• Home
• io.helidon
• helidon-docs
• 4.0.11
• source code
• http-digest-auth.adoc

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

includes.security.providers.http-digest-auth.adoc Maven / Gradle / Ivy

///////////////////////////////////////////////////////////////////////////////

    Copyright (c) 2018, 2024 Oracle and/or its affiliates.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

///////////////////////////////////////////////////////////////////////////////

ifndef::rootdir[:rootdir: {docdir}/../../..]

=== HTTP Digest Authentication Provider
:description: Helidon Security HTTP Digest Provider
:keywords: helidon, security, digest
:feature-name: HTTP Digest Authentication Security Provider

HTTP Digest authentication support

==== Setup

[source,xml]
.Maven dependency
----

    io.helidon.security.providers
    helidon-security-providers-http-auth

----

==== Overview

include::{rootdir}/config/io_helidon_security_providers_httpauth_HttpDigestAuthProvider.adoc[leveloffset=+2,tag=config]

==== Example code

[source,yaml]
.Configuration example
----
security:
  providers:
  - http-digest-auth:
      realm: "helidon"
      server-secret: "${CLEAR=service-wide-secret-not-known-outside}"
      users:
      - login: "john"
        password: "${CLEAR=changeit}"
        roles: ["admin"]
      - login: "jack"
        password: "changeit"
        roles: ["user", "admin"]
----

==== How does it work?
See https://tools.ietf.org/html/rfc7616[].

*Authentication of request*

When a request is received without the `Authorization: digest ....` header, a challenge is returned to provide such
authentication using `WWW-Authenticate` header.

When a request is received with the `Authorization: digest ....` header, the request is validated
against configured users (and users obtained from custom service if any provided).

Subject is created based on the username and roles provided by the user store.

*Custom user store*

Java service loader service `io.helidon.security.providers.httpauth.spi.UserStoreService` can be implemented to provide
 users to the provider, such as when validated against an internal database or LDAP server.
The user store is defined so you never need the clear text password of the user.

_Note on security of HTTP Digest Authentication_

These authentication schemes
should be _obsolete_, though they provide a very easy way to test a protected resource.