Package io.milton.gae

Class AppEngineMemcacheNonceProvider

java.lang.Object
io.milton.gae.AppEngineMemcacheNonceProvider
All Implemented Interfaces:
NonceProvider
public class AppEngineMemcacheNonceProvider extends Object implements NonceProvider
Uses google's memcache implementation to store nonces which are available across the cluster. Note that memcache access is **not secure** so these nonce values will be accessible by other applications. However, the since nonce's are public information anyway (ie they are sent in clear text in http request and responses) then that should not cause any security problems.
Author:
Scott Hernandez

  • Field Details

    • nonceValiditySeconds

      protected final int nonceValiditySeconds

    • enableNonceCountChecking

      protected boolean enableNonceCountChecking

    • memcache

      protected final com.google.appengine.api.memcache.MemcacheService memcache

  • Constructor Details

    • AppEngineMemcacheNonceProvider

      public AppEngineMemcacheNonceProvider(int nonceValiditySeconds)

  • Method Details

    • createNonce

      public String createNonce(Request request)
      Description copied from interface: NonceProvider
      Create and return a nonce value to be used for an authentication session.
      Specified by:
      createNonce in interface NonceProvider
      Parameters:
      request - - the current request
      Returns:
      - some string to be used as a nonce value.

    • getNonceValidity

      public NonceProvider.NonceValidity getNonceValidity(String nonce, Long nc)
      Description copied from interface: NonceProvider
      Check to see if the given nonce is known. If known, is it still valid or has it expired. The request may also be considered invalid if the nonceCount value is non-null and is not greater then any previous value for the valid nonce value.
      Specified by:
      getNonceValidity in interface NonceProvider
      Parameters:
      nonce - - the nonce value given by a client to be checked.
      nc - - may be null for non-auth requests. otherwise this should be a monotonically increasing value. The server should record the previous value and ensure that this value is greater then any previously given.
      Returns:

    • isEnableNonceCountChecking

      public boolean isEnableNonceCountChecking()
      IE seems to send nc (nonce count) parameters out of order. To correctly implement checking we need to record which nonces have been sent, and not assume they will be sent in a monotonically increasing sequence. The quick fix here is to disable checking of the nc param, since other common servers seem to do so to. Note that this will allow replay attacks.
      Returns:

    • setEnableNonceCountChecking

      public void setEnableNonceCountChecking(boolean enableNonceCountChecking)