AuthenticationSecretTokenInterceptor
This interceptor looks for a secret token on an incoming XDI message, and invokes an instance of SecretTokenAuthenticator to authenticate the message.
- secretTokenAuthenticator: An instance of SecretTokenAuthenticator that can authenticate an XDI message based on the secret token it contains.
- xdi2.messaging.target.interceptor.impl.authentication.secrettoken.AuthenticationSecretTokenInterceptor
- xdi2.messaging.target.interceptor.impl.authentication.secrettoken.SecretTokenAuthenticator
- xdi2.messaging.target.interceptor.impl.authentication.secrettoken.StaticSecretTokenAuthenticator
- xdi2.messaging.target.interceptor.impl.authentication.secrettoken.GraphSecretTokenAuthenticator
This SecretTokenAuthenticator can authenticate an XDI message using a statically configured list of sender addresses and secret tokens in digest form.
- globalSalt: The global salt to use for the digest algorithm.
- localSaltAndDigestSecretTokens: The statically configured list of sender addresses and secret tokens in digest form.
```xml
<bean class="xdi2.messaging.target.interceptor.impl.authentication.secrettoken.AuthenticationSecretTokenInterceptor">
  <property name="secretTokenAuthenticator">
    <bean class="xdi2.messaging.target.interceptor.impl.authentication.secrettoken.StaticSecretTokenAuthenticator">
      <property name="globalSalt" value="00000000-0000-0000-0000-000000000000" />
      <property name="localSaltAndDigestSecretTokens">
        <util:map>
          <entry key="[=]!:uuid:bdf301fb-e70c-3958-bdf3-01fbe70c3958" value="xdi2-digest:00000000-0000-0000-0000-000000000000:a7292f2347aef29a9e4c05d35764019106143a339b6e9bb39faee53103e1d6f55e49213d77d16a326a91bab0fc6885779d04e2e4470125720860cf54f872b3bb" />
        </util:map>
      </property>
    </bean>
  </property>
</bean>
```
This SecretTokenAuthenticator can authenticate an XDI message using a "secret token graph", which contains sender addresses and secret tokens in digest form. This "secret token graph" may be the same as the "registry graph" of the RegistryGraphMessagingTargetFactory.
- globalSalt: The global salt to use for the digest algorithm.
- secretTokenGraph: The secret token graph.
```xml
<bean class="xdi2.messaging.target.interceptor.impl.authentication.secrettoken.AuthenticationSecretTokenInterceptor">
  <property name="secretTokenAuthenticator">
    <bean class="xdi2.messaging.target.interceptor.impl.authentication.secrettoken.GraphSecretTokenAuthenticator">
      <property name="globalSalt" value="00000000-0000-0000-0000-000000000000" />
      <property name="secretTokenGraph" ref="registryGraph" />
    </bean>
  </property>
</bean>
```

```
([=]!:uuid:bdf301fb-e70c-3958-bdf3-01fbe70c3958!1111)$digest$secret<$token>/&/"xdi2-digest:00000000-0000-0000-0000-000000000000:5d5f2cb0e49676fffc02c74e0006eee9f0f2cdecf328456dcaa8e4e3fb5de54fd825bab811dc53c69a2e5bffac0fae0837eb5bd3ac4f165b534a26630fa1cb5f"
([=]!:uuid:bdf301fb-e70c-3958-bdf3-01fbe70c3958!2222)$digest$secret<$token>/&/"xdi2-digest:00000000-0000-0000-0000-000000000000:08bde25cc3e4e77baa80ef4c2e16db1be63005f468baadeb4524ebef5c106d557f2f9c1cb978ff6b4395e7aa3d8faed88ca22881b283256aca3666d9886892c8"
```

```
($do$if/$true){$msg}<$secret><$token><$valid>/&/true
```
Both the StaticSecretTokenAuthenticator and the GraphSecretTokenAuthenticator store secret tokens in a digest form, and they use a "global salt" as well as individual "local salts" in the digest algorithm. The "global salt" is part of the SecretTokenAuthenticator configuration, and the "local salts" are stored alongside the digests. All salts are UUIDs. The digest algorithm is as follows:
```
digest_secret_token = SHA-512 ( global_salt + ":" + local_salt + ":" + SHA-512 ( global_salt + ":" + base64 ( secret_token ) ) )
```
The StaticSecretTokenAuthenticator is primarily meant for simple use cases. The GraphSecretTokenAuthenticator is more secure, since it stores the "global salt" separately from the "local salts".
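As an added example (not the XDI2 project's own code), the following Python implements the digest formula above and the verification step an authenticator performs against a stored `xdi2-digest:<local_salt>:<digest>` entry, keyed by sender address as in the static map. It assumes each SHA-512 output is hex-encoded before concatenation (matching the 128-character digests in the configuration above) and that strings are UTF-8; the global salt, local salt and token values are constructed samples.

```python
import base64
import hashlib
import hmac
import uuid
from typing import Dict, Optional

DIGEST_PREFIX = "xdi2-digest"

# Constructed sample values; a real deployment generates its own random UUIDs.
SAMPLE_GLOBAL_SALT = "3f1c2a9e-7b4d-4e1a-9c0f-2d6b8a5e4c71"
SAMPLE_LOCAL_SALT = "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"
SAMPLE_SENDER = "[=]!:uuid:bdf301fb-e70c-3958-bdf3-01fbe70c3958"  # sender address from the page


def digest_secret_token(secret_token: str, global_salt: str, local_salt: str) -> str:
    """SHA-512(global + ":" + local + ":" + SHA-512(global + ":" + base64(token))), hex-encoded.

    Assumption: each SHA-512 output is hex-encoded before it is concatenated.
    """
    token_b64 = base64.b64encode(secret_token.encode("utf-8")).decode("ascii")
    inner = hashlib.sha512(f"{global_salt}:{token_b64}".encode("utf-8")).hexdigest()
    return hashlib.sha512(f"{global_salt}:{local_salt}:{inner}".encode("utf-8")).hexdigest()


def make_stored_digest(secret_token: str, global_salt: str, local_salt: Optional[str] = None) -> str:
    """Build the 'xdi2-digest:<local_salt>:<digest>' form kept in the static map or the graph."""
    if local_salt is None:
        local_salt = str(uuid.uuid4())  # local salts are UUIDs stored beside the digest
    return f"{DIGEST_PREFIX}:{local_salt}:{digest_secret_token(secret_token, global_salt, local_salt)}"


def verify_secret_token(presented: str, stored: str, global_salt: str) -> bool:
    """Recompute the digest with the stored local salt and compare in constant time."""
    parts = stored.split(":", 2)
    if len(parts) != 3 or parts[0] != DIGEST_PREFIX:
        return False  # a malformed entry never authenticates
    _, local_salt, expected = parts
    actual = digest_secret_token(presented, global_salt, local_salt)
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))


def authenticate_message(sender: str, presented: str, table: Dict[str, str], global_salt: str) -> bool:
    """Static-style lookup: the message's sender address selects the digest to check against."""
    stored = table.get(sender)
    return stored is not None and verify_secret_token(presented, stored, global_salt)


if __name__ == "__main__":
    table = {SAMPLE_SENDER: make_stored_digest("correct-token", SAMPLE_GLOBAL_SALT, SAMPLE_LOCAL_SALT)}
    print(table[SAMPLE_SENDER])
    print(authenticate_message(SAMPLE_SENDER, "correct-token", table, SAMPLE_GLOBAL_SALT))  # True
    print(authenticate_message(SAMPLE_SENDER, "wrong-token", table, SAMPLE_GLOBAL_SALT))  # False
```

Note that a copy of the stored table without the global salt (the situation the GraphSecretTokenAuthenticator is designed for) is not enough to recompute or check a digest: verification with a different global salt fails.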
This work is licensed under a Creative Commons Attribution 4.0 International License.