Changeset 1532

Timestamp:

2010-05-11 11:42:49 (3 years ago)

Author:

jgou

Message:

fix digest authentication (was broken due to restlet upgrade) ; see #317

Location:

trunk/modules/kauri-security

Files:

• kauri-security-auth-methods/src/main/java/org/kauriproject/security/providers/DigestAuthenticationMethod.java (modified) (4 diffs)
• kauri-security-impl/src/test/java/org/kauriproject/security/test/SecurityTest.java (modified) (7 diffs)

trunk/modules/kauri-security/kauri-security-auth-methods/src/main/java/org/kauriproject/security/providers/DigestAuthenticationMethod.java

@@ -30 +30 @@
 import org.restlet.data.ChallengeResponse;
 import org.restlet.data.ChallengeScheme;
-import org.restlet.data.Parameter;
 import org.restlet.data.Status;
 import org.restlet.ext.crypto.internal.CryptoUtils;
-import org.restlet.util.Series;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
@@ -83 +81 @@
         if (!cr.getScheme().equals(ChallengeScheme.HTTP_DIGEST)) return null;
             
-        final Series<Parameter> credentials = cr.getParameters();
-        final String username = credentials.getFirstValue("username");
-        final String crealm = credentials.getFirstValue("realm");
-        final String nonce = credentials.getFirstValue("nonce");
-        final String uri = credentials.getFirstValue("uri");
-        final String cresponse = credentials.getFirstValue("response");
-        final String qop = credentials.getFirstValue("qop");
-        final String nc = credentials.getFirstValue("nc");
-        final String cnonce = credentials.getFirstValue("cnonce");
-
+        final String username = cr.getIdentifier();
+        final String crealm = cr.getRealm();
+        final String nonce = cr.getServerNonce();
+        final String uri = cr.getDigestRef().toString();
+        final String cresponse = new String(cr.getSecret());
+        final String qop = cr.getQuality();
+        final String nc = cr.getServerNounceCountAsHex();
+        final String cnonce = cr.getClientNonce();
+        
 //        if (!isNonceValid(nonce)) {
 //            throw new MalformedAuthenticationRequestException("The supplied nonce is invalid");
@@ -98 +95 @@
 
         // Check all required parameters were supplied (ie RFC 2069)
-        if ((username == null) || (realm == null) || (nonce == null) || (uri == null) || (response == null)) {
+        if ((username == null) || (realm == null) || (nonce == null) || (uri == null) || (cresponse == null)) {
             throw new MalformedAuthenticationRequestException("Missing parameter in Authenticate header");
         }
@@ -236 +233 @@
         // there is only one challenge scheme, that of the Guard.
         ChallengeRequest challengeRequest = new ChallengeRequest(ChallengeScheme.HTTP_DIGEST, realm.getName());
+        
+        challengeRequest.setServerNonce(CryptoUtils.makeNonce(getServerKey()));
+
+        // indicate stale nonce was found in challenge response
+        challengeRequest.setStale(response.getAttributes().containsKey("stale"));
 
         response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
         response.setChallengeRequest(challengeRequest);
-
-        final Series<Parameter> parameters = challengeRequest
-                .getParameters();
-
-        //TODO: domain?
-        parameters.add("domain", domain);
-
-        parameters.add("nonce", CryptoUtils.makeNonce(getServerKey()));
-
-        if (response.getAttributes().containsKey("stale")) {
-            // indicate stale nonce was found in challenge response
-            parameters.add("stale", "true");
-        }
-        
     }
 

trunk/modules/kauri-security/kauri-security-impl/src/test/java/org/kauriproject/security/test/SecurityTest.java

