Search in sources :

Example 6 with DigestWWWAuthenticateToken

use of io.undertow.security.impl.DigestWWWAuthenticateToken in project undertow by undertow-io.

the class DigestAuthentication2069TestCase method testDigestSuccess.

/**
     * Test for a successful authentication.
     */
@Test
public void testDigestSuccess() throws Exception {
    TestHttpClient client = new TestHttpClient();
    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    assertEquals(1, values.length);
    String value = values[0].getValue();
    assertTrue(value.startsWith(DIGEST.toString()));
    Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    assertFalse(parsedHeader.containsKey(DigestWWWAuthenticateToken.MESSAGE_QOP));
    String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
    String response = createResponse("userOne", REALM_NAME, "passwordOne", "GET", "/", nonce);
    client = new TestHttpClient();
    get = new HttpGet(DefaultServer.getDefaultServerURL());
    StringBuilder sb = new StringBuilder(DIGEST.toString());
    sb.append(" ");
    sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"userOne\"").append(",");
    sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
    sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
    sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
    sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(response).append("\"");
    get.addHeader(AUTHORIZATION.toString(), sb.toString());
    result = client.execute(get);
    assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
    values = result.getHeaders("ProcessedBy");
    assertEquals(1, values.length);
    assertEquals("ResponseHandler", values[0].getValue());
    values = result.getHeaders("Authentication-Info");
    assertEquals(1, values.length);
    Map<AuthenticationInfoToken, String> parsedAuthInfo = AuthenticationInfoToken.parseHeader(values[0].getValue());
    nonce = parsedAuthInfo.get(AuthenticationInfoToken.NEXT_NONCE);
    response = createResponse("userOne", REALM_NAME, "passwordOne", "GET", "/", nonce);
    assertSingleNotificationType(EventType.AUTHENTICATED);
    client = new TestHttpClient();
    get = new HttpGet(DefaultServer.getDefaultServerURL());
    sb = new StringBuilder(DIGEST.toString());
    sb.append(" ");
    sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"userOne\"").append(",");
    sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
    sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
    sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
    sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(response).append("\"");
    get.addHeader(AUTHORIZATION.toString(), sb.toString());
    result = client.execute(get);
    assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
    values = result.getHeaders("ProcessedBy");
    assertEquals(1, values.length);
    assertEquals("ResponseHandler", values[0].getValue());
    assertSingleNotificationType(EventType.AUTHENTICATED);
}
Also used : Header(org.apache.http.Header) HttpGet(org.apache.http.client.methods.HttpGet) HttpResponse(org.apache.http.HttpResponse) DigestWWWAuthenticateToken(io.undertow.security.impl.DigestWWWAuthenticateToken) AuthenticationInfoToken(io.undertow.security.impl.AuthenticationInfoToken) TestHttpClient(io.undertow.testutils.TestHttpClient) Test(org.junit.Test)

Example 7 with DigestWWWAuthenticateToken

use of io.undertow.security.impl.DigestWWWAuthenticateToken in project undertow by undertow-io.

the class DigestAuthenticationAuthTestCase method _testDigestSuccess.

