Spring Security with Digest authentication and encoded password

Updated: at 12:48 AM

The title says it all. This post will show you how to configure Spring Security with Digest authentication and encoded password. But first, here is the Spring Security documentation about digest authentication and encoded password:

The configured UserDetailsService is needed because DigestAuthenticationFilter must have direct access to the clear text password of a user. Digest Authentication will NOT work if you are using encoded passwords in your DAO. The DAO collaborator, along with the UserCache, are typically shared directly with a DaoAuthenticationProvider. The authenticationEntryPoint property must be DigestAuthenticationEntryPoint, so that DigestAuthenticationFilter can obtain the correct realmName and key for digest calculations.

It’s not all true. Let’s take a look at the source code of DigestAuthenticationFilter

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    // omit code for simplicity

    // Compute the expected response-digest (will be in hex form)
    String serverDigestMd5;

    // Don't catch IllegalArgumentException (already checked validity)
    serverDigestMd5 = DigestAuthUtils.generateDigest(passwordAlreadyEncoded, username, realm, user.getPassword(),
                    request.getMethod(), uri, qop, nonce, nc, cnonce);
    // omit code for simplicty
}

Digging a little more into the method generateDigest of the class DigestAuthUtils, we have:

static String generateDigest(boolean passwordAlreadyEncoded, String username, String realm, String password,
                                        String httpMethod, String uri, String qop, String nonce, String nc, String cnonce)
            throws IllegalArgumentException {
    String a1Md5 = null;
    String a2 = httpMethod + ":" + uri;
    String a2Md5 = md5Hex(a2);

    if (passwordAlreadyEncoded) {
        a1Md5 = password;
    } else {
        a1Md5 = DigestAuthUtils.encodePasswordInA1Format(username, realm, password);
    }

   // The rest of the code

A little more into encodePasswordInA1Format of DigestAuthUtils:

static String encodePasswordInA1Format(String username, String realm, String password) {
    String a1 = username + ":" + realm + ":" + password;
    String a1Md5 = md5Hex(a1);

    return a1Md5;
}

From here, if we set the property passwordAlreadyEncoded of DigestAuthenticationFilter to true and create a suitable password encoder and salt source, we can make Spring Security digest authentication work with our tailored password encoder, salt source. Let’s create them:

package com.mycompany.myproject;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.Assert;

public class DigestAuthenticationAwareSaltSource implements SaltSource, InitializingBean {

    private String digestRealm;

    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.hasText(digestRealm, "A Digest Realm must be set");
    }

    @Override
    public Object getSalt(UserDetails user) {
        return String.format("%s:%s:", user.getUsername(), digestRealm);
    }

    public void setDigestRealm(String digestRealm) {
        this.digestRealm = digestRealm;
    }
}
package com.mycompany.myproject;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.dao.DataAccessException;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.codec.Hex;

public class DigestAuthenticationAwarePasswordEncoder implements PasswordEncoder {

    @Override
    public String encodePassword(String rawPass, Object salt) throws DataAccessException {
        String a1 = salt + rawPass;
        return md5Hex(a1);
    }

    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) throws DataAccessException {
        String calculatedPass = md5Hex(salt + rawPass);
        return calculatedPass.equals(encPass);
    }

    private String md5Hex(String data) {
        MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No MD5 algorithm available!");
        }

        return new String(Hex.encode(digest.digest(data.getBytes())));
    }
}

And now you can do Digest Authentication with encoded password in Spring Security!