Class DigestAuthenticator

All Implemented Interfaces:

public class DigestAuthenticator extends LoginAuthenticator
The nonce max age in ms can be set with the SecurityHandler.setInitParameter(String, String) using the name "maxNonceAge". The nonce max count can be set with SecurityHandler.setInitParameter(String, String) using the name "maxNonceCount". When the age or count is exceeded, the nonce is considered stale.
  • Constructor Details

    • DigestAuthenticator

      public DigestAuthenticator()
  • Method Details

    • setConfiguration

      public void setConfiguration(Authenticator.AuthConfiguration configuration)
      Description copied from interface: Authenticator
      Configure the Authenticator
      Specified by:
      setConfiguration in interface Authenticator
      setConfiguration in class LoginAuthenticator
      configuration - the configuration
    • getMaxNonceCount

      public int getMaxNonceCount()
    • setMaxNonceCount

      public void setMaxNonceCount(int maxNC)
    • getMaxNonceAge

      public long getMaxNonceAge()
    • setMaxNonceAge

      public void setMaxNonceAge(long maxNonceAgeInMillis)
    • getAuthMethod

      public String getAuthMethod()
      The name of the authentication method
    • secureResponse

      public boolean secureResponse(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser) throws ServerAuthException
      Description copied from interface: Authenticator
      is response secure
      req - the request
      res - the response
      mandatory - if security is mandator
      validatedUser - the user that was validated
      true if response is secure
      ServerAuthException - if unable to test response
    • validateRequest

      public Authentication validateRequest(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory) throws ServerAuthException
      Description copied from interface: Authenticator
      Validate a request
      req - The request
      res - The response
      mandatory - True if authentication is mandatory.
      An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.
      ServerAuthException - if unable to validate request
    • login

      public UserIdentity login(String username, Object credentials, jakarta.servlet.ServletRequest request)
      Description copied from class: LoginAuthenticator
      If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
      login in class LoginAuthenticator
      username - the username of the client to be authenticated
      credentials - the user's credential
      request - the inbound request that needs authentication
    • newNonce

      public String newNonce(Request request)