eXept Software AG Logo

Smalltalk/X Webserver

Documentation of class 'Authentication::DigestAuthenticator':

Home

Documentation
www.exept.de
Everywhere
for:
 [back]

Class: DigestAuthenticator (in Authentication)

Inheritance:

   Object
   |
   +--Authentication::Authenticator
      |
      +--Authentication::DigestAuthenticator
Package:
stx:goodies/authentication
Category:
Net-Authentication
Version:
rev: 1.16 date: 2021/01/20 12:54:28
user: cg
file: Authentication__DigestAuthenticator.st directory: goodies/authentication
module: stx stc-classLibrary: authentication

Description:


This class implements Digest Authentication as defined in RFC 2617.


[instance variables:]
    username realm nonce uri opaque qop algorithm nc cnonce response    
            String      credential data supplied by the client

    requestMethod       String      the type of request that should be authenticated (for HTTP: 'GET', 'PUT', 'POST')
    timestamp           Timestamp   the timestamp, when the challenge has been generated
    bodyData            String      the data of the body, used when quop=auth-int.

[class variables:]


copyright
COPYRIGHT (c) 2006 by eXept Software AG
             All Rights Reserved

This software is furnished under a license and may be used
only in accordance with the terms of that license and with the
inclusion of the above copyright notice.   This software may not
be provided or otherwise made available to, or used by, any
other person.  No title to or ownership of the software is
hereby transferred.

Class protocol:

default values
o  defaultReplayTimer
answer the time in seconds, until the nonce value used to generate
a response times out.
So replay attacks are only possible within this time.
If <= 0, no checking will be done.

protocol
o  generateChallengeForRealm: aRealm
generate a challenge for a client.
The challenge is Base64(timestamp:Hash(random stuff))

Usage example(s): 

        self generateChallengeForRealm:'realm'

o  mechanismName
answer the name of the mechanism as known in the protocols

o  newAuthenticationData
answer the authentication data used by this authenticator

o  newForChallenge: aChallengeString
<<END
client got a challenge from server:
'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
Generate a response.
END"

Instance protocol:

accessing
o  algorithm

o  algorithm: something

o  bodyData: aStringOrByteArary
pass the body data.
some authenticators need this (Digest with qop=auth-int)

o  cnonce

o  cnonce: something

o  nc

o  nc: something

o  nonce

o  nonce: something

o  opaque

o  opaque: something

o  qop

o  qop: something

o  realm

o  realm: something

o  requestMethod

o  requestMethod: something

o  response

o  response: something

o  uri

o  uri: something

o  username

o  username: something

initialization
o  initializeWith: authString
initialize the algorithm with the response parameters:

private
o  generateHashFor: authenticationData
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)

o  parseChallenge: aChallengeString
<<END
client got a challenge from server:
'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
Generate a response.
END"

protocol
o  authenticateWith: authenticationData
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)

o  authenticateWithUserResolver: aOneArgBlock
authenticate - resolve the username via aOneArgBlock.
Raise BadCredentialsError if authentication fails and
ExpiredCredentialsError if the nonce used is too old (possible replay)

o  generateResponseForChallenge: aChallengeString user: userNameString password: password uri: anUriString method: requestMethodArg
<<END
self new
generateHashForChallenge:'Digest realm="expecco", qop="auth,auth-int", nonce="BEtoVFxia3jhgEtW7Pyv"'
user:'stefan'
password:'secret'
uri:'/data'
method:'GET'
END"

o  generateStaleChallenge
generate a challenge for a client.
This is sent when the credentials are stale, i.e. the user has already
supplied valid username/password and will not be asked again.

protocol parameters
o  replayTimer
answer the time in seconds, until the nonce value used to generate
a response times out.
So replay attacks are only possible within this time.
If < 0, no checking will be done

queries
o  isValidUri: uriString
answer true if the authenticator is valid for the URI in uriString.
Mozilla and IE (up to 6.0) differ here: Mozilla sends the base URI without parameters,
where IE sends the URI with all parameters.

So we declare any URI that starts with the authenticated URI as valid

testing
o  isDigest

Private classes:

    DigestAuthenticationData

ST/X 7.7.0.0; WebServer 1.702 at 20f6060372b9.unknown:8081; Mon, 18 Nov 2024 04:15:25 GMT