servlet-authentication-passwords-digest.md 4.2 KB
# Digest Authentication

This section provides details on how Spring Security supports [Digest Authentication](https://tools.ietf.org/html/rfc2617), which is provided by `DigestAuthenticationFilter`.

> **Note:** You should not use Digest Authentication in modern applications because it is not considered secure. The most obvious problem is that you must store your passwords in plaintext, encrypted, or in an MD5 format. All of these storage formats are considered insecure. Instead, you should store credentials using a one-way adaptive password hash (e.g. bcrypt, PBKDF2, scrypt), which is not supported by Digest Authentication.

Digest Authentication attempts to solve many of the weaknesses of [Basic authentication](basic.html#servlet-authentication-basic), specifically by ensuring credentials are never sent in clear text across the wire.
Many [browsers support Digest Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility).

The standard governing HTTP Digest Authentication is defined by [RFC 2617](https://tools.ietf.org/html/rfc2617), which updates an earlier version of the Digest Authentication standard prescribed by [RFC 2069](https://tools.ietf.org/html/rfc2069).
Most user agents implement RFC 2617.
Spring Security’s Digest Authentication support is compatible with the “auth” quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.
Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (i.e. no TLS/HTTPS) and wish to maximise security of the authentication process.
However, everyone should use [HTTPS](../../../features/exploits/http.html#http).

Central to Digest Authentication is a "nonce".
This is a value the server generates.
Spring Security’s nonce adopts the following format:

Example 1. Digest Syntax

```
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
expirationTime:   The date and time when the nonce expires, expressed in milliseconds
key:              A private key to prevent modification of the nonce token
```
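The following is an added example (not code from the Spring Security project or the page) that implements the nonce format above and the RFC 2617 `qop="auth"` response computation the page refers to. It shows the two checks a server must make on a nonce that comes back from the client (signature first, then expiry, so a client cannot extend a nonce's lifetime by editing the timestamp), and it makes concrete why the note at the top of the page says Digest forces plaintext or MD5 password storage: the server only ever needs `HA1 = md5(username:realm:password)`, which cannot be derived from a bcrypt or scrypt hash. The key value is the one from the page's configuration example; the user names, passwords, URIs and the fixed clock value are constructed for the demo, and treating `expirationTime` as epoch milliseconds is an assumption (the page only says "milliseconds"). The RFC 2617 section 3.5 worked example is reproduced as a self-check.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Server-private nonce key; same value as the page's configuration example.
KEY = "3028472b-da34-4501-bfd8-a355c42bdf92"


def md5_hex(s: str) -> str:
    """Lower-case hex MD5: the 'md5Hex' of the nonce formula and of RFC 2617."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def generate_nonce(key: str, validity_seconds: int = 300, now_ms: Optional[int] = None) -> str:
    """base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key)).
    Assumption: expirationTime is an epoch timestamp in milliseconds."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    expiration_ms = now_ms + validity_seconds * 1000
    signature = md5_hex(f"{expiration_ms}:{key}")
    return base64.b64encode(f"{expiration_ms}:{signature}".encode("ascii")).decode("ascii")


def validate_nonce(nonce: str, key: str, now_ms: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check of a nonce echoed back by the client: (accepted, reason).
    The signature is verified before expiry, so an edited timestamp is rejected."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        decoded = base64.b64decode(nonce, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False, "not valid base64"
    parts = decoded.split(":")
    if len(parts) != 2 or not parts[0].isdigit():
        return False, "malformed nonce"
    expiration_ms, signature = int(parts[0]), parts[1]
    expected = md5_hex(f"{expiration_ms}:{key}")
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch (tampered nonce or wrong key)"
    if expiration_ms < now_ms:
        return False, "nonce expired"
    return True, "ok"


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617, qop=auth: HA2 = md5(method:uri); response = md5(HA1:nonce:nc:cnonce:qop:HA2).
    Only HA1 = md5(username:realm:password) is needed, which is why the server must hold
    the plaintext password or that MD5 value and can never use an adaptive hash."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the user agent computes from the password the user typed."""
    return digest_response(md5_hex(f"{username}:{realm}:{password}"), method, uri, nonce, nc, cnonce, qop)


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, presented, key, now_ms=None, qop="auth"):
    """Server side: the nonce must validate, then the response must match the stored HA1."""
    ok, reason = validate_nonce(nonce, key, now_ms)
    if not ok:
        return False, reason
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    if not hmac.compare_digest(expected, presented):
        return False, "bad credentials"
    return True, "ok"


def rfc2617_example_matches() -> bool:
    """Reproduces the worked example in RFC 2617 section 3.5."""
    got = client_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    return got == "6629fae49393a05397450978507c4ef1"


def demo():
    """Constructed, deterministic run with a fixed clock."""
    now = 1_700_000_000_000
    nonce = generate_nonce(KEY, validity_seconds=300, now_ms=now)
    realm, uri, nc, cnonce = "My App Realm", "/account", "00000001", "cnonce123"
    stored_ha1 = md5_hex(f"alice:{realm}:correct horse")  # what Digest forces you to store
    good = client_response("alice", realm, "correct horse", "GET", uri, nonce, nc, cnonce)
    bad = client_response("alice", realm, "wrong", "GET", uri, nonce, nc, cnonce)
    forged = base64.b64encode(f"{now + 10**9}:{'0' * 32}".encode("ascii")).decode("ascii")
    return {
        "fresh": server_verify(stored_ha1, "GET", uri, nonce, nc, cnonce, good, KEY, now),
        "replayed_after_expiry": server_verify(stored_ha1, "GET", uri, nonce, nc, cnonce, good, KEY, now + 301_000),
        "wrong_password": server_verify(stored_ha1, "GET", uri, nonce, nc, cnonce, bad, KEY, now),
        "tampered_nonce": validate_nonce(forged, KEY, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22} {'ACCEPT' if ok else 'REJECT'} ({reason})")
    print("RFC 2617 example reproduced:", rfc2617_example_matches())
```

Running the block prints one line per scenario: the fresh exchange is accepted, the same response presented after the nonce's validity window is rejected as expired, a wrong password fails the response comparison, and a nonce with a rewritten timestamp fails the signature check before its expiry is even consulted. Note that nothing here stops a captured response from being replayed within the validity window against the same URI; Spring Security's filter has the same property, which is one more reason the page points you to HTTPS.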

You will need to ensure you [configure](../../../features/authentication/password-storage.html#authentication-password-storage-configuration) insecure plain text [Password Storage](../../../features/authentication/password-storage.html#authentication-password-storage) using `NoOpPasswordEncoder`.
The following provides an example of configuring Digest Authentication with Java Configuration:

Example 2. Digest Authentication

Java

```
@Autowired
UserDetailsService userDetailsService;

DigestAuthenticationEntryPoint entryPoint() {
	DigestAuthenticationEntryPoint result = new DigestAuthenticationEntryPoint();
	result.setRealmName("My App Realm");
	// The key signs the nonce; keep it private to the server.
	result.setKey("3028472b-da34-4501-bfd8-a355c42bdf92");
	return result;
}

DigestAuthenticationFilter digestAuthenticationFilter() {
	DigestAuthenticationFilter result = new DigestAuthenticationFilter();
	result.setUserDetailsService(userDetailsService);
	result.setAuthenticationEntryPoint(entryPoint());
	return result;
}

protected void configure(HttpSecurity http) throws Exception {
	http
		// ...
		.exceptionHandling(e -> e.authenticationEntryPoint(entryPoint()))
		// Digest is placed in the chain ahead of Basic authentication
		.addFilterBefore(digestAuthenticationFilter(), BasicAuthenticationFilter.class);
}
```

XML

```
<b:bean id="digestFilter"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter"
        p:userDetailsService-ref="jdbcDaoImpl"
        p:authenticationEntryPoint-ref="digestEntryPoint"
/>

<b:bean id="digestEntryPoint"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"
        p:realmName="My App Realm"
        p:key="3028472b-da34-4501-bfd8-a355c42bdf92"
/>

<http entry-point-ref="digestEntryPoint">
	<!-- ... -->
	<custom-filter ref="digestFilter" position="DIGEST_AUTH_FILTER"/>
</http>
```
