Class DigestAuthenticationFilter
- All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to RFC 2617 (which superseded RFC 2069, although this filter supports clients that implement either RFC 2617 or RFC 2069).
This filter can be used to provide Digest authentication services to both remoting protocol clients (such as Hessian and SOAP) and standard user agents (such as Internet Explorer and Firefox).
This Digest implementation has been designed to avoid needing to store session state between invocations. All session management information is stored in the "nonce" that is sent to the client by the DigestAuthenticationEntryPoint.
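The following Java class is an added illustration of the self-validating nonce pattern the paragraph above describes; it is example code, not Spring Security's own, and the exact nonce layout DigestAuthenticationEntryPoint emits is documented on that class. The layout assumed here is base64(expiry ":" md5hex(expiry ":" serverKey)): the expiry and a digest keyed with a server secret travel inside the nonce, so the server needs no per-client state to check that it minted the nonce and that the nonce is still fresh. The class name StatelessNonce, the serverKey value and the 300-second validity are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HexFormat;

// Illustrative self-validating nonce for Digest authentication (example code, not Spring Security's).
// Layout assumed here: base64(expiryMillis ":" md5hex(expiryMillis ":" serverKey)).
// Because the expiry and its digest travel inside the nonce, the server keeps no per-client state.
public final class StatelessNonce {

    private final String serverKey;   // assumption: a per-deployment secret, like the one given to DigestAuthenticationEntryPoint.setKey
    private final long validityMillis;

    public StatelessNonce(String serverKey, int validitySeconds) {
        this.serverKey = serverKey;
        this.validityMillis = validitySeconds * 1000L;
    }

    private static String md5Hex(String s) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is mandatory for RFC 2617 Digest", e);
        }
    }

    private String signature(long expiry) {
        return md5Hex(expiry + ":" + serverKey);
    }

    /** Mints a nonce that expires validitySeconds after nowMillis. */
    public String mint(long nowMillis) {
        long expiry = nowMillis + validityMillis;
        String raw = expiry + ":" + signature(expiry);
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** True only if this server minted the nonce and it has not expired; every parse failure fails closed. */
    public boolean validate(String nonce, long nowMillis) {
        String raw;
        try {
            raw = new String(Base64.getDecoder().decode(nonce), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false;   // not base64
        }
        String[] parts = raw.split(":", 2);
        if (parts.length != 2) {
            return false;   // digest part missing
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[0]);
        } catch (NumberFormatException e) {
            return false;   // tampered expiry
        }
        // Constant-time comparison so the digest cannot be recovered byte by byte from timing differences.
        byte[] expected = signature(expiry).getBytes(StandardCharsets.UTF_8);
        byte[] presented = parts[1].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) {
            return false;   // forged or altered
        }
        return expiry >= nowMillis;   // an expired nonce sends the client back to the entry point for a fresh challenge
    }

    public static void main(String[] args) {
        StatelessNonce nonces = new StatelessNonce("replace-with-a-long-random-secret", 300);
        long now = System.currentTimeMillis();
        String nonce = nonces.mint(now);
        System.out.println("fresh nonce valid: " + nonces.validate(nonce, now));
        System.out.println("after 10 minutes:  " + nonces.validate(nonce, now + 600_000L));
        System.out.println("tampered nonce:    " + nonces.validate(nonce.substring(1), now));
    }
}
```

Two properties of the pattern matter in practice: the key must be a long random value private to the server, since anyone who knows it can mint nonces the filter will accept, and the validity window bounds how long a captured nonce can be replayed, which is why it is kept short.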
If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.
If authentication fails, an AuthenticationEntryPoint implementation is called. This must always be DigestAuthenticationEntryPoint, which will prompt the user to authenticate again via Digest authentication.
Note that there are limitations to Digest authentication, although it is a more comprehensive and secure solution than Basic authentication. Please see RFC 2617 section 4 for a full discussion of the advantages of Digest authentication over Basic authentication, including commentary on the limitations that it still imposes.
- Since:
- 1.0.0
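The class description above leaves the wiring to the reader. The following configuration is an added example (not from this Javadoc or from the Spring Security project) that puts the filter, its DigestAuthenticationEntryPoint and a UserDetailsService into a Spring Security 6 SecurityFilterChain; the jakarta.servlet interfaces listed above place this class in the 6.x line. The class names, the realm name, the key value, the sample user and the URL rule are assumptions for the example. The filter is deliberately created by a plain method rather than a @Bean, because a Filter bean would also be registered by the servlet container outside the security chain.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;

// Example wiring, not code from Spring Security. All names and values are assumptions for the example.
@Configuration
@EnableWebSecurity
public class DigestSecurityConfig {

    // Digest requires the server to hold the cleartext password or the RFC 2617 HA1 value,
    // so a one-way bcrypt/argon2 hash cannot be used in this store.
    @Bean
    UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("alice").password("s3cret").roles("USER").build());
    }

    @Bean
    DigestAuthenticationEntryPoint digestEntryPoint() {
        DigestAuthenticationEntryPoint entryPoint = new DigestAuthenticationEntryPoint();
        entryPoint.setRealmName("Example Realm");                   // assumption: realm name shown to clients
        entryPoint.setKey("replace-with-a-long-random-secret");     // assumption: per-deployment secret used to mint nonces
        entryPoint.setNonceValiditySeconds(300);                    // short window limits replay of a captured nonce
        return entryPoint;
    }

    // Not a @Bean on purpose: the container would otherwise register the filter a second time outside the chain.
    private DigestAuthenticationFilter digestFilter(UserDetailsService users, DigestAuthenticationEntryPoint entryPoint) {
        DigestAuthenticationFilter filter = new DigestAuthenticationFilter();
        filter.setUserDetailsService(users);
        filter.setAuthenticationEntryPoint(entryPoint);   // must be the DigestAuthenticationEntryPoint, per the class description
        filter.setPasswordAlreadyEncoded(false);          // the store above holds cleartext, not HA1
        filter.setCreateAuthenticatedToken(false);        // documented default: keep the account-status checks
        return filter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users,
                                    DigestAuthenticationEntryPoint entryPoint) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(entryPoint))   // unauthenticated requests get the Digest challenge
            .addFilterBefore(digestFilter(users, entryPoint), BasicAuthenticationFilter.class);
        return http.build();
    }
}
```

With this wiring an unauthenticated request receives a 401 with a WWW-Authenticate: Digest challenge from the entry point, and the filter verifies the Authorization header on the retry. No SecurityContextRepository is set, so, as documented under setSecurityContextRepository, the SecurityContext is not saved between requests and every request must carry its own Digest header.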
Field Summary
Modifier and Type    Field    Description
protected org.springframework.context.support.MessageSourceAccessor    messages
-
Constructor Summary
Constructor    Description
DigestAuthenticationFilter()
Method Summary
Modifier and Type    Method    Description
void    afterPropertiesSet()
void    doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
protected final DigestAuthenticationEntryPoint    getAuthenticationEntryPoint()
org.springframework.security.core.userdetails.UserCache    getUserCache()
org.springframework.security.core.userdetails.UserDetailsService    getUserDetailsService()
void    setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource)
void    setAuthenticationEntryPoint(DigestAuthenticationEntryPoint authenticationEntryPoint)
void    setCreateAuthenticatedToken(boolean createAuthenticatedToken)    If you set this property, the Authentication object created after a successful Digest authentication will be marked as authenticated and filled with the authorities loaded by the UserDetailsService.
void    setMessageSource(org.springframework.context.MessageSource messageSource)
void    setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)
void    setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)    Sets the SecurityContextHolderStrategy to use.
void    setSecurityContextRepository(SecurityContextRepository securityContextRepository)    Sets the SecurityContextRepository to save the SecurityContext on authentication success.
void    setUserCache(org.springframework.security.core.userdetails.UserCache userCache)
void    setUserDetailsService(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Field Details
messages
protected org.springframework.context.support.MessageSourceAccessor messages

Constructor Details
DigestAuthenticationFilter
public DigestAuthenticationFilter()

Method Details
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Overrides:
afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

doFilter
public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
- Specified by:
doFilter in interface jakarta.servlet.Filter
- Throws:
IOException
jakarta.servlet.ServletException
getAuthenticationEntryPoint
protected final DigestAuthenticationEntryPoint getAuthenticationEntryPoint()

getUserCache
public org.springframework.security.core.userdetails.UserCache getUserCache()

getUserDetailsService
public org.springframework.security.core.userdetails.UserDetailsService getUserDetailsService()

setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource)

setAuthenticationEntryPoint
public void setAuthenticationEntryPoint(DigestAuthenticationEntryPoint authenticationEntryPoint)

setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource)
- Specified by:
setMessageSource in interface org.springframework.context.MessageSourceAware
setPasswordAlreadyEncoded
public void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded)
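The Javadoc does not spell out what "already encoded" means, so the following added example (not Spring Security's code) shows the RFC 2617 arithmetic the flag changes. It assumes, as the flag name indicates, that an already encoded password is the HA1 value MD5(username ":" realm ":" password), which is the only form of the credential a Digest verifier ever needs. It covers qop=auth clients; RFC 2069 clients omit nc, cnonce and qop and are not covered. The class name, the user, the realm and every value in the sample exchange are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Example code, not Spring Security's: the RFC 2617 (qop=auth) arithmetic behind passwordAlreadyEncoded.
// Assumption: an "already encoded" password is HA1 = MD5(username ":" realm ":" password).
public final class DigestResponseCheck {

    private static String md5Hex(String s) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is mandatory for RFC 2617 Digest", e);
        }
    }

    /** HA1 as defined in RFC 2617; the value a UserDetailsService would return when passwordAlreadyEncoded is true. */
    public static String ha1(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /** The "response" directive a client sends for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri). */
    public static String response(String ha1, String method, String uri, String nonce, String nc, String cnonce) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    /** Server-side check. storedSecret is the cleartext when alreadyEncoded is false and HA1 when it is true. */
    public static boolean verify(String storedSecret, boolean alreadyEncoded, String username, String realm,
                                 String method, String uri, String nonce, String nc, String cnonce,
                                 String clientResponse) {
        String ha1 = alreadyEncoded ? storedSecret : ha1(username, realm, storedSecret);
        byte[] expected = response(ha1, method, uri, nonce, nc, cnonce).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, clientResponse.getBytes(StandardCharsets.UTF_8));   // constant-time compare
    }

    public static void main(String[] args) {
        // Constructed sample exchange; every value is made up for this example.
        String user = "alice", realm = "Example Realm", password = "s3cret";
        String nonce = "MTcwMDAwMDAwMDAwMDphYmNkZWYwMTIzNDU2Nzg5", nc = "00000001", cnonce = "0a4f113b";
        String method = "GET", uri = "/api/orders";

        // What a conforming client computes from the cleartext it holds.
        String clientResponse = response(ha1(user, realm, password), method, uri, nonce, nc, cnonce);

        // Both storage modes accept the same header; only what sits in the user store differs.
        System.out.println("cleartext store verifies: "
                + verify(password, false, user, realm, method, uri, nonce, nc, cnonce, clientResponse));
        System.out.println("HA1 store verifies:       "
                + verify(ha1(user, realm, password), true, user, realm, method, uri, nonce, nc, cnonce, clientResponse));

        // HA1 is bound to the realm name: an HA1 computed for another realm does not verify.
        System.out.println("HA1 for other realm:      "
                + verify(ha1(user, "Other Realm", password), true, user, realm, method, uri, nonce, nc, cnonce, clientResponse));

        // A leaked HA1 is password-equivalent for this realm: whoever holds it can compute valid responses.
        String forgedFromHa1 = response(ha1(user, realm, password), method, uri, nonce, nc, cnonce);
        System.out.println("forged from HA1 accepted: "
                + verify(ha1(user, realm, password), true, user, realm, method, uri, nonce, nc, cnonce, forgedFromHa1));
    }
}
```

Two consequences follow for anyone choosing the flag. Storing HA1 instead of the cleartext keeps the cleartext itself out of the user store, which matters when users reuse passwords elsewhere, but HA1 is still password-equivalent for this realm, so a store compromise still yields working credentials, and an unsalted MD5 of username, realm and password is cheap to guess offline. Because HA1 includes the realm name, renaming the realm in DigestAuthenticationEntryPoint invalidates every stored HA1.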
setUserCache
public void setUserCache(org.springframework.security.core.userdetails.UserCache userCache)

setUserDetailsService
public void setUserDetailsService(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
setCreateAuthenticatedToken
public void setCreateAuthenticatedToken(boolean createAuthenticatedToken)
If you set this property, the Authentication object created after a successful Digest authentication will be marked as authenticated and filled with the authorities loaded by the UserDetailsService. It will therefore not be re-authenticated by your AuthenticationProvider. This means that only the user's password is checked, not the account-status flags such as isEnabled() or isAccountNonExpired(), so a disabled or expired account can still authenticate. Enabling this flag saves some time, as otherwise your UserDetailsService is called twice. A more secure option is to put a cache around your UserDetailsService; but if you do not use these flags, you can also safely enable this option.
- Parameters:
createAuthenticatedToken - default is false
setSecurityContextRepository
public void setSecurityContextRepository(SecurityContextRepository securityContextRepository)
Sets the SecurityContextRepository to save the SecurityContext on authentication success. The default action is not to save the SecurityContext.
- Parameters:
securityContextRepository - the SecurityContextRepository to use. Cannot be null.
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
- Since:
- 5.8