spring-security/docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc

[[servlet-authentication-digest]]
= Digest Authentication

This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.

[WARNING]
====
You should not use Digest Authentication in modern applications, because it is not considered to be secure.
The most obvious problem is that you must store your passwords in plaintext or an encrypted or MD5 format.
All of these storage formats are considered insecure.
Instead, you should store credentials by using a one way adaptive password hash (bCrypt, PBKDF2, SCrypt, and others), which is not supported by Digest Authentication.
====

Digest Authentication tries to solve many of the weaknesses of xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire.
Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication].

The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069].
Most user agents implement RFC 2617.
Spring Security's Digest Authentication support is compatible with the "`auth`" quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.
Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (no TLS or HTTPS) and wish to maximize security of the authentication process.
However, everyone should use xref:features/exploits/http.adoc#http[HTTPS].

Central to Digest Authentication is a "`nonce`".
This is a value the server generates.
Spring Security's nonce adopts the following format:

.Digest Syntax
====
[source,txt]
----
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
expirationTime:   The date and time when the nonce expires, expressed in milliseconds
key:              A private key to prevent modification of the nonce token
----
====

You need to ensure that you xref:features/authentication/password-storage.adoc#authentication-password-storage-configuration[configure] insecure plain text xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage] using `NoOpPasswordEncoder`.
(See the {security-api-url}org/springframework/security/crypto/password/NoOpPasswordEncoder.html[`NoOpPasswordEncoder`] class in the Javadoc.)
The following provides an example of configuring Digest Authentication with Java Configuration:

.Digest Authentication
====
.Java
[source,java,role="primary"]
----
@Autowired
UserDetailsService userDetailsService;

DigestAuthenticationEntryPoint entryPoint() {
	DigestAuthenticationEntryPoint result = new DigestAuthenticationEntryPoint();
	result.setRealmName("My App Realm");
	result.setKey("3028472b-da34-4501-bfd8-a355c42bdf92");
}

DigestAuthenticationFilter digestAuthenticationFilter() {
	DigestAuthenticationFilter result = new DigestAuthenticationFilter();
	result.setUserDetailsService(userDetailsService);
	result.setAuthenticationEntryPoint(entryPoint());
}

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
	http
		// ...
		.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
		.addFilterBefore(digestFilter());
	return http.build();
}
----

.XML
[source,xml,role="secondary"]
----
<b:bean id="digestFilter"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter"
    p:userDetailsService-ref="jdbcDaoImpl"
    p:authenticationEntryPoint-ref="digestEntryPoint"
/>

<b:bean id="digestEntryPoint"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"
    p:realmName="My App Realm"
	p:key="3028472b-da34-4501-bfd8-a355c42bdf92"
/>

<http>
	<!-- ... -->
	<custom-filter ref="userFilter" position="DIGEST_AUTH_FILTER"/>
</http>
----
====
Fix title render issue of Digest Authentication document Closes gh-11272 2022-05-27 02:17:10 +00:00			`[[servlet-authentication-digest]]`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`= Digest Authentication`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00
			`[WARNING]`
			`====`
Further changes based on feedback Mostly restoring the formatting of admonitions. 2021-06-04 14:12:59 -05:00			`You should not use Digest Authentication in modern applications, because it is not considered to be secure.`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`The most obvious problem is that you must store your passwords in plaintext or an encrypted or MD5 format.`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`All of these storage formats are considered insecure.`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`Instead, you should store credentials by using a one way adaptive password hash (bCrypt, PBKDF2, SCrypt, and others), which is not supported by Digest Authentication.`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`====`

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			`Digest Authentication tries to solve many of the weaknesses of xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire.`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication].`

			`The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069].`
			`Most user agents implement RFC 2617.`
			Spring Security's Digest Authentication support is compatible with the "`auth`" quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (no TLS or HTTPS) and wish to maximize security of the authentication process.`
overview/ -> ../ 2021-08-10 15:21:42 -05:00			`However, everyone should use xref:features/exploits/http.adoc#http[HTTPS].`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			Central to Digest Authentication is a "`nonce`".
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`This is a value the server generates.`
			`Spring Security's nonce adopts the following format:`

			`.Digest Syntax`
			`====`
			`[source,txt]`
			`----`
			`base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))`
			`expirationTime: The date and time when the nonce expires, expressed in milliseconds`
			`key: A private key to prevent modification of the nonce token`
			`----`
			`====`

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			You need to ensure that you xref:features/authentication/password-storage.adoc#authentication-password-storage-configuration[configure] insecure plain text xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage] using `NoOpPasswordEncoder`.
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			(See the {security-api-url}org/springframework/security/crypto/password/NoOpPasswordEncoder.html[`NoOpPasswordEncoder`] class in the Javadoc.)
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`The following provides an example of configuring Digest Authentication with Java Configuration:`

Add More role=primary/secondary Issue gh-7801 2020-01-09 20:12:19 -06:00			`.Digest Authentication`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`====`
Add More role=primary/secondary Issue gh-7801 2020-01-09 20:12:19 -06:00			`.Java`
			`[source,java,role="primary"]`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`----`
			`@Autowired`
			`UserDetailsService userDetailsService;`

			`DigestAuthenticationEntryPoint entryPoint() {`
			`DigestAuthenticationEntryPoint result = new DigestAuthenticationEntryPoint();`
docs: fix realm typo 2022-11-01 20:19:21 +01:00			`result.setRealmName("My App Realm");`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`result.setKey("3028472b-da34-4501-bfd8-a355c42bdf92");`
			`}`

			`DigestAuthenticationFilter digestAuthenticationFilter() {`
			`DigestAuthenticationFilter result = new DigestAuthenticationFilter();`
			`result.setUserDetailsService(userDetailsService);`
			`result.setAuthenticationEntryPoint(entryPoint());`
			`}`

Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`http`
			`// ...`
			`.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))`
			`.addFilterBefore(digestFilter());`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build();`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`}`
			`----`

Add More role=primary/secondary Issue gh-7801 2020-01-09 20:12:19 -06:00			`.XML`
			`[source,xml,role="secondary"]`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`----`
			`<b:bean id="digestFilter"`
			`class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter"`
			`p:userDetailsService-ref="jdbcDaoImpl"`
			`p:authenticationEntryPoint-ref="digestEntryPoint"`
			`/>`

			`<b:bean id="digestEntryPoint"`
			`class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"`
Fix typos in documentation 2020-05-03 23:51:03 +03:00			`p:realmName="My App Realm"`
Start Servlet Authentication Cleanup Issue gh-7628 2019-12-06 10:39:55 -06:00			`p:key="3028472b-da34-4501-bfd8-a355c42bdf92"`
			`/>`

			`<http>`
			`<!-- ... -->`
			`<custom-filter ref="userFilter" position="DIGEST_AUTH_FILTER"/>`
			`</http>`
			`----`
			`====`