Package io.undertow.security.impl
Class SimpleNonceManager
java.lang.Object
io.undertow.security.impl.SimpleNonceManager
- All Implemented Interfaces: NonceManager, SessionNonceManager
A default NonceManager implementation providing reasonable single-host management of nonces.

This NonceManager manages nonces in two groups. The first is the group allocated to new requests. This group is a problem: we want to limit how many we distribute so that storing too many cannot become a DoS, but we also do not want a high number of requests to push the other valid nonces out faster than they can be used. The second group is the set of nonces actively in use; these should be maintained, since for them we can also maintain the nonce count and even track the next nonce once the current one is invalid.

Maybe group one should be a timestamp and private key hashed together; if used with a nonce count they move to being tracked, to ensure the same count is not used again; if successfully used without a nonce count, add to a blacklist until expiration? A nonce used without a nonce count will essentially be single use, with each request getting a new nonce.

- Author: Darran Lofthouse
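The scheme the class comment floats for group one (a timestamp hashed together with a server-private key, so that a nonce can be checked without ever having been stored) as an added illustration. This is not SimpleNonceManager's own code: the StatelessNonce name, the HMAC-SHA256 construction, the base64 layout and the five-minute window are this example's choices, and it targets Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (not SimpleNonceManager's code) of the class comment's "timestamp and
 * private key hashed together" idea: a nonce the server can verify without having stored it,
 * so handing one to every unauthenticated request costs no server memory. Per-nonce state is
 * needed only once a nonce has been used, i.e. only after the credentials have been verified.
 */
public final class StatelessNonce {
    private final byte[] privateKey;   // server secret; never leaves the host
    private final long maxAgeMillis;   // how long an unused nonce stays acceptable

    public StatelessNonce(byte[] privateKey, long maxAgeMillis) {
        this.privateKey = privateKey.clone();
        this.maxAgeMillis = maxAgeMillis;
    }

    /** nonce = base64( timestamp ":" hex(HMAC-SHA256(privateKey, timestamp)) ). */
    public String create(long nowMillis) {
        String ts = Long.toString(nowMillis);
        String raw = ts + ":" + HexFormat.of().formatHex(mac(ts));
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.US_ASCII));
    }

    /** True only if the MAC is ours and the timestamp is inside the window. */
    public boolean isValid(String nonce, long nowMillis) {
        String raw;
        try {
            raw = new String(Base64.getDecoder().decode(nonce), StandardCharsets.US_ASCII);
        } catch (IllegalArgumentException e) {
            return false;                 // not base64, so not something we issued
        }
        int sep = raw.indexOf(':');
        if (sep <= 0) return false;
        long ts;
        try {
            ts = Long.parseLong(raw.substring(0, sep));
        } catch (NumberFormatException e) {
            return false;
        }
        byte[] expected = HexFormat.of().formatHex(mac(raw.substring(0, sep))).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = raw.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        // Constant-time compare: a timing leak here would let a client forge nonces.
        if (!MessageDigest.isEqual(expected, presented)) return false;
        long age = nowMillis - ts;
        return age >= 0 && age <= maxAgeMillis;
    }

    private byte[] mac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(privateKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        StatelessNonce nonces = new StatelessNonce(key, 5 * 60 * 1000L);
        long issued = System.currentTimeMillis();
        String nonce = nonces.create(issued);
        System.out.println("fresh nonce accepted:   " + nonces.isValid(nonce, issued + 1_000L));
        System.out.println("expired nonce accepted: " + nonces.isValid(nonce, issued + 6 * 60 * 1000L));
        // Tamper with the tail of the nonce: the MAC no longer matches, so it was not issued here.
        String forged = nonce.substring(0, nonce.length() - 4) + "AAAA";
        System.out.println("forged nonce accepted:  " + nonces.isValid(forged, issued + 1_000L));
    }
}
```

What this buys is the property the comment is after: issuing is free of server state, so a flood of unauthenticated challenges cannot fill a table, and the only state that ever has to exist is the replay tracking (nonce count, or single-use blacklist) that is created after a successful authentication. Note that a nonce of this form is still replayable on its own; the per-nonce tracking in the second group is what stops that.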
Constructor Summary
- SimpleNonceManager()

Method Summary
- void associateHash(String nonce, byte[] hash)
  Associate the supplied hash with the nonce specified.
- byte[] lookupHash(String nonce)
  Retrieve the existing hash associated with the nonce specified.
- String nextNonce(String lastNonce, HttpServerExchange exchange)
  Select the next nonce to be sent from the server, taking into account the last valid nonce.
- boolean validateNonce(String nonce, int nonceCount, HttpServerExchange exchange)
  Validate that a nonce can be used.
Constructor Details
- SimpleNonceManager
  public SimpleNonceManager()
- SimpleNonceManager
Method Details
- nextNonce
  public String nextNonce(String lastNonce, HttpServerExchange exchange)
  Description copied from interface: NonceManager
  Select the next nonce to be sent from the server, taking into account the last valid nonce. It is both possible and likely that the nonce last used by the client will still be valid; in that case the same nonce will be returned.
  Specified by: nextNonce in interface NonceManager
  Parameters:
  lastNonce - The last valid nonce received from the client, or null if we don't already have a nonce.
  Returns: The next nonce to be sent in a challenge to the client.
- validateNonce
  public boolean validateNonce(String nonce, int nonceCount, HttpServerExchange exchange)
  Description copied from interface: NonceManager
  Validate that a nonce can be used. If the nonce cannot be used but the related digest was correct, then a new nonce should be returned to the client indicating that the nonce was stale. For implementations of this interface this method is not expected to be idempotent, i.e. once a nonce is validated with a specific nonceCount it is not expected that this method will return true again if the same combination is presented. This method is expected to ONLY be called if the user's credentials are valid: a storage overhead could be incurred, and this overhead must not be reachable by unauthenticated clients.
  Specified by: validateNonce in interface NonceManager
  Parameters:
  nonce - The nonce received from the client.
  nonceCount - The nonce count from the client, or -1 if none was specified.
  Returns: true if the nonce can be used, otherwise false.
- associateHash
  public void associateHash(String nonce, byte[] hash)
  Description copied from interface: SessionNonceManager
  Associate the supplied hash with the nonce specified.
  Specified by: associateHash in interface SessionNonceManager
  Parameters:
  nonce - The nonce the hash is to be associated with.
  hash - The hash to associate.
- lookupHash
  public byte[] lookupHash(String nonce)
  Description copied from interface: SessionNonceManager
  Retrieve the existing hash associated with the nonce specified. If there is no association then null should be returned.
  Specified by: lookupHash in interface SessionNonceManager
  Parameters:
  nonce - The nonce the hash is required for.
  Returns: The associated hash, or null if there is no association.
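The two contract points above that matter most in practice are the ordering rule on validateNonce (call it only after the digest has proved the password, because it may allocate tracking state) and the associateHash/lookupHash pair (cache the HA1 against a nonce so later requests on that nonce need not touch the credential store). The following is an added example that drives a SimpleNonceManager through a minimal HTTP Digest (RFC 2617, qop=auth or no qop) verification in that order. It is not Undertow's own DigestAuthenticationMechanism; the DigestNonceFlow class, its Result/Outcome types, the passwordLookup function, the header parser and the constructed "alice" credential store are this example's assumptions. The main method passes null for the HttpServerExchange on the assumption that SimpleNonceManager, which the class comment describes as host-level rather than session-level management, does not inspect it; a real handler passes the live exchange. Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import io.undertow.security.api.NonceManager;
import io.undertow.security.api.SessionNonceManager;
import io.undertow.security.impl.SimpleNonceManager;
import io.undertow.server.HttpServerExchange;

/** Added example (Java 17+), not Undertow's own DigestAuthenticationMechanism. */
public final class DigestNonceFlow {
    public enum Result { AUTHENTICATED, BAD_CREDENTIALS, STALE_NONCE }
    /** nextNonce goes into the next WWW-Authenticate challenge; null once authenticated. */
    public record Outcome(Result result, String nextNonce) {}
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]*))");
    private final String realm;
    private final NonceManager nonces;
    private final Function<String, String> passwordLookup; // hypothetical credential store

    public DigestNonceFlow(String realm, NonceManager nonces, Function<String, String> passwordLookup) {
        this.realm = realm; this.nonces = nonces; this.passwordLookup = passwordLookup;
    }
    /** First challenge: the client has no nonce yet. */
    public String challenge(HttpServerExchange exchange) { return nonces.nextNonce(null, exchange); }

    public Outcome verify(String method, String authorization, HttpServerExchange exchange) {
        Map<String, String> p = parseDigestHeader(authorization);
        String user = p.get("username"), nonce = p.get("nonce"), uri = p.get("uri"), response = p.get("response");
        String qop = p.get("qop"), nc = p.get("nc"), cnonce = p.get("cnonce");
        if (user == null || nonce == null || uri == null || response == null) return reject(exchange);
        // HA1 = MD5(user:realm:password); reuse the HA1 a SessionNonceManager associated with this nonce earlier.
        byte[] ha1 = nonces instanceof SessionNonceManager s ? s.lookupHash(nonce) : null;
        if (ha1 == null) {
            String password = passwordLookup.apply(user);
            if (password == null) return reject(exchange);
            ha1 = hex(md5(user + ":" + realm + ":" + password)).getBytes(StandardCharsets.US_ASCII);
        }
        String ha1Hex = new String(ha1, StandardCharsets.US_ASCII), ha2 = hex(md5(method + ":" + uri)), expected;
        int nonceCount;
        if (qop == null) {                   // no qop means no nonce count: -1 is the documented marker
            expected = hex(md5(ha1Hex + ":" + nonce + ":" + ha2)); nonceCount = -1;
        } else {
            if (!"auth".equals(qop) || nc == null || cnonce == null) return reject(exchange);
            expected = hex(md5(ha1Hex + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2));
            try { nonceCount = Integer.parseInt(nc, 16); } catch (NumberFormatException e) { return reject(exchange); }
        }
        // Constant-time check of the password proof; on failure the nonce manager is never consulted,
        // so an unauthenticated client cannot make it allocate tracking state.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                   response.getBytes(StandardCharsets.US_ASCII))) return reject(exchange);
        // Only now, with the credentials proven, may state be spent on this nonce.
        if (!nonces.validateNonce(nonce, nonceCount, exchange)) {
            // Right digest, exhausted or replayed nonce: re-challenge with stale=true and the replacement nonce.
            return new Outcome(Result.STALE_NONCE, nonces.nextNonce(nonce, exchange));
        }
        if (nonces instanceof SessionNonceManager s) s.associateHash(nonce, ha1);
        return new Outcome(Result.AUTHENTICATED, null);
    }

    private Outcome reject(HttpServerExchange exchange) {
        return new Outcome(Result.BAD_CREDENTIALS, nonces.nextNonce(null, exchange));
    }
    static Map<String, String> parseDigestHeader(String header) {
        Map<String, String> m = new HashMap<>();
        if (header == null || !header.regionMatches(true, 0, "Digest ", 0, 7)) return m;
        Matcher mt = PARAM.matcher(header.substring(7));
        while (mt.find()) m.put(mt.group(1), mt.group(2) != null ? mt.group(2) : mt.group(3));
        return m;
    }
    static byte[] md5(String s) {
        try { return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    static String hex(byte[] b) { return HexFormat.of().formatHex(b); }

    /** Client side of the same computation; used only to build the sample headers in main. */
    static String clientHeader(String user, String pw, String realm, String nonce, String nc, String method, String uri) {
        String ha1 = hex(md5(user + ":" + realm + ":" + pw)), ha2 = hex(md5(method + ":" + uri)), cnonce = "0a4f113b";
        String resp = hex(md5(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2));
        return "Digest username=\"" + user + "\", realm=\"" + realm + "\", nonce=\"" + nonce + "\", uri=\"" + uri
             + "\", qop=auth, nc=" + nc + ", cnonce=\"" + cnonce + "\", response=\"" + resp + "\"";
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("alice", "s3cret");      // constructed sample credential store
        DigestNonceFlow flow = new DigestNonceFlow("example", new SimpleNonceManager(), users::get);
        HttpServerExchange exchange = null; // ASSUMPTION: SimpleNonceManager does not inspect the exchange
        String nonce = flow.challenge(exchange);
        String h1 = clientHeader("alice", "s3cret", "example", nonce, "00000001", "GET", "/");
        System.out.println("nc=1:           " + flow.verify("GET", h1, exchange).result());
        System.out.println("nc=1 replayed:  " + flow.verify("GET", h1, exchange).result());
        String h2 = clientHeader("alice", "s3cret", "example", nonce, "00000002", "GET", "/");
        System.out.println("nc=2:           " + flow.verify("GET", h2, exchange).result());
        String bad = clientHeader("alice", "wrong", "example", nonce, "00000003", "GET", "/");
        System.out.println("wrong password: " + flow.verify("GET", bad, exchange).result());
    }
}
```

The order of the checks is the whole point: a wrong password returns before validateNonce is reached, so the only way to make the manager record anything is to already hold the credentials. By the non-idempotence rule documented above, presenting the same nonce and nonce count a second time is expected to fail validateNonce, and the handler answers that with stale=true plus the nonce nextNonce returns for lastNonce (which, per its contract, may be the same nonce if it is still valid) rather than a bare 401, so a well-behaved client retries without prompting for the password again. The hash stored through associateHash is the HA1, not the password, so what the nonce manager holds is only ever what an attacker could already derive from a captured valid exchange.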