Почетна Преглед Помоћ
Регистрација Пријавите се
github
/
spring-security
огледало од https://github.com/spring-projects/spring-security
2
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: 11616a1d78
Гране Ознаке
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
authentication
/
passwords
/
digest.adoc

digest.adoc 4.1 KB
Историја Датотека

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. [[servlet-authentication-digest]]
    2. 

  2. = Digest Authentication
    3. 

  3. 

  4. This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
    5. 

  5. 

  6. [WARNING]
    7. 

  7. ====
    8. 

  8. You should not use Digest Authentication in modern applications, because it is not considered to be secure.
    9. 

  9. The most obvious problem is that you must store your passwords in plaintext or an encrypted or MD5 format.
    10. 

  10. All of these storage formats are considered insecure.
    11. 

  11. Instead, you should store credentials by using a one way adaptive password hash (bCrypt, PBKDF2, SCrypt, and others), which is not supported by Digest Authentication.
    12. 

  12. ====
    13. 

  13. 

  14. Digest Authentication tries to solve many of the weaknesses of xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire.
    15. 

  15. Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication].
    16. 

  16. 

  17. The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069].
    18. 

  18. Most user agents implement RFC 2617.
    19. 

  19. Spring Security's Digest Authentication support is compatible with the "`auth`" quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.
    20. 

  20. Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (no TLS or HTTPS) and wish to maximize security of the authentication process.
    21. 

  21. However, everyone should use xref:features/exploits/http.adoc#http[HTTPS].
    22. 

  22. 

  23. Central to Digest Authentication is a "`nonce`".
    24. 

  24. This is a value the server generates.
    25. 

  25. Spring Security's nonce adopts the following format:
    26. 

  26. 

  27. .Digest Syntax
    28. 

  28. [source,txt]
    29. 

  29. ----
    30. 

  30. base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
    31. 

  31. expirationTime:   The date and time when the nonce expires, expressed in milliseconds
    32. 

  32. key:              A private key to prevent modification of the nonce token
    33. 

  33. ----
    34. 

  34. 

  35. You need to ensure that you xref:features/authentication/password-storage.adoc#authentication-password-storage-configuration[configure] insecure plain text xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage] using `NoOpPasswordEncoder`.
    36. 

  36. (See the javadoc:org.springframework.security.crypto.password.NoOpPasswordEncoder[] class in the Javadoc.)
    37. 

  37. The following provides an example of configuring Digest Authentication with Java Configuration:
    38. 

  38. 

  39. .Digest Authentication
    40. 

  40. [tabs]
    41. 

  41. ======
    42. 

  42. Java::
    43. 

  43. +
    44. 

  44. [source,java,role="primary"]
    45. 

  45. ----
    46. 

  46. @Autowired
    47. 

  47. UserDetailsService userDetailsService;
    48. 

  48. 

  49. DigestAuthenticationEntryPoint authenticationEntryPoint() {
    50. 

  50. 	DigestAuthenticationEntryPoint result = new DigestAuthenticationEntryPoint();
    51. 

  51. 	result.setRealmName("My App Realm");
    52. 

  52. 	result.setKey("3028472b-da34-4501-bfd8-a355c42bdf92");
    53. 

  53. 	return result;
    54. 

  54. }
    55. 

  55. 

  56. DigestAuthenticationFilter digestAuthenticationFilter() {
    57. 

  57. 	DigestAuthenticationFilter result = new DigestAuthenticationFilter();
    58. 

  58. 	result.setUserDetailsService(userDetailsService);
    59. 

  59. 	result.setAuthenticationEntryPoint(authenticationEntryPoint());
    60. 

  60. 	return result;
    61. 

  61. }
    62. 

  62. 

  63. @Bean
    64. 

  64. public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    65. 

  65. 	http
    66. 

  66. 		// ...
    67. 

  67. 		.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
    68. 

  68. 		.addFilter(digestAuthenticationFilter());
    69. 

  69. 	return http.build();
    70. 

  70. }
    71. 

  71. ----
    72. 

  72. 

  73. XML::
    74. 

  74. +
    75. 

  75. [source,xml,role="secondary"]
    76. 

  76. ----
    77. 

  77. <b:bean id="digestFilter"
    78. 

  78.         class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter"
    79. 

  79.     p:userDetailsService-ref="jdbcDaoImpl"
    80. 

  80.     p:authenticationEntryPoint-ref="digestEntryPoint"
    81. 

  81. />
    82. 

  82. 

  83. <b:bean id="digestEntryPoint"
    84. 

  84.         class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"
    85. 

  85.     p:realmName="My App Realm"
    86. 

  86. 	p:key="3028472b-da34-4501-bfd8-a355c42bdf92"
    87. 

  87. />
    88. 

  88. 

  89. <http>
    90. 

  90. 	<!-- ... -->
    91. 

  91. 	<custom-filter ref="userFilter" position="DIGEST_AUTH_FILTER"/>
    92. 

  92. </http>
    93. 

  93. ----
    94. 

  94. ======
    95.