search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
**** Merged from MCS ****
[mono-project.git] / mcs / class / Mono.Http / Mono.Http.Modules / DigestAuthenticationModule.cs
blobfe55fe17768096c150086a2ef655f316e24c668e
1 //
2 // Digest Authentication implementation
3 //
4 // Authors:
5 // Greg Reinacker (gregr@rassoc.com)
6 // Sebastien Pouliot (spouliot@motus.com)
7 //
8 // Copyright 2002-2003 Greg Reinacker, Reinacker & Associates, Inc. All rights reserved.
9 // Portions (C) 2003 Motus Technologies Inc. (http://www.motus.com)
10 //
11 // Original source code available at
12 // http://www.rassoc.com/gregr/weblog/stories/2002/07/09/webServicesSecurityHttpDigestAuthenticationWithoutActiveDirectory.html
13 //
14
15 //
16 // Permission is hereby granted, free of charge, to any person obtaining
17 // a copy of this software and associated documentation files (the
18 // "Software"), to deal in the Software without restriction, including
19 // without limitation the rights to use, copy, modify, merge, publish,
20 // distribute, sublicense, and/or sell copies of the Software, and to
21 // permit persons to whom the Software is furnished to do so, subject to
22 // the following conditions:
23 //
24 // The above copyright notice and this permission notice shall be
25 // included in all copies or substantial portions of the Software.
26 //
27 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
28 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
29 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
30 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
31 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
32 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
33 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
34 //
35
36 using System;
37 using System.Collections.Specialized;
38 using System.Configuration;
39 using System.IO;
40 using System.Security.Cryptography;
41 using System.Security.Principal;
42 using System.Text;
43 using System.Web;
44 using System.Xml;
45
46 namespace Mono.Http.Modules
47 {
48 public class DigestAuthenticationModule : AuthenticationModule
49 {
50 // TODO: Digest.Nonce.Lifetime="0" Never expires
51 static int nonceLifetime = 60;
52 static char[] trim = {'='};
53
54 public DigestAuthenticationModule () : base ("Digest") {}
55
56 protected virtual bool IsValidNonce (string nonce)
57 {
58 DateTime expireTime;
59
60 // pad nonce on the right with '=' until length is a multiple of 4
61 int numPadChars = nonce.Length % 4;
62 if (numPadChars > 0)
63 numPadChars = 4 - numPadChars;
64 string newNonce = nonce.PadRight(nonce.Length + numPadChars, '=');
65
66 try {
67 byte[] decodedBytes = Convert.FromBase64String(newNonce);
68 string expireStr = new ASCIIEncoding().GetString(decodedBytes);
69 expireTime = DateTime.Parse(expireStr);
70 }
71 catch (FormatException e) {
72 return false;
73 }
74
75 return (DateTime.Now <= expireTime);
76 }
77
78 protected virtual bool GetUserByName (HttpApplication app, string username,
79 out string password, out string[] roles)
80 {
81 password = String.Empty;
82 roles = new string[0];
83
84 string userFileName = app.Request.MapPath (ConfigurationSettings.AppSettings ["Digest.Users"]);
85 if (userFileName == null || !File.Exists (userFileName))
86 return false;
87
88 XmlDocument userDoc = new XmlDocument ();
89 userDoc.Load (userFileName);
90
91 string xPath = String.Format ("/users/user[@name='{0}']", username);
92 XmlNode user = userDoc.SelectSingleNode (xPath);
93
94 if (user == null)
95 return false;
96
97 password = user.Attributes ["password"].Value;
98
99 XmlNodeList roleNodes = user.SelectNodes ("role");
100 roles = new string [roleNodes.Count];
101 int i = 0;
102 foreach (XmlNode xn in roleNodes)
103 roles [i++] = xn.Attributes ["name"].Value;
104
105 return true;
106 }
107
108 protected override bool AcceptCredentials (HttpApplication app, string authentication)
109 {
110 // digest
111 ListDictionary reqInfo = new ListDictionary ();
112
113 string[] elems = authentication.Split( new char[] {','});
114 foreach (string elem in elems) {
115 // form key="value"