static void _testDigestSuccess() throws Exception {
    TestHttpClient client = new TestHttpClient();
    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    String value = getAuthHeader(DIGEST, values);
    Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));
    String clientNonce = createNonce();
    int nonceCount = 1;
    String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
    String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
    assertNotNull(opaque);
    // Send 5 requests with an incrementing nonce count on each call.
    for (int i = 0; i < 5; i++) {
        client = new TestHttpClient();
        get = new HttpGet(DefaultServer.getDefaultServerURL());
        int thisNonceCount = nonceCount++;
        String authorization = createAuthorizationLine("userOne", "passwordOne", "GET", "/", nonce, thisNonceCount, clientNonce, opaque);
        get.addHeader(AUTHORIZATION.toString(), authorization);
        result = client.execute(get);
        assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
        values = result.getHeaders("ProcessedBy");
        assertEquals(1, values.length);
        assertEquals("ResponseHandler", values[0].getValue());
        assertSingleNotificationType(EventType.AUTHENTICATED);
        values = result.getHeaders("Authentication-Info");
        assertEquals(1, values.length);
        Map<AuthenticationInfoToken, String> parsedAuthInfo = AuthenticationInfoToken.parseHeader(values[0].getValue());
        assertEquals("Didn't expect a new nonce.", nonce, parsedAuthInfo.get(AuthenticationInfoToken.NEXT_NONCE));
        assertEquals(DigestQop.AUTH.getToken(), parsedAuthInfo.get(AuthenticationInfoToken.MESSAGE_QOP));
        String nonceCountString = toHex(thisNonceCount);
        assertEquals(createRspAuth("userOne", REALM_NAME, "passwordOne", "/", nonce, nonceCountString, clientNonce), parsedAuthInfo.get(AuthenticationInfoToken.RESPONSE_AUTH));
        assertEquals(clientNonce, parsedAuthInfo.get(AuthenticationInfoToken.CNONCE));
        assertEquals(nonceCountString, parsedAuthInfo.get(AuthenticationInfoToken.NONCE_COUNT));
    }
}
Also used : Header(org.apache.http.Header) HttpGet(org.apache.http.client.methods.HttpGet) HttpResponse(org.apache.http.HttpResponse) DigestWWWAuthenticateToken(io.undertow.security.impl.DigestWWWAuthenticateToken) AuthenticationInfoToken(io.undertow.security.impl.AuthenticationInfoToken) TestHttpClient(io.undertow.testutils.TestHttpClient)

Example 8 with DigestWWWAuthenticateToken

use of io.undertow.security.impl.DigestWWWAuthenticateToken in project undertow by undertow-io.

the class DigestAuthTestCase method testCall.

public void testCall(final String path, final String expectedResponse) throws Exception {
    TestHttpClient client = new TestHttpClient();
    String url = DefaultServer.getDefaultServerURL() + "/servletContext/secured/" + path;
    HttpGet get = new HttpGet(url);
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    assertEquals(1, values.length);
    String value = values[0].getValue();
    assertTrue(value.startsWith(DIGEST.toString()));
    Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    assertTrue(parsedHeader.containsKey(DigestWWWAuthenticateToken.MESSAGE_QOP));
    String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
    String clientResponse = createResponse("user1", REALM_NAME, "password1", "GET", "/", nonce);
    client = new TestHttpClient();
    get = new HttpGet(url);
    StringBuilder sb = new StringBuilder(DIGEST.toString());
    sb.append(" ");
    sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"user1\"").append(",");
    sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
    sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
    sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
    sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(clientResponse).append("\"");
    get.addHeader(AUTHORIZATION.toString(), sb.toString());
    result = client.execute(get);
    assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
    final String response = HttpClientUtils.readResponse(result);
    assertEquals(expectedResponse, response);
}
Also used : Header(org.apache.http.Header) HttpGet(org.apache.http.client.methods.HttpGet) HttpResponse(org.apache.http.HttpResponse) DigestWWWAuthenticateToken(io.undertow.security.impl.DigestWWWAuthenticateToken) TestHttpClient(io.undertow.testutils.TestHttpClient)

Example 9 with DigestWWWAuthenticateToken

use of io.undertow.security.impl.DigestWWWAuthenticateToken in project undertow by undertow-io.

the class DigestAuthenticationAuthTestCase method _testBadNonce.

