Smalltalk/X Webserver

Documentation of class 'Authentication::DigestAuthenticator':


Class: DigestAuthenticator (in Authentication)


Inheritance:

   Object
   |
   +--Authentication::Authenticator
      |
      +--Authentication::DigestAuthenticator

Package:
stx:goodies/authentication
Category:
Net-Authentication
Version:
rev: 1.14 date: 2019/02/06 14:24:33
user: stefan
file: Authentication__DigestAuthenticator.st directory: goodies/authentication
module: stx stc-classLibrary: authentication
Author:
Stefan Vogel (stefan@zwerg)

Description:


This class implements Digest Authentication as defined in RFC 2617.


[instance variables:]
    username realm nonce uri opaque qop algorithm nc cnonce response
                        String      credential data supplied by the client

    requestMethod       String      the type of request that should be authenticated (for HTTP: 'GET', 'PUT', 'POST')
    timestamp           Timestamp   the timestamp when the challenge has been generated
    bodyData            String      the data of the body, used when qop=auth-int.

[class variables:]


Related information:



Class protocol:

default values
o  defaultReplayTimer
answer the time in seconds, until the nonce value used to generate
a response times out.
So replay attacks are only possible within this time.
If <= 0, no checking will be done.

protocol
o  generateChallengeForRealm: aRealm
generate a challenge for a client.
The challenge is Base64(timestamp:Hash(random stuff))

usage example(s):

        self generateChallengeForRealm:'realm'

o  mechanismName
answer the name of the mechanism as known in the protocols

o  newAuthenticationData
answer the authentication data used by this authenticator

o  newForChallenge: aChallengeString
client got a challenge from server:
'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
Generate a response.


Instance protocol:

accessing
o  algorithm

o  algorithm: something

o  bodyData: aStringOrByteArray
pass the body data.
some authenticators need this (Digest with qop=auth-int)

o  cnonce

o  cnonce: something

o  nc

o  nc: something

o  nonce

o  nonce: something

o  opaque

o  opaque: something

o  qop

o  qop: something

o  realm

o  realm: something

o  requestMethod

o  requestMethod: something

o  response

o  response: something

o  uri

o  uri: something

o  username

o  username: something

initialization
o  initializeWith: authString
initialize the algorithm with the response parameters:

private
o  generateHashFor: authenticationData
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)

o  parseChallenge: aChallengeString
client got a challenge from server:
'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
Generate a response.

protocol
o  authenticateWith: authenticationData
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)

o  authenticateWithUserResolver: aOneArgBlock
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)

o  generateResponseForChallenge: aChallengeString user: userNameString password: password uri: anUriString method: requestMethodArg
generate the client's response for a challenge received from the server.

usage example(s):

        self new
            generateResponseForChallenge:'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
            user:'stefan'
            password:'secret'
            uri:'/data'
            method:'GET'

o  generateStaleChallenge
generate a challenge for a client.
This is sent when the credentials are stale, i.e. the user has already
supplied valid username/password and will not be asked again.

protocol parameters
o  replayTimer
answer the time in seconds, until the nonce value used to generate
a response times out.
So replay attacks are only possible within this time.
If < 0, no checking will be done

queries
o  isValidUri: uriString
answer true if the authenticator is valid for the URI in uriString.
Mozilla and IE (up to 6.0) differ here: Mozilla sends the base URI without parameters,
whereas IE sends the URI with all parameters.

So we declare any URI that starts with the authenticated URI as valid.

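The pieces documented above (the timestamped challenge from generateChallengeForRealm:, the replayTimer window, the BadCredentialsError / ExpiredCredentialsError outcomes of authenticateWithUserResolver:, and the prefix rule of isValidUri:) fit together as follows. This is an added example written in Python for illustration; it is not the Smalltalk/X class and does not use its API. It carries the RFC 2617 response formula (HA1, HA2, MD5) that the page only references, and it assumes SHA-256 over 16 random bytes as the "Hash(random stuff)" part of the nonce; the exception classes, field names and the constructed exchange at the bottom are this example's own.

```python
"""Added example (not the ST/X class): RFC 2617 digest authentication with a
timestamped nonce and a replay window, written in Python for illustration."""
import base64
import hashlib
import hmac
import os
import time


class BadCredentialsError(Exception):
    """Raised when the response does not match the resolved credentials."""


class ExpiredCredentialsError(Exception):
    """Raised when the nonce is older than the replay timer (possible replay)."""


def _md5(text):
    # MD5 is what RFC 2617 specifies for algorithm="MD5"; it is the protocol's choice.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def generate_nonce(now=None):
    """Nonce in the shape the page describes: Base64(timestamp:Hash(random stuff)).
    Assumption: the hash is SHA-256 over 16 random bytes. The timestamp stays
    readable so the server can age the nonce without keeping per-nonce state."""
    ts = int(time.time()) if now is None else int(now)
    rnd = hashlib.sha256(os.urandom(16)).hexdigest()
    return base64.b64encode("{}:{}".format(ts, rnd).encode("ascii")).decode("ascii")


def nonce_timestamp(nonce):
    """Recover the timestamp the challenge was generated with."""
    ts, _, _ = base64.b64decode(nonce).decode("ascii").partition(":")
    return int(ts)


def compute_response(username, realm, password, method, uri, nonce, nc, cnonce,
                     qop, body=b""):
    """RFC 2617 section 3.2.2: response = H(HA1:nonce:nc:cnonce:qop:HA2).
    For qop=auth-int the body (the page's bodyData) is folded into HA2."""
    ha1 = _md5("{}:{}:{}".format(username, realm, password))
    if qop == "auth":
        ha2 = _md5("{}:{}".format(method, uri))
    elif qop == "auth-int":
        ha2 = _md5("{}:{}:{}".format(method, uri, hashlib.md5(body).hexdigest()))
    else:
        raise ValueError("unsupported qop: {!r}".format(qop))
    return _md5("{}:{}:{}:{}:{}:{}".format(ha1, nonce, nc, cnonce, qop, ha2))


def authenticate(creds, password_resolver, replay_timer=300, now=None, body=b""):
    """Server-side check in the spirit of authenticateWithUserResolver:.
    creds holds the client's fields (username, realm, nonce, uri, qop, nc,
    cnonce, response) plus requestMethod; password_resolver plays the one-arg
    block, mapping username -> password (None if unknown).
    replay_timer <= 0 disables the nonce age check, as on the page."""
    if replay_timer > 0:
        current = int(time.time()) if now is None else int(now)
        age = current - nonce_timestamp(creds["nonce"])
        if age < 0 or age > replay_timer:
            raise ExpiredCredentialsError(
                "nonce is {}s old, limit {}s".format(age, replay_timer))
    password = password_resolver(creds["username"])
    if password is None:
        raise BadCredentialsError("unknown user")
    expected = compute_response(
        creds["username"], creds["realm"], password, creds["requestMethod"],
        creds["uri"], creds["nonce"], creds["nc"], creds["cnonce"], creds["qop"], body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, creds["response"]):
        raise BadCredentialsError("response mismatch for " + creds["username"])
    return True


def is_valid_uri(authenticated_uri, request_uri):
    """Same rule as isValidUri: accept any URI that starts with the authenticated
    one, so both the bare URI and the URI with query parameters pass."""
    return request_uri.startswith(authenticated_uri)


if __name__ == "__main__":
    # Constructed exchange: server issues a challenge, client answers, server checks.
    nonce = generate_nonce()
    creds = {
        "username": "stefan", "realm": "expecco", "nonce": nonce, "uri": "/data",
        "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b", "requestMethod": "GET",
    }
    creds["response"] = compute_response("stefan", "expecco", "secret", "GET", "/data",
                                         nonce, "00000001", "0a4f113b", "auth")
    users = {"stefan": "secret"}  # constructed user table standing in for the resolver
    print("authenticated:", authenticate(creds, users.get))
```

Note that a server still needs to bind each nonce to its own secret (for example by keying the hash) or remember issued nonces if it wants to reject nonces it never produced; the timestamp alone only bounds how long a captured response stays usable, which is exactly the window replayTimer describes.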
testing
o  isDigest


Private classes:

    DigestAuthenticationData


ST/X 7.2.0.0; WebServer 1.670 at bd0aa1f87cdd.unknown:8081; Fri, 29 Mar 2024 13:15:37 GMT