116 string[] parts = elem.Split (new char[] {'='}, 2);
117 string key = parts [0].Trim (new char[] {' ','\"'});
118 string val = parts [1].Trim (new char[] {' ','\"'});
119 reqInfo.Add (key,val);
120 }
121
122 string username = (string) reqInfo ["username"];
123 string password;
124 string[] roles;
125
126 if (!GetUserByName (app, username, out password, out roles))
127 return false;
128
129 string realm = ConfigurationSettings.AppSettings ["Digest.Realm"];
130
131 // calculate the Digest hashes
132
133 // A1 = unq(username-value) ":" unq(realm-value) ":" passwd
134 string A1 = String.Format ("{0}:{1}:{2}", username, realm, password);
135
136 // H(A1) = MD5(A1)
137 string HA1 = GetMD5HashBinHex (A1);
138
139 // A2 = Method ":" digest-uri-value
140 string A2 = String.Format ("{0}:{1}", app.Request.HttpMethod, (string)reqInfo["uri"]);
141
142 // H(A2)
143 string HA2 = GetMD5HashBinHex(A2);
144
145 // KD(secret, data) = H(concat(secret, ":", data))
146 // if qop == auth:
147 // request-digest = <"> < KD ( H(A1), unq(nonce-value)
148 // ":" nc-value
149 // ":" unq(cnonce-value)
150 // ":" unq(qop-value)
151 // ":" H(A2)
152 // ) <">
153 // if qop is missing,
154 // request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
155
156 string unhashedDigest;
157 if (reqInfo["qop"] != null) {
158 unhashedDigest = String.Format("{0}:{1}:{2}:{3}:{4}:{5}",
159 HA1,
160 (string)reqInfo["nonce"],
161 (string)reqInfo["nc"],
162 (string)reqInfo["cnonce"],
163 (string)reqInfo["qop"],
164 HA2);
165 }
166 else {
167 unhashedDigest = String.Format("{0}:{1}:{2}",
168 HA1,
169 (string)reqInfo["nonce"],
170 HA2);
171 }
172
173 string hashedDigest = GetMD5HashBinHex (unhashedDigest);
174
175 bool isNonceStale = !IsValidNonce((string)reqInfo["nonce"]);
176 app.Context.Items["staleNonce"] = isNonceStale;
177
178 bool result = (((string)reqInfo["response"] == hashedDigest) && (!isNonceStale));
179 if (result) {
180 IIdentity id = new GenericIdentity (username, AuthenticationMethod);
181 app.Context.User = new GenericPrincipal (id, roles);
182 }
183 return result;
184 }
185
186 #region Event Handlers
187
188 public override void OnEndRequest(object source, EventArgs eventArgs)
189 {
190 // We add the WWW-Authenticate header here, so if an authorization
191 // fails elsewhere than in this module, we can still request authentication
192 // from the client.
193
194 HttpApplication app = (HttpApplication) source;
195 if (app.Response.StatusCode != 401 || !AuthenticationRequired)
196 return;
197
198 string realm = ConfigurationSettings.AppSettings ["Digest.Realm"];
199 string nonce = GetCurrentNonce ();
200 bool isNonceStale = false;
201 object staleObj = app.Context.Items ["staleNonce"];
202 if (staleObj != null)
203 isNonceStale = (bool)staleObj;
204
205 StringBuilder challenge = new StringBuilder ("Digest realm=\"");
206 challenge.Append(realm);
207 challenge.Append("\"");
208 challenge.Append(", nonce=\"");
209 challenge.Append(nonce);
210 challenge.Append("\"");
211 challenge.Append(", opaque=\"0000000000000000\"");
212 challenge.Append(", stale=");
213 challenge.Append(isNonceStale ? "true" : "false");
214 challenge.Append(", algorithm=MD5");
215 challenge.Append(", qop=\"auth\"");
216
217 app.Response.AppendHeader("WWW-Authenticate", challenge.ToString());
218 app.Response.StatusCode = 401;
219 }
220
221 #endregion
222
223 private string GetMD5HashBinHex (string toBeHashed)
224 {
225 MD5 hash = MD5.Create ();
226 byte[] result = hash.ComputeHash (Encoding.ASCII.GetBytes (toBeHashed));
227
228 StringBuilder sb = new StringBuilder ();
229 foreach (byte b in result)
230 sb.Append (b.ToString ("x2"));
231 return sb.ToString ();
232 }
233
234 protected virtual string GetCurrentNonce ()
235 {
236 DateTime nonceTime = DateTime.Now.AddSeconds (nonceLifetime);
237 byte[] expireBytes = Encoding.ASCII.GetBytes (nonceTime.ToString ("G"));
238 string nonce = Convert.ToBase64String (expireBytes);
239 // nonce can't end in '=', so trim them from the end
240 nonce = nonce.TrimEnd (trim);
241 return nonce;
242 }
243 }
244 }
Mirror of the official Mono project git repository