- /*
- * $Header: /home/cvs/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/auth/DigestScheme.java,v 1.21 2004/05/13 04:02:00 mbecke Exp $
- * $Revision: 1.21 $
- * $Date: 2004/05/13 04:02:00 $
- *
- * ====================================================================
- *
- * Copyright 2002-2004 The Apache Software Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
- package org.apache.commons.httpclient.auth;
-
- import java.security.MessageDigest;
- import java.security.NoSuchAlgorithmException;
- import java.util.StringTokenizer;
-
- import org.apache.commons.httpclient.Credentials;
- import org.apache.commons.httpclient.HttpClientError;
- import org.apache.commons.httpclient.HttpMethod;
- import org.apache.commons.httpclient.UsernamePasswordCredentials;
- import org.apache.commons.httpclient.util.EncodingUtil;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
-
- /**
- * <p>
- * Digest authentication scheme as defined in RFC 2617.
- * Both MD5 (default) and MD5-sess are supported.
- * Currently only qop=auth or no qop is supported. qop=auth-int
- * is unsupported. If auth and auth-int are provided, auth is
- * used.
- * </p>
- * <p>
- * Credential charset is configured via the
- * {@link org.apache.commons.httpclient.params.HttpMethodParams#CREDENTIAL_CHARSET credential
- * charset} parameter. Since the digest username is included as clear text in the generated
- * Authentication header, the charset of the username must be compatible with the
- * {@link org.apache.commons.httpclient.params.HttpMethodParams#HTTP_ELEMENT_CHARSET http element
- * charset}.
- * </p>
- * TODO: make class more stateful regarding repeated authentication requests
- *
- * @author <a href="mailto:remm@apache.org">Remy Maucherat</a>
- * @author Rodney Waldhoff
- * @author <a href="mailto:jsdever@apache.org">Jeff Dever</a>
- * @author Ortwin Gl?ck
- * @author Sean C. Sullivan
- * @author <a href="mailto:adrian@ephox.com">Adrian Sutton</a>
- * @author <a href="mailto:mbowler@GargoyleSoftware.com">Mike Bowler</a>
- * @author <a href="mailto:oleg@ural.ru">Oleg Kalnichevski</a>
- */
-
- public class DigestScheme extends RFC2617Scheme {
-
- /** Log object for this class. */
- private static final Log LOG = LogFactory.getLog(DigestScheme.class);
-
- /**
- * Hexa values used when creating 32 character long digest in HTTP DigestScheme
- * in case of authentication.
- *
- * @see #encode(byte[])
- */
- private static final char[] HEXADECIMAL = {
- '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',
- 'e', 'f'
- };
-
- /** Whether the digest authentication process is complete */
- private boolean complete;
-
- //TODO: supply a real nonce-count, currently a server will interprete a repeated request as a replay
- private static final String NC = "00000001"; //nonce-count is always 1
- private static final int QOP_MISSING = 0;
- private static final int QOP_AUTH_INT = 1;
- private static final int QOP_AUTH = 2;
-
- private int qopVariant = QOP_MISSING;
- private String cnonce;
-
- /**
- * Default constructor for the digest authetication scheme.
- *
- * @since 3.0
- */
- public DigestScheme() {
- super();
- this.complete = false;
- }
-
- /**
- * Gets an ID based upon the realm and the nonce value. This ensures that requests
- * to the same realm with different nonce values will succeed. This differentiation
- * allows servers to request re-authentication using a fresh nonce value.
- *
- * @deprecated no longer used
- */
- public String getID() {
-
- String id = getRealm();
- String nonce = getParameter("nonce");
- if (nonce != null) {
- id += "-" + nonce;
- }
-
- return id;
- }
-
- /**
- * Constructor for the digest authetication scheme.
- *
- * @param challenge authentication challenge
- *
- * @throws MalformedChallengeException is thrown if the authentication challenge
- * is malformed
- *
- * @deprecated Use parameterless constructor and {@link AuthScheme#processChallenge(String)}
- * method
- */
- public DigestScheme(final String challenge)
- throws MalformedChallengeException {
- super(challenge);
- this.complete = true;
- }
-
- /**
- * Processes the Digest challenge.
