Class: DigestAuthenticator (in Authentication)
Object
|
+--Authentication::Authenticator
|
+--Authentication::DigestAuthenticator
- Package:
- stx:goodies/authentication
- Category:
- Net-Authentication
- Version:
- rev: 1.14
- date: 2019/02/06 14:24:33
- user: stefan
- file: Authentication__DigestAuthenticator.st directory: goodies/authentication
- module: stx stc-classLibrary: authentication
- Author:
- Stefan Vogel (stefan@zwerg)
This class implements Digest Authentication as defined in RFC 2617 (since obsoleted by RFC 7616, which adds SHA-256 and keeps MD5 only for backwards compatibility). Note that the digest is an unsalted MD5 construction: it keeps the password off the wire, but a captured challenge/response pair still allows offline guessing of a weak password.
[instance variables:]
username realm nonce uri opaque qop algorithm nc cnonce response
String the credential data supplied by the client
requestMethod String the type of request that should be authenticated (for HTTP: 'GET', 'PUT', 'POST')
timestamp Timestamp the timestamp when the challenge was generated
bodyData String the data of the body, used when qop=auth-int
[class variables:]
default values
-
defaultReplayTimer
-
answer the time in seconds, until the nonce value used to generate
a response times out.
So replay attacks are only possible within this time.
If <= 0, no checking will be done.
protocol
-
generateChallengeForRealm: aRealm
-
generate a challenge for a client.
The challenge is Base64(timestamp:Hash(random stuff))
usage example(s):
self generateChallengeForRealm:'realm'
-
mechanismName
-
answer the name of the mechanism as known in the protocols
-
newAuthenticationData
-
answer the authentication data used by this authenticator
-
newForChallenge: aChallengeString
-
answer a new authenticator for a challenge the client got from the server, e.g.
'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
from which a response can then be generated.
accessing
-
algorithm
-
-
algorithm: something
-
-
bodyData: aStringOrByteArary
-
pass the body data.
some authenticators need this (Digest with qop=auth-int)
-
cnonce
-
-
cnonce: something
-
-
nc
-
-
nc: something
-
-
nonce
-
-
nonce: something
-
-
opaque
-
-
opaque: something
-
-
qop
-
-
qop: something
-
-
realm
-
-
realm: something
-
-
requestMethod
-
-
requestMethod: something
-
-
response
-
-
response: something
-
-
uri
-
-
uri: something
-
-
username
-
-
username: something
-
initialization
-
initializeWith: authString
-
initialize the authenticator from the parameters of the client's response (authString)
private
-
generateHashFor: authenticationData
-
compute the digest response hash for authenticationData
(the value the client's response is compared against by the authenticate methods)
-
parseChallenge: aChallengeString
-
parse a challenge the client got from the server, e.g.
'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
into realm, qop, nonce (and opaque/algorithm, if present), so a response can be generated.
protocol
-
authenticateWith: authenticationData
-
authenticate using the credentials in authenticationData.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)
-
authenticateWithUserResolver: aOneArgBlock
-
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)
-
generateResponseForChallenge: aChallengeString user: userNameString password: password uri: anUriString method: requestMethodArg
-
generate the client's response for a server challenge.
usage example(s):
self new
generateResponseForChallenge:'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
user:'stefan'
password:'secret'
uri:'/data'
method:'GET'
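The computation behind newForChallenge:, parseChallenge: and generateResponseForChallenge:user:password:uri:method:, as an added Python example (it is not the Smalltalk/X code of this class). It parses the challenge quoted in the comments above, computes the RFC 2617 request-digest for qop=auth and qop=auth-int (the bodyData case), and verifies it on the server side with a one-argument password resolver in place of aOneArgBlock. The function names parse_digest_header, compute_response, answer_challenge and verify are this example's own; the user/password/uri values are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed inputs: the challenge below is the one quoted in the class
# comments on this page; everything else in this file is illustration only.
CHALLENGE = 'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'

# name=value pairs, quoted or bare, as they appear in both the challenge and the answer
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value):
    """Split 'Digest k="v", k2=v2, ...' (a challenge or an Authorization value) into a dict."""
    scheme, _, params = value.strip().partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest header')
    return {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM_RE.findall(params)}


def _h(data):
    """MD5 hex digest of a str or bytes (the H() of RFC 2617)."""
    return hashlib.md5(data.encode() if isinstance(data, str) else data).hexdigest()


def compute_response(user, password, realm, nonce, uri, method,
                     qop=None, nc=None, cnonce=None, body=b'', algorithm='MD5'):
    """request-digest as defined in RFC 2617 section 3.2.2.1."""
    ha1 = _h(f'{user}:{realm}:{password}')
    if algorithm.upper() == 'MD5-SESS':
        ha1 = _h(f'{ha1}:{nonce}:{cnonce}')
    if qop == 'auth-int':
        # auth-int also binds H(entity-body), so a modified body fails verification
        ha2 = _h(f'{method}:{uri}:{_h(body)}')
    else:
        ha2 = _h(f'{method}:{uri}')
    if qop in ('auth', 'auth-int'):
        return _h(f'{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}')
    return _h(f'{ha1}:{nonce}:{ha2}')  # RFC 2069 form, when the server sent no qop


def answer_challenge(challenge, user, password, uri, method,
                     body=b'', nc=1, cnonce=None, prefer='auth'):
    """Client side: build the Authorization value sent back for `challenge`."""
    ch = parse_digest_header(challenge)
    offered = [q.strip() for q in ch.get('qop', '').split(',') if q.strip()]
    qop = prefer if prefer in offered else (offered[0] if offered else None)
    cnonce = cnonce or os.urandom(8).hex()
    nc_hex = f'{nc:08x}'
    response = compute_response(user, password, ch['realm'], ch['nonce'], uri, method,
                                qop, nc_hex, cnonce, body, ch.get('algorithm', 'MD5'))
    fields = [f'username="{user}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
              f'uri="{uri}"', f'response="{response}"']
    if qop:
        fields += [f'qop={qop}', f'nc={nc_hex}', f'cnonce="{cnonce}"']
    if 'opaque' in ch:
        fields.append(f'opaque="{ch["opaque"]}"')
    return 'Digest ' + ', '.join(fields)


def verify(authorization, method, password_for, body=b''):
    """Server side: password_for(username) plays the role of the one-argument
    user resolver block; returns True only if the client's response matches."""
    a = parse_digest_header(authorization)
    password = password_for(a.get('username', ''))
    if password is None:
        return False
    try:
        expected = compute_response(a['username'], password, a['realm'], a['nonce'],
                                    a['uri'], method, a.get('qop'), a.get('nc'),
                                    a.get('cnonce'), body, a.get('algorithm', 'MD5'))
    except KeyError:          # a required field is missing from the header
        return False
    # constant-time compare: the response must not leak how many bytes matched
    return hmac.compare_digest(expected, a.get('response', ''))
```

A matching response only proves the client knew the password for this realm; the server must still check that the nonce is one it issued and not too old, and that the uri field matches the request actually being made, which is what the replay timer and isValidUri: on this page are for.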
-
generateStaleChallenge
-
generate a challenge for a client.
This is sent when the credentials are stale, i.e. the user has already
supplied a valid username/password but the nonce has expired; the stale flag
tells the client to retry with the new nonce without asking the user again.
protocol parameters
-
replayTimer
-
answer the time in seconds, until the nonce value used to generate
a response times out.
So replay attacks are only possible within this time.
If < 0, no checking will be done
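An added Python example (not the class's own code) of the nonce scheme described under generateChallengeForRealm:, generateStaleChallenge and replayTimer: the nonce carries its timestamp in Base64 form, the server checks its age against the replay timer (a timer of 0 or less disables the check), and a stale challenge is issued for an expired nonce. It goes beyond the page in two ways: the "Hash(random stuff)" is a keyed HMAC so a client cannot alter the embedded timestamp, and a NonceLedger tracks the nc counter to catch a replay inside the window. SERVER_KEY, make_nonce, check_nonce, challenge_for and NonceLedger are this example's own names; the realm and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed server secret, made once per process; a real server would
# generate and rotate it rather than keep it in source.
SERVER_KEY = os.urandom(32)


def make_nonce(realm, now=None, key=SERVER_KEY):
    """Nonce = Base64(timestamp ':' random ':' HMAC(key, timestamp ':' realm ':' random)).
    The keyed hash lets the server trust the embedded timestamp without storing it."""
    ts = int(time.time() if now is None else now)
    rnd = os.urandom(12).hex()
    mac = hmac.new(key, f'{ts}:{realm}:{rnd}'.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f'{ts}:{rnd}:{mac}'.encode()).decode()


def check_nonce(nonce, realm, replay_timer, now=None, key=SERVER_KEY, skew=5):
    """Answer 'ok', 'bad' (forged or garbled) or 'stale' (older than replay_timer seconds).
    replay_timer <= 0 disables the age check, as the replayTimer comment describes."""
    try:
        ts_text, rnd, mac = base64.b64decode(nonce, validate=True).decode().split(':')
        ts = int(ts_text)
    except (ValueError, UnicodeDecodeError):
        return 'bad'
    expected = hmac.new(key, f'{ts}:{realm}:{rnd}'.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return 'bad'
    now = time.time() if now is None else now
    age = now - ts
    # outside the window (or dated in the future beyond a small clock skew): expired
    if replay_timer > 0 and not (-skew <= age <= replay_timer):
        return 'stale'
    return 'ok'


def challenge_for(realm, stale=False, now=None):
    """WWW-Authenticate value. stale=true tells the client its password was accepted
    but the nonce was too old, so it retries with the new nonce without re-prompting."""
    header = f'Digest realm="{realm}", qop="auth,auth-int", nonce="{make_nonce(realm, now)}"'
    return header + ', stale=true' if stale else header


class NonceLedger:
    """Replay detection inside the window: the nc (nonce count) a client sends
    must strictly increase per nonce, so a replayed request repeats an nc."""

    def __init__(self):
        self._highest = {}

    def accept(self, nonce, nc_hex):
        count = int(nc_hex, 16)
        if count <= self._highest.get(nonce, 0):
            return False
        self._highest[nonce] = count
        return True
```

With the timer alone, a captured request can be replayed until the nonce ages out, which is exactly the window the replayTimer comment describes; the ledger closes that window at the cost of per-nonce state on the server.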
queries
-
isValidUri: uriString
-
answer true if the authenticator is valid for the URI in uriString.
Mozilla and IE (up to 6.0) differ here: Mozilla sends the base URI without parameters,
whereas IE sends the URI with all parameters.
So any URI that starts with the authenticated URI is accepted as valid.
Note that this is a plain string prefix match: an authenticator for '/data' also covers
'/data2' or '/data-admin', not only '/data?x=1' and '/data/...'; callers that need a
stricter scope must check path segment boundaries themselves.
testing
-
isDigest
-
DigestAuthenticationData