Question

Could anyone explain to me why basic auth is working and the digest isn't working or not showing up in the http headers on the server anyway.

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.api.client.filter.HTTPDigestAuthFilter;
import com.sun.jersey.api.json.JSONConfiguration;

public String login(UserDTO user)
{
    ClientConfig clientConfig = new DefaultClientConfig();
    clientConfig.getFeatures().put(JSONConfiguration.FEATURE_POJO_MAPPING, Boolean.TRUE);
    Client client = Client.create(clientConfig);
    // Basic auth filter, commented out while testing the digest filter
    // client.addFilter(new HTTPBasicAuthFilter(user.getUsername(), user.getPassword()));
    client.addFilter(new HTTPDigestAuthFilter(user.getUsername(), user.getPassword()));
    // url is the base URL of the REST service (a field of the enclosing class)
    ClientResponse response = client.resource(url + "user/login")
            .accept("application/json")
            .type("application/json")
            .get(ClientResponse.class);

    System.out.println(response.toString());

    return null;
}

If I use:

client.addFilter(new HTTPBasicAuthFilter(user.getUsername(), user.getPassword()));

I get an authorization header on the server:

USER LOGIN REQUEST
request:uri: /StambomenWebAPI/rest/user/login
method: GET
QueryString: null
Parameters:
Headers:
Name: accept    Value: application*json
Name: content-type  Value: application/json
Name: authorization Value: Basic QXhsOkxvbA==
Name: user-agent    Value: Java/1.7.0_51
Name: host  Value: localhost:8084
Name: connection    Value: keep-alive
USER AND PASS[XXXXX, XXXXX]

But when I use

client.addFilter(new HTTPDigestAuthFilter(user.getUsername(), user.getPassword()));

I do not get an authorization header field ... :s ?

Using Jersey with Tomcat v7.

My regards and thanks in advance for any help.


Solution

You are not getting an authorization header field because of the digest authentication workflow. See here for more details, but basically:

  1. Client makes a request with no Authorization header
  2. Server responds with a 401 status and a WWW-Authenticate header that looks something like:

    Digest realm="testrealm@host.com",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
    
  3. Client repeats the request with the correct Authorization header now that it has digest info from server

From the client side, this is all handled by the Jersey HTTPDigestAuthFilter. So, the filter makes the request without an Authorization header first, and your server should return a 401 status with a WWW-Authenticate header that has the necessary Digest info. Then the filter repeats the request with the correct Authorization header, and your server should authenticate and return the content.

After this initial handshake, the HTTPDigestAuthFilter remembers the necessary digest info, so for all requests after the very first request, the Authorization header will be included.
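The three-step exchange described in the answer, simulated end to end as an added example (this is not code from the post or from Jersey): a server that challenges any request lacking an Authorization header and verifies the RFC 2617 qop=auth response otherwise, and a client that builds that header from the challenge. The realm, user, password, URI and nonces are constructed for the example; the user/password/URI triple is the RFC 2617 worked example, so the computed response value can be checked against it.

```python
import hashlib
import hmac
import re
import secrets

# Constructed server-side state for the example (not from the post).
REALM = "testrealm@host.com"
USERS = {"Mufasa": "Circle Of Life"}
METHOD, URI = "GET", "/dir/index.html"

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest_header(value: str) -> dict:
    """Split 'Digest k="v", k2=v2' into its parameters (quoted or bare values)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
    return {k: quoted or bare for k, quoted, bare in pairs}

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """RFC 2617 response value for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_authorization(user, password, challenge, cnonce, nc="00000001") -> str:
    """Step 3: the header the client sends once it has the challenge parameters."""
    p = parse_digest_header(challenge)
    resp = digest_response(user, p["realm"], password, METHOD, URI, p["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{URI}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def server_handle(headers: dict, nonce: str) -> dict:
    """Steps 1-2: challenge when no Authorization header arrives; otherwise verify it."""
    auth = headers.get("Authorization")
    if auth is None:
        return {"status": 401,
                "WWW-Authenticate": f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'}
    p = parse_digest_header(auth)
    password = USERS.get(p.get("username", ""))
    if password is None or p.get("nonce") != nonce or p.get("uri") != URI:
        return {"status": 401}
    expected = digest_response(p["username"], REALM, password, METHOD, URI,
                               nonce, p.get("nc", ""), p.get("cnonce", ""))
    ok = hmac.compare_digest(expected, p.get("response", ""))
    return {"status": 200 if ok else 401}

def handshake(user: str, password: str) -> tuple:
    """Run the exchange the answer describes; returns the status of each request."""
    nonce = secrets.token_hex(16)                                  # server picks a fresh nonce
    first = server_handle({"Accept": "application/json"}, nonce)   # no Authorization header yet
    auth = client_authorization(user, password, first["WWW-Authenticate"], secrets.token_hex(8))
    second = server_handle({"Authorization": auth}, nonce)         # repeated request
    return first["status"], second["status"]
```

Running handshake() shows the first request always answered with 401 plus the challenge, and only the repeated request carrying the computed Authorization header succeeding, which is exactly what the single-request header dump in the question captured.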

Licensed under: CC-BY-SA with attribution