- *
- * @param challenge the challenge string
- *
- * @throws MalformedChallengeException is thrown if the authentication challenge
- * is malformed
- *
- * @since 3.0
- */
- public void processChallenge(final String challenge)
- throws MalformedChallengeException {
- super.processChallenge(challenge);
-
- if (getParameter("realm") == null) {
- throw new MalformedChallengeException("missing realm in challange");
- }
- if (getParameter("nonce") == null) {
- throw new MalformedChallengeException("missing nonce in challange");
- }
-
- boolean unsupportedQop = false;
- // qop parsing
- String qop = getParameter("qop");
- if (qop != null) {
- StringTokenizer tok = new StringTokenizer(qop,",");
- while (tok.hasMoreTokens()) {
- String variant = tok.nextToken().trim();
- if (variant.equals("auth")) {
- qopVariant = QOP_AUTH;
- break; //that's our favourite, because auth-int is unsupported
- } else if (variant.equals("auth-int")) {
- qopVariant = QOP_AUTH_INT;
- } else {
- unsupportedQop = true;
- LOG.warn("Unsupported qop detected: "+ variant);
- }
- }
- }
-
- if (unsupportedQop && (qopVariant == QOP_MISSING)) {
- throw new MalformedChallengeException("None of the qop methods is supported");
- }
-
- cnonce = createCnonce();
- this.complete = true;
- }
-
- /**
- * Tests if the Digest authentication process has been completed.
- *
- * @return <tt>true</tt> if Digest authorization has been processed,
- * <tt>false</tt> otherwise.
- *
- * @since 3.0
- */
- public boolean isComplete() {
- String s = getParameter("stale");
- if ("true".equalsIgnoreCase(s)) {
- return false;
- } else {
- return this.complete;
- }
- }
-
- /**
- * Returns textual designation of the digest authentication scheme.
- *
- * @return <code>digest</code>
- */
- public String getSchemeName() {
- return "digest";
- }
-
- /**
- * Returns <tt>false</tt>. Digest authentication scheme is request based.
- *
- * @return <tt>false</tt>.
- *
- * @since 3.0
- */
- public boolean isConnectionBased() {
- return false;
- }
-
- /**
- * Produces a digest authorization string for the given set of
- * {@link Credentials}, method name and URI.
- *
- * @param credentials A set of credentials to be used for athentication
- * @param method the name of the method that requires authorization.
- * @param uri The URI for which authorization is needed.
- *
- * @throws InvalidCredentialsException if authentication credentials
- * are not valid or not applicable for this authentication scheme
- * @throws AuthenticationException if authorization string cannot
- * be generated due to an authentication failure
- *
- * @return a digest authorization string
- *
- * @see org.apache.commons.httpclient.HttpMethod#getName()
- * @see org.apache.commons.httpclient.HttpMethod#getPath()
- *
- * @deprecated Use {@link #authenticate(Credentials, HttpMethod)}
- */
- public String authenticate(Credentials credentials, String method, String uri)
- throws AuthenticationException {
-
- LOG.trace("enter DigestScheme.authenticate(Credentials, String, String)");
-
- UsernamePasswordCredentials usernamepassword = null;
- try {
- usernamepassword = (UsernamePasswordCredentials) credentials;
- } catch (ClassCastException e) {
- throw new InvalidCredentialsException(
- "Credentials cannot be used for digest authentication: "
- + credentials.getClass().getName());
- }
- this.getParameters().put("methodname", method);
- this.getParameters().put("uri", uri);
- String digest = createDigest(
- usernamepassword.getUserName(),
- usernamepassword.getPassword(),
- "ISO-8859-1");
-
- return "Digest " + createDigestHeader(usernamepassword.getUserName(), digest);
- }
-
- /**
- * Produces a digest authorization string for the given set of
- * {@link Credentials}, method name and URI.
