Processes an HTTP request's Digest authorization headers, putting the result into the SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to RFC 2617 (which superseded RFC 2069, although this filter supports clients that implement either RFC 2617 or RFC 2069).
This filter can be used to provide Digest authentication services both to remoting protocol clients (such as Hessian and SOAP) and to standard user agents (such as Internet Explorer and Firefox).
This Digest implementation has been designed to avoid needing to store session state between invocations. All session management information is stored in the "nonce" that is sent to the client by the DigestAuthenticationEntryPoint.
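The two response forms this filter accepts (RFC 2617 with qop=auth, and the older RFC 2069 form without qop) and the "all state lives in the nonce" idea are shown below in an added Python example. It is not Spring Security's code: the nonce layout (an expiry timestamp plus an HMAC over it under a server-side key) is an assumed design that illustrates a self-verifying, stateless nonce, not the exact format DigestAuthenticationEntryPoint emits. The server key, realm, credential store and header values are constructed sample data; the one real test vector is the RFC 2617 example (user Mufasa, realm testrealm@host.com).

```python
"""Stateless HTTP Digest verification: RFC 2617 (qop=auth) and RFC 2069 response forms.

Added example, not Spring Security code. The nonce design (expiry + HMAC under a
server key) is an assumption illustrating state-free nonces, not Spring's format.
"""
import base64
import hashlib
import hmac
import re
import time
from typing import Optional

NONCE_KEY = b"constructed-server-side-secret"  # constructed placeholder; keep private in practice
NONCE_VALIDITY_SECONDS = 300


def md5_hex(text: str) -> str:
    # MD5 is what RFC 2617/2069 mandate for Digest; it is a protocol requirement here.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_nonce(now: Optional[int] = None) -> str:
    """Issue a self-verifying nonce: base64(expiry ':' HMAC-SHA256(expiry))."""
    expiry = (int(time.time()) if now is None else now) + NONCE_VALIDITY_SECONDS
    tag = hmac.new(NONCE_KEY, str(expiry).encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{expiry}:{tag}".encode()).decode()


def nonce_is_valid(nonce: str, now: Optional[int] = None) -> bool:
    """Accept only nonces this server issued (HMAC matches) and that have not expired."""
    try:
        expiry_str, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        expiry = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed, forged or truncated nonce
    expected = hmac.new(NONCE_KEY, str(expiry).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return (int(time.time()) if now is None else now) < expiry


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (q or b.strip())
            for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,]*))', params)}


def compute_response(username, realm, password, method, uri, nonce,
                     qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 response when qop is present; RFC 2069 form when qop is absent."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")                  # RFC 2069
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("unsupported qop or missing nc/cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")  # RFC 2617


def verify_request(method: str, header: str, lookup_password, now: Optional[int] = None) -> bool:
    """Server-side check: nonce we issued and still fresh, known user, matching response."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    if not nonce_is_valid(p.get("nonce", ""), now):
        return False
    password = lookup_password(p.get("username", ""))
    if password is None:
        return False
    try:
        expected = compute_response(p["username"], p["realm"], password, method, p["uri"],
                                    p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    users = {"mufasa": "Circle Of Life"}  # constructed sample credential store
    now = 1_700_000_000
    nonce = make_nonce(now)
    resp = compute_response("mufasa", "example.realm", users["mufasa"], "GET",
                            "/dir/index.html", nonce, qop="auth", nc="00000001", cnonce="0a4f113b")
    header = (f'Digest username="mufasa", realm="example.realm", nonce="{nonce}", '
              f'uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="{resp}"')
    print("fresh request:  ", verify_request("GET", header, users.get, now))
    print("expired nonce:  ", verify_request("GET", header, users.get, now + 1000))
```

Because the nonce carries its own expiry and integrity tag, the server needs no per-client table to reject a replayed or forged nonce; it only needs its key. The password lookup is a callable so the same check works against any credential store, and all comparisons of secret-derived values use hmac.compare_digest.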
If authentication is successful, the resulting org.springframework.security.core.Authentication object will be placed into the SecurityContextHolder.
If authentication fails, an org.springframework.security.web.AuthenticationEntryPoint implementation is called. This must always be DigestAuthenticationEntryPoint, which will prompt the user to authenticate again via Digest authentication.
Note that there are limitations to Digest authentication, although it is a more comprehensive and secure solution than Basic authentication. Please see RFC 2617 section 4 for a full discussion of the advantages of Digest authentication over Basic authentication, including commentary on the limitations that it still imposes.