Spring Security Digest Auth using JavaConfig Example

6
votes

How do you configure Spring 4.0 and Spring Security (3.2.0) for digest authentication exclusively using javaconfig (no XML)? I am using the below configuration class, however all requests are getting denied with HTTP 401 and "Nonce should have yielded two tokens but was (... message just stops there)".

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfigurationDigest extends WebSecurityConfigurerAdapter
{
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
    auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http.authorizeRequests().antMatchers("/**").authenticated().and().addFilter(digestAuthenticationFilter(digestEntryPoint()));
}

@Override
@Bean
public UserDetailsService userDetailsServiceBean() throws Exception
{
    return super.userDetailsServiceBean();
}

public DigestAuthenticationFilter digestAuthenticationFilter(DigestAuthenticationEntryPoint digestAuthenticationEntryPoint) throws Exception
{
    DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
    digestAuthenticationFilter.setAuthenticationEntryPoint(digestEntryPoint());
    digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
    return digestAuthenticationFilter;
}

@Bean
public DigestAuthenticationEntryPoint digestEntryPoint()
{
    DigestAuthenticationEntryPoint digestAuthenticationEntryPoint = new DigestAuthenticationEntryPoint();
    digestAuthenticationEntryPoint.setKey("mykey");
    digestAuthenticationEntryPoint.setRealmName("myrealm");
    return digestAuthenticationEntryPoint;
}
}

I am attempting to authorize on the client side by including the header:

Authorization: Digest username="user", realm="myrealm", nonce="", uri="/service?param=98", response="fcd46faf42a583499d4e7f0371171ef2", opaque=""

I am able to access the intended services if I revert this class to a HttpBasic based configuration. Is the problem with my config or with my request? Most of the above code was borrowed from another post, however I cannot get things working in this context. All of this is running within Spring Boot 0.5.0M7.

Thanks.

2
javaspringspring-securitydigest-authenticationspring-java-config

2 Answers

0
votes

The request seems to be incomplete. The noonce parameter should contain a base64 encoded value according to the digest processing filter reference.

Central to Digest Authentication is a "nonce". This is a value the server generates. Spring Security’s nonce adopts the following format:

base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
expirationTime:   The date and time when the nonce expires, expressed in milliseconds
key:              A private key to prevent modification of the nonce token
0
votes

Spring and Patrick both describe a flow where a request is made, if nothing else to get a nonce from the server , the server provides this header

"WWW-Authenticate: Digest realm="realm", nonce="IVjZjc3Yg==", qop="auth"

in its 401 response saying "hey who are you" to the client. Using the nonce and other stuff a md5 hash is created and sent to the server. Server is now happy and processes the request. Look on the bright side you made it to step 1 and check the links for a better explaination