- *
- * @param credentials A set of credentials to be used for athentication
- * @param method The method being authenticated
- *
- * @throws InvalidCredentialsException if authentication credentials
- * are not valid or not applicable for this authentication scheme
- * @throws AuthenticationException if authorization string cannot
- * be generated due to an authentication failure
- *
- * @return a digest authorization string
- *
- * @since 3.0
- */
- public String authenticate(Credentials credentials, HttpMethod method)
- throws AuthenticationException {
-
- LOG.trace("enter DigestScheme.authenticate(Credentials, HttpMethod)");
-
- UsernamePasswordCredentials usernamepassword = null;
- try {
- usernamepassword = (UsernamePasswordCredentials) credentials;
- } catch (ClassCastException e) {
- throw new InvalidCredentialsException(
- "Credentials cannot be used for digest authentication: "
- + credentials.getClass().getName());
- }
- this.getParameters().put("methodname", method.getName());
- this.getParameters().put("uri", method.getPath());
- String digest = createDigest(
- usernamepassword.getUserName(),
- usernamepassword.getPassword(),
- method.getParams().getCredentialCharset());
-
- return "Digest " + createDigestHeader(usernamepassword.getUserName(),
- digest);
- }
-
- /**
- * Creates an MD5 response digest.
- *
- * @param uname Username
- * @param pwd Password
- * @param charset The credential charset
- *
- * @return The created digest as string. This will be the response tag's
- * value in the Authentication HTTP header.
- * @throws AuthenticationException when MD5 is an unsupported algorithm
- */
- private String createDigest(String uname, String pwd, String charset) throws AuthenticationException {
-
- LOG.trace("enter DigestScheme.createDigest(String, String, Map)");
-
- final String digAlg = "MD5";
-
- // Collecting required tokens
- String uri = getParameter("uri");
- String realm = getParameter("realm");
- String nonce = getParameter("nonce");
- String qop = getParameter("qop");
- String method = getParameter("methodname");
- String algorithm = getParameter("algorithm");
-
- // If an algorithm is not specified, default to MD5.
- if(algorithm == null) {
- algorithm="MD5";
- }
-
- if (qopVariant == QOP_AUTH_INT) {
- LOG.warn("qop=auth-int is not supported");
- throw new AuthenticationException(
- "Unsupported qop in HTTP Digest authentication");
- }
-
- MessageDigest md5Helper;
-
- try {
- md5Helper = MessageDigest.getInstance(digAlg);
- } catch (Exception e) {
- throw new AuthenticationException(
- "Unsupported algorithm in HTTP Digest authentication: "
- + digAlg);
- }
-
- // 3.2.2.2: Calculating digest
- StringBuffer tmp = new StringBuffer(uname.length() + realm.length() + pwd.length() + 2);
- tmp.append(uname);
- tmp.append(':');
- tmp.append(realm);
- tmp.append(':');
- tmp.append(pwd);
- // unq(username-value) ":" unq(realm-value) ":" passwd
- String a1 = tmp.toString();
- //a1 is suitable for MD5 algorithm
- if(algorithm.equals("MD5-sess")) {
- // H( unq(username-value) ":" unq(realm-value) ":" passwd )
- // ":" unq(nonce-value)
- // ":" unq(cnonce-value)
-
- String tmp2=encode(md5Helper.digest(EncodingUtil.getBytes(a1, charset)));
- StringBuffer tmp3 = new StringBuffer(tmp2.length() + nonce.length() + cnonce.length() + 2);
- tmp3.append(tmp2);
- tmp3.append(':');
- tmp3.append(nonce);
- tmp3.append(':');
- tmp3.append(cnonce);
- a1 = tmp3.toString();
- } else if(!algorithm.equals("MD5")) {
- LOG.warn("Unhandled algorithm " + algorithm + " requested");
- }
- String md5a1 = encode(md5Helper.digest(EncodingUtil.getBytes(a1, charset)));
-
- String a2 = null;
- if (qopVariant == QOP_AUTH_INT) {
- LOG.error("Unhandled qop auth-int");
- //we do not have access to the entity-body or its hash
- //TODO: add Method ":" digest-uri-value ":" H(entity-body)
- } else {
- a2 = method + ":" + uri;
- }
- String md5a2 = encode(md5Helper.digest(EncodingUtil.getAsciiBytes(a2)));
-
- // 3.2.2.1
- String serverDigestValue;
- if (qopVariant == QOP_MISSING) {
- LOG.debug("Using null qop method");
- StringBuffer tmp2 = new StringBuffer(md5a1.length() + nonce.length() + md5a2.length());
- tmp2.append(md5a1);
- tmp2.append(':');
- tmp2.append(nonce);
- tmp2.append(':');
- tmp2.append(md5a2);
- serverDigestValue = tmp2.toString();
- } else {
- LOG.debug("Using qop method " + qop);
- String qopOption = getQopVariantString();
- StringBuffer tmp2 = new StringBuffer(md5a1.length() + nonce.length()
- + NC.length() + cnonce.length() + qopOption.length() + md5a2.length() + 5);
- tmp2.append(md5a1);
- tmp2.append(':');
- tmp2.append(nonce);
- tmp2.append(':');
- tmp2.append(NC);
- tmp2.append(':');
- tmp2.append(cnonce);
- tmp2.append(':');
- tmp2.append(qopOption);
- tmp2.append(':');
- tmp2.append(md5a2);
- serverDigestValue = tmp2.toString();
- }
-
- String serverDigest =
- encode(md5Helper.digest(EncodingUtil.getAsciiBytes(serverDigestValue)));
-
- return serverDigest;
- }
-
- /**
- * Creates digest-response header as defined in RFC2617.