@@ -114 +114 @@
 
         //DIGEST authentication
-        /*
         doTestUnauthenticated(externalPrefix, "/test", externalSuffix, 200);
         doTestUnauthenticated(externalPrefix, "/digest/user", externalSuffix, 401);
@@ -126 +125 @@
         doTestDigest(externalPrefix, "/digest/user", externalSuffix, ADMIN, ADMINPW, 403);
         doTestDigest(externalPrefix, "/digest/admin", externalSuffix, ADMIN, ADMINPW, 200);
-        */
 
         //FORM-based authentication
@@ -164 +162 @@
         // basic auth does not suffice for strength 2, we should get a new challenge
         doTestBasic(externalPrefix, "/strengths/strength2", externalSuffix, USER, USERPW, 401);
-//        doTestDigest(externalPrefix, "/strengths/strength2", externalSuffix, USER, USERPW, 200);
+        doTestDigest(externalPrefix, "/strengths/strength2", externalSuffix, USER, USERPW, 200);
         // there's no method with strength 3
         doTestBasic(externalPrefix, "/strengths/strength3", externalSuffix, USER, USERPW, 500);
@@ -198 +196 @@
 
         //DIGEST authentication
-        /*
         doTestDigest(internalPrefix, "/test", internalSuffix, USER, USERPW, 200);
         doTestDigest(internalPrefix, "/digest/user", internalSuffix, USER, USERPW, 200);
@@ -206 +203 @@
         doTestDigest(internalPrefix, "/digest/user", internalSuffix, ADMIN, ADMINPW, 403);
         doTestDigest(internalPrefix, "/digest/admin", internalSuffix, ADMIN, ADMINPW, 200);
-        */
 
     }
@@ -278 +274 @@
         // first request:
         Request request = createRequest(path);
-        Reference ref = request.getResourceRef();
         Response response = cd.handle(request);
 
@@ -291 +286 @@
         }
         
-        ChallengeRequest challengeRequest = response.getChallengeRequests().get(0);
-        
         // second request:
-        request = new Request(Method.GET, path);
-
-        ChallengeResponse challengeResponse = new ChallengeResponse(ChallengeScheme.HTTP_DIGEST, user, password);
-        Series<Parameter> cReqParams = challengeRequest.getParameters();
-        Form form = new Form();
-        form.add("username", user);
-        form.add("uri", ref.getPath());
-
-        // Retrieve values sent by the server
-        form.add(cReqParams.getFirst("nonce"));
-        form.add(cReqParams.getFirst("realm"));
-        form.add(cReqParams.getFirst("domain"));
-        form.add(cReqParams.getFirst("algorithm"));
-        form.add(cReqParams.getFirst("qop")); 
-        form.add("cnonce", Long.toHexString((long)(Math.random()*10000)));
-        form.add("nc", "1");
-        
-        String a1 = DigestUtils.toMd5(form.getFirstValue("username") + ":" + form.getFirstValue("realm") + ":" + password);
-        String a2 = DigestUtils.toMd5(request.getMethod() + ":" + form.getFirstValue("uri"));
-        
-        form.add("response", DigestUtils.toMd5(a1 + ":" + form.getFirstValue("nonce") + ":" + form.getFirstValue("nc") + ":" + form.getFirstValue("cnonce") + ":" + form.getFirstValue("qop") + ":" + a2));
-
-        //challengeResponse.setCredentialComponents(form);
-        challengeResponse.setParameters(form);
+        
+        // Complete the challengeResponse object according to the server's data
+        // 1- Loop over the challengeRequest objects sent by the server.
+        ChallengeRequest c1 = null;
+        for (ChallengeRequest challengeRequest : response.getChallengeRequests()) {
+            if (ChallengeScheme.HTTP_DIGEST.equals(challengeRequest.getScheme())) {
+                c1 = challengeRequest;
+                break;
+            }
+        }
+
+        // 2- Create the Challenge response used by the client to authenticate
+        // its requests.
+        ChallengeResponse challengeResponse = new ChallengeResponse(c1, response, user, password);
+        //resource.setChallengeResponse(challengeResponse);
         request.setChallengeResponse(challengeResponse);