92 lines
4.0 KiB
Plaintext
92 lines
4.0 KiB
Plaintext
[[servlet-authentication-digest]]
|
|
= Digest Authentication
|
|
|
|
This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
|
|
|
|
[WARNING]
|
|
====
|
|
You should not use Digest Authentication in modern applications, because it is not considered to be secure.
|
|
The most obvious problem is that you must store your passwords in plaintext or an encrypted or MD5 format.
|
|
All of these storage formats are considered insecure.
|
|
Instead, you should store credentials by using a one way adaptive password hash (bCrypt, PBKDF2, SCrypt, and others), which is not supported by Digest Authentication.
|
|
====
|
|
|
|
Digest Authentication tries to solve many of the weaknesses of xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire.
|
|
Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication].
|
|
|
|
The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069].
|
|
Most user agents implement RFC 2617.
|
|
Spring Security's Digest Authentication support is compatible with the "`auth`" quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.
|
|
Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (no TLS or HTTPS) and wish to maximize security of the authentication process.
|
|
However, everyone should use xref:features/exploits/http.adoc#http[HTTPS].
|
|
|
|
Central to Digest Authentication is a "`nonce`".
|
|
This is a value the server generates.
|
|
Spring Security's nonce adopts the following format:
|
|
|
|
.Digest Syntax
|
|
====
|
|
[source,txt]
|
|
----
|
|
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
|
|
expirationTime: The date and time when the nonce expires, expressed in milliseconds
|
|
key: A private key to prevent modification of the nonce token
|
|
----
|
|
====
|
|
|
|
You need to ensure that you xref:features/authentication/password-storage.adoc#authentication-password-storage-configuration[configure] insecure plain text xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage] using `NoOpPasswordEncoder`.
|
|
(See the {security-api-url}org/springframework/security/crypto/password/NoOpPasswordEncoder.html[`NoOpPasswordEncoder`] class in the Javadoc.)
|
|
The following provides an example of configuring Digest Authentication with Java Configuration:
|
|
|
|
.Digest Authentication
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@Autowired
|
|
UserDetailsService userDetailsService;
|
|
|
|
DigestAuthenticationEntryPoint entryPoint() {
|
|
DigestAuthenticationEntryPoint result = new DigestAuthenticationEntryPoint();
|
|
result.setRealmName("My App Realm");
|
|
result.setKey("3028472b-da34-4501-bfd8-a355c42bdf92");
|
|
}
|
|
|
|
DigestAuthenticationFilter digestAuthenticationFilter() {
|
|
DigestAuthenticationFilter result = new DigestAuthenticationFilter();
|
|
result.setUserDetailsService(userDetailsService);
|
|
result.setAuthenticationEntryPoint(entryPoint());
|
|
}
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
// ...
|
|
.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
|
|
.addFilterBefore(digestFilter());
|
|
return http.build();
|
|
}
|
|
----
|
|
|
|
.XML
|
|
[source,xml,role="secondary"]
|
|
----
|
|
<b:bean id="digestFilter"
|
|
class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter"
|
|
p:userDetailsService-ref="jdbcDaoImpl"
|
|
p:authenticationEntryPoint-ref="digestEntryPoint"
|
|
/>
|
|
|
|
<b:bean id="digestEntryPoint"
|
|
class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"
|
|
p:realmName="My App Realm"
|
|
p:key="3028472b-da34-4501-bfd8-a355c42bdf92"
|
|
/>
|
|
|
|
<http>
|
|
<!-- ... -->
|
|
<custom-filter ref="userFilter" position="DIGEST_AUTH_FILTER"/>
|
|
</http>
|
|
----
|
|
====
|