Spring Security - How to use Digest Authentication?

We will start with What Digest Authentication is and then do project setup and run the example using postman.

1. What is Digest Authentication?

Let's start building simple Spring Boot application with Digest Authentication using Spring Security.

2. Project setup

We will use spring-boot-starter-security as maven dependency for Spring Security.

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>

3. Digest Authentication related Java Configuration

@Bean
DigestAuthenticationFilter digestFilter(DigestAuthenticationEntryPoint digestAuthenticationEntryPoint, UserCache digestUserCache, UserDetailsService userDetailsService) {
DigestAuthenticationFilter filter = new DigestAuthenticationFilter();
filter.setAuthenticationEntryPoint(digestAuthenticationEntryPoint);
filter.setUserDetailsService(userDetailsService);
filter.setUserCache(digestUserCache);
return filter;
}

@Bean
UserCache digestUserCache() throws Exception {
return new SpringCacheBasedUserCache(new ConcurrentMapCache("digestUserCache"));
}

@Bean
DigestAuthenticationEntryPoint digestAuthenticationEntry() {
DigestAuthenticationEntryPoint digestAuthenticationEntry = new DigestAuthenticationEntryPoint();
digestAuthenticationEntry.setRealmName("BLOG.GAURAV.CC");
digestAuthenticationEntry.setKey("Sup3rSecret");
digestAuthenticationEntry.setNonceValiditySeconds(60);
return digestAuthenticationEntry;
}

You need to register DigestAuthenticationFilter in your spring context. DigestAuthenticationFilter requires DigestAuthenticationEntryPoint and UserDetailsService to authenticate user.

The purpose of the DigestAuthenticationEntryPoint is to send the valid nonce back to the user if authentication fails or to enforce the authentication.

The purpose of UserDetailsService is to provide UserDetails like password and list of role for that user. UserDetailsService is an interface. I have implemented it with DummyUserDetailsService which loads every passed userName's details. But, you can restrict it to some few user or make it Database backed. One thing to remember is the password passed need to be in plain text format here. You can also use InMemoryUserDetailsManager for storing handful of user configured either through Java configuration or with xml based configuration which could access your application.

In the example, I also have used the caching for UserDetails. I have used SpringBasedUserCache and underlying cache is ConcurrentMapCache. You can use any other caching solution of your choice.

3. Running the example

You can download the example code from Github. I will be using Postman to run the example. Here are the few steps you need to follow.

  1. Open postman and enter url (localhost:8082).
  2. Click on Authorization tab below the url and select Digest Auth from Type dropdown.
  3. Enter username(gaurav), realm(BLOG.GAURAV.CC), password(pwd), algorithm(MD5) and leave nonce as empty. Click Send button.
  4. You will get 401 unauthorized as response like below.

Digest Authenication nonce response

  1. If you see the Headers from the response, you will see WWW-Authenticate header. Copy the value of nonce field and enter in the nonce textfield.
  2. Click on Send Button. Voila!!! You got the valid response.

Digest Authenication nonce response

This is how we implement Digest Authentication with Spring Security. I hope you find this post informative and helpful.



Tags: Spring Framework, Spring Security, Spring Boot, Spring Security Digest Authentication example, Digest Authentication Example

← Back home