- *
- * @param uname Username
- * @param digest The response tag's value as String.
- *
- * @return The digest-response as String.
- */
- private String createDigestHeader(String uname, String digest) throws AuthenticationException {
-
- LOG.trace("enter DigestScheme.createDigestHeader(String, Map, "
- + "String)");
-
- StringBuffer sb = new StringBuffer();
- String uri = getParameter("uri");
- String realm = getParameter("realm");
- String nonce = getParameter("nonce");
- String nc = getParameter("nc");
- String opaque = getParameter("opaque");
- String response = digest;
- String qop = getParameter("qop");
- String algorithm = getParameter("algorithm");
-
- sb.append("username=\"" + uname + "\"")
- .append(", realm=\"" + realm + "\"")
- .append(", nonce=\"" + nonce + "\"").append(", uri=\"" + uri + "\"")
- .append(", response=\"" + response + "\"");
- if (qopVariant != QOP_MISSING) {
- sb.append(", qop=\"" + getQopVariantString() + "\"")
- .append(", nc="+ NC)
- .append(", cnonce=\"" + cnonce + "\"");
- }
- if (algorithm != null) {
- sb.append(", algorithm=\"" + algorithm + "\"");
- }
- if (opaque != null) {
- sb.append(", opaque=\"" + opaque + "\"");
- }
- return sb.toString();
- }
-
- private String getQopVariantString() {
- String qopOption;
- if (qopVariant == QOP_AUTH_INT) {
- qopOption = "auth-int";
- } else {
- qopOption = "auth";
- }
- return qopOption;
- }
-
- /**
- * Encodes the 128 bit (16 bytes) MD5 digest into a 32 characters long
- * <CODE>String</CODE> according to RFC 2617.
- *
- * @param binaryData array containing the digest
- * @return encoded MD5, or <CODE>null</CODE> if encoding failed
- */
- private static String encode(byte[] binaryData) {
- LOG.trace("enter DigestScheme.encode(byte[])");
-
- if (binaryData.length != 16) {
- return null;
- }
-
- char[] buffer = new char[32];
- for (int i = 0; i < 16; i++) {
- int low = (int) (binaryData[i] & 0x0f);
- int high = (int) ((binaryData[i] & 0xf0) >> 4);
- buffer[i * 2] = HEXADECIMAL[high];
- buffer[(i * 2) + 1] = HEXADECIMAL[low];
- }
-
- return new String(buffer);
- }
-
-
- /**
- * Creates a random cnonce value based on the current time.
- *
- * @return The cnonce value as String.
- * @throws HttpClientError if MD5 algorithm is not supported.
- */
- public static String createCnonce() {
- LOG.trace("enter DigestScheme.createCnonce()");
-
- String cnonce;
- final String digAlg = "MD5";
- MessageDigest md5Helper;
-
- try {
- md5Helper = MessageDigest.getInstance(digAlg);
- } catch (NoSuchAlgorithmException e) {
- throw new HttpClientError(
- "Unsupported algorithm in HTTP Digest authentication: "
- + digAlg);
- }
-
- cnonce = Long.toString(System.currentTimeMillis());
- cnonce = encode(md5Helper.digest(EncodingUtil.getAsciiBytes(cnonce)));
-
- return cnonce;
- }
- }