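// Webpack async chunk 236 / module 662: the VuePress page "Digest Authentication".
// The chunk registers itself with the JSONP runtime on `window.webpackJsonp`; the page
// body is a compiled Vue render function that only emits static documentation markup.
//
// NOTE(review): the extracted bundle had been line-wrapped in the middle of three string
// literals ("(i.e. |bCrypt", "Example 1. |Digest Syntax", "language- |extra-class"),
// which is a syntax error in JavaScript. Those literals are rejoined below; the rendered
// text itself is reproduced unchanged, and the content issues it carries are only
// flagged in comments, not edited.
(window.webpackJsonp = window.webpackJsonp || []).push([
  [236],
  {
    // Module factory: t = module, e = exports, n = __webpack_require__.
    662: function (t, e, n) {
      "use strict";
      n.r(e); // flag `exports` as an ES module namespace
      var i = n(56); // VuePress component normalizer; module 56 lives outside this file
      var r = Object(i.a)(
        {},
        function () {
          // Compiled Vue render function: t = component instance, n = createElement.
          var t = this,
            e = t.$createElement,
            n = t._self._c || e;
          return n("ContentSlotsDistributor", { attrs: { "slot-key": t.$parent.slotKey } }, [
            n("h1",{attrs:{id:"digest-authentication"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#digest-authentication"}},[t._v("#")]),t._v(" Digest Authentication")]),
            t._v(" "),
            // External links are opened with target=_blank plus rel="noopener noreferrer",
            // so the linked page gets no window.opener handle back to this site.
            n("p",[t._v("This section provides details on how Spring Security provides support for "),n("a",{attrs:{href:"https://tools.ietf.org/html/rfc2617",target:"_blank",rel:"noopener noreferrer"}},[t._v("Digest Authentication"),n("OutboundLink")],1),t._v(" which is provided "),n("code",[t._v("DigestAuthenticationFilter")]),t._v(".")]),
            t._v(" "),
            // Admonition rendered as a header-only table: Digest forces plaintext, reversible
            // or MD5 password storage, so it cannot be used with an adaptive one-way hash.
            n("table",[n("thead",[n("tr",[n("th"),t._v(" "),n("th",[t._v("You should not use Digest Authentication in modern applications because it is not considered secure."),n("br"),t._v("The most obvious problem is that you must store your passwords in plaintext, encrypted, or an MD5 format."),n("br"),t._v("All of these storage formats are considered insecure."),n("br"),t._v("Instead, you should store credentials using a one way adaptive password hash (i.e. bCrypt, PBKDF2, SCrypt, etc) which is not supported by Digest Authentication.")])])]),t._v(" "),n("tbody")]),
            t._v(" "),
            n("p",[t._v("Digest Authentication attempts to solve many of the weaknesses of "),n("RouterLink",{attrs:{to:"/en/spring-security/basic.html#servlet-authentication-basic"}},[t._v("Basic authentication")]),t._v(", specifically by ensuring credentials are never sent in clear text across the wire.\nMany "),n("a",{attrs:{href:"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility",target:"_blank",rel:"noopener noreferrer"}},[t._v("browsers support Digest Authentication"),n("OutboundLink")],1),t._v(".")],1),
            t._v(" "),
            // The text's own conclusion: Digest only ever made sense over unencrypted HTTP,
            // and TLS is the recommendation regardless of the authentication scheme.
            n("p",[t._v("The standard governing HTTP Digest Authentication is defined by "),n("a",{attrs:{href:"https://tools.ietf.org/html/rfc2617",target:"_blank",rel:"noopener noreferrer"}},[t._v("RFC 2617"),n("OutboundLink")],1),t._v(", which updates an earlier version of the Digest Authentication standard prescribed by "),n("a",{attrs:{href:"https://tools.ietf.org/html/rfc2069",target:"_blank",rel:"noopener noreferrer"}},[t._v("RFC 2069"),n("OutboundLink")],1),t._v(".\nMost user agents implement RFC 2617.\nSpring Security’s Digest Authentication support is compatible with the “auth” quality of protection ("),n("code",[t._v("qop")]),t._v(") prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.\nDigest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (i.e. no TLS/HTTPS) and wish to maximise security of the authentication process.\nHowever, everyone should use "),n("RouterLink",{attrs:{to:"/features/exploits/http.html#http"}},[t._v("HTTPS")]),t._v(".")],1),
            t._v(" "),
            n("p",[t._v('Central to Digest Authentication is a "nonce".\nThis is a value the server generates.\nSpring Security’s nonce adopts the following format:')]),
            t._v(" "),
            n("p",[t._v("Example 1. Digest Syntax")]),
            t._v(" "),
            // Nonce layout. As the listing states, `key` is what stops a client from altering
            // the nonce (e.g. its expiry), so the whole check rests on that key staying
            // server-side and secret; the expiry is what bounds replay of a captured nonce.
            n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[t._v('base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))\nexpirationTime: The date and time when the nonce expires, expressed in milliseconds\nkey: A private key to prevent modification of the nonce token\n')])])]),
            // No whitespace text node between the code block and this paragraph in the original.
            n("p",[t._v("You will need to ensure you "),n("RouterLink",{attrs:{to:"/features/authentication/password-storage.html#authentication-password-storage-configuration"}},[t._v("configure")]),t._v(" insecure plain text "),n("RouterLink",{attrs:{to:"/features/authentication/password-storage.html#authentication-password-storage"}},[t._v("Password Storage")]),t._v(" using "),n("code",[t._v("NoOpPasswordEncoder")]),t._v(".\nThe following provides an example of configuring Digest Authentication with Java Configuration:")],1),
            t._v(" "),
            n("p",[t._v("Example 2. Digest Authentication")]),
            t._v(" "),
            n("p",[t._v("Java")]),
            t._v(" "),
            // NOTE(review): the Java listing is reproduced verbatim, but as rendered it does not
            // compile: entryPoint() and digestAuthenticationFilter() build `result` and never
            // return it, configure() calls authenticationEntryPoint() and digestFilter() which
            // the listing does not define, and "My App Relam" looks like a typo for "Realm".
            // The nonce key passed to setKey() is a literal in source; a real deployment should
            // load it from configuration/secret storage so it can be kept out of the repository
            // and rotated. Fixing the listing means changing page text, so it is left for the
            // content owner.
            n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[t._v('@Autowired\nUserDetailsService userDetailsService;\n\nDigestAuthenticationEntryPoint entryPoint() {\n\tDigestAuthenticationEntryPoint result = new DigestAuthenticationEntryPoint();\n\tresult.setRealmName("My App Relam");\n\tresult.setKey("3028472b-da34-4501-bfd8-a355c42bdf92");\n}\n\nDigestAuthenticationFilter digestAuthenticationFilter() {\n\tDigestAuthenticationFilter result = new DigestAuthenticationFilter();\n\tresult.setUserDetailsService(userDetailsService);\n\tresult.setAuthenticationEntryPoint(entryPoint());\n}\n\nprotected void configure(HttpSecurity http) throws Exception {\n\thttp\n\t\t// ...\n\t\t.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))\n\t\t.addFilterBefore(digestFilter());\n}\n')])])]),
            n("p",[t._v("XML")]),
            t._v(" "),
            // NOTE(review): the XML listing contains only blank lines and a `<!-- ... -->`
            // comment (the `\x3c`/`\x3e` escapes keep literal angle brackets out of the
            // bundle text); the element markup presumably went missing upstream — confirm
            // against the source document.
            n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[t._v('\n\n\n\n\n\t\x3c!-- ... --\x3e\n\t\n\n')])])]),
            // Trailing "see also" links to the Basic and Password Storage pages.
            n("p",[n("RouterLink",{attrs:{to:"/en/spring-security/basic.html"}},[t._v("Basic")]),n("RouterLink",{attrs:{to:"/en/spring-security/storage.html"}},[t._v("Password Storage")])],1)
          ]);
        },
        [], // no static render functions
        !1, // functional: false
        null, null, null // injectStyles, scopeId, moduleIdentifier
      );
      e.default = r.exports;
    }
  }
]);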