // form user:realm:password (we have no way to know since
 363                     // it's a digest, alright?)
 364                     ha1 = ((Credential.MD5) credentials).getDigest();
 365                 }
 366                 else
 367                 {
 368                     // calc A1 digest
 369                     md.update(username.getBytes(StandardCharsets.ISO_8859_1));
 370                     md.update((byte) ':');
 371                     md.update(realm.getBytes(StandardCharsets.ISO_8859_1));
 372                     md.update((byte) ':');
 373                     md.update(password.getBytes(StandardCharsets.ISO_8859_1));
 374                     ha1 = md.digest();
 375                 }
 376                 // calc A2 digest
 377                 md.reset();
 378                 md.update(method.getBytes(StandardCharsets.ISO_8859_1));
 379                 md.update((byte) ':');
 380                 md.update(uri.getBytes(StandardCharsets.ISO_8859_1));
 381                 byte[] ha2 = md.digest();
 382
 383                 // calc digest
 384                 // request-digest = <"> < KD ( H(A1), unq(nonce-value) ":"
 385                 // nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" H(A2) )
 386                 // <">
 387                 // request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2)
 388                 // ) > <">
 389
 390                 md.update(TypeUtil.toString(ha1, 16).getBytes(StandardCharsets.ISO_8859_1));
 391                 md.update((byte) ':');
 392                 md.update(nonce.getBytes(StandardCharsets.ISO_8859_1));
 393                 md.update((byte) ':');
 394                 md.update(nc.getBytes(StandardCharsets.ISO_8859_1));
 395                 md.update((byte) ':');
 396                 md.update(cnonce.getBytes(StandardCharsets.ISO_8859_1));
 397                 md.update((byte) ':');
 398                 md.update(qop.getBytes(StandardCharsets.ISO_8859_1));
 399                 md.update((byte) ':');
 400                 md.update(TypeUtil.toString(ha2, 16).getBytes(StandardCharsets.ISO_8859_1));
 401                 byte[] digest = md.digest();
 402
 403                 // check digest
 404                 return (TypeUtil.toString(digest, 16).equalsIgnoreCase(response));
 405             }
 406             catch (Exception e)
 407             {
 408                 LOG.warn(e);
 409             }
 410
 411             return false;
 412         }
 413
 414         @Override
 415         public String toString()
 416         {
 417             return username + "," + response;
 418         }
 419     }
 420 }