static void _testBadNonce() throws Exception {
    TestHttpClient client = new TestHttpClient();
    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    String value = getAuthHeader(DIGEST, values);
    Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));
    String clientNonce = createNonce();
    int nonceCount = 1;
    String nonce = "AU1aCIiy48ENMTM1MTE3OTUxMDU2OLrHnBlV2GBzzguCWOPET+0=";
    String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
    assertNotNull(opaque);
    client = new TestHttpClient();
    get = new HttpGet(DefaultServer.getDefaultServerURL());
    int thisNonceCount = nonceCount++;
    String authorization = createAuthorizationLine("userOne", "badPassword", "GET", "/", nonce, thisNonceCount, clientNonce, opaque);
    get.addHeader(AUTHORIZATION.toString(), authorization);
    result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    assertSingleNotificationType(EventType.FAILED_AUTHENTICATION);
}
Also used : Header(org.apache.http.Header) HttpGet(org.apache.http.client.methods.HttpGet) HttpResponse(org.apache.http.HttpResponse) DigestWWWAuthenticateToken(io.undertow.security.impl.DigestWWWAuthenticateToken) TestHttpClient(io.undertow.testutils.TestHttpClient)

Example 10 with DigestWWWAuthenticateToken

use of io.undertow.security.impl.DigestWWWAuthenticateToken in project undertow by undertow-io.

the class DigestAuthentication2069TestCase method testDifferentNonce.

/**
     * Test that for a valid username and password if an invalid nonce is used the request should be rejected with the nonce
     * marked as stale, using the replacement nonce should then work.
     */
@Test
public void testDifferentNonce() throws Exception {
    TestHttpClient client = new TestHttpClient();
    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    assertEquals(1, values.length);
    String value = values[0].getValue();
    assertTrue(value.startsWith(DIGEST.toString()));
    Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    String nonce = "AU1aCIiy48ENMTM1MTE3OTUxMDU2OLrHnBlV2GBzzguCWOPET+0=";
    String response = createResponse("userOne", REALM_NAME, "passwordOne", "GET", "/", nonce);
    client = new TestHttpClient();
    get = new HttpGet(DefaultServer.getDefaultServerURL());
    StringBuilder sb = new StringBuilder(DIGEST.toString());
    sb.append(" ");
    sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"userOne\"").append(",");
    sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
    sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
    sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
    sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(response).append("\"");
    get.addHeader(AUTHORIZATION.toString(), sb.toString());
    result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    values = result.getHeaders(WWW_AUTHENTICATE.toString());
    assertEquals(1, values.length);
    value = values[0].getValue();
    assertTrue(value.startsWith(DIGEST.toString()));
    parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    assertEquals("true", parsedHeader.get(DigestWWWAuthenticateToken.STALE));
    nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
    response = createResponse("userOne", REALM_NAME, "passwordOne", "GET", "/", nonce);
    client = new TestHttpClient();
    get = new HttpGet(DefaultServer.getDefaultServerURL());
    sb = new StringBuilder(DIGEST.toString());
    sb.append(" ");
    sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"userOne\"").append(",");
    sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
    sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
    sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
    sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(response).append("\"");
    get.addHeader(AUTHORIZATION.toString(), sb.toString());
    result = client.execute(get);
    assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
    values = result.getHeaders("ProcessedBy");
    assertEquals(1, values.length);
    assertEquals("ResponseHandler", values[0].getValue());
    // The additional round trip for the bad nonce should not trigger a security notification.
    assertSingleNotificationType(EventType.AUTHENTICATED);
}
Also used : Header(org.apache.http.Header) HttpGet(org.apache.http.client.methods.HttpGet) HttpResponse(org.apache.http.HttpResponse) DigestWWWAuthenticateToken(io.undertow.security.impl.DigestWWWAuthenticateToken) TestHttpClient(io.undertow.testutils.TestHttpClient) Test(org.junit.Test)

Aggregations

DigestWWWAuthenticateToken (io.undertow.security.impl.DigestWWWAuthenticateToken)11 TestHttpClient (io.undertow.testutils.TestHttpClient)11 Header (org.apache.http.Header)11 HttpResponse (org.apache.http.HttpResponse)11 HttpGet (org.apache.http.client.methods.HttpGet)11 Test (org.junit.Test)5 AuthenticationInfoToken (io.undertow.security.impl.AuthenticationInfoToken)3