Improved DigestAuthenticationFilter Test Coverage

Issue: gh-5462

web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java

@@ -16,14 +16,8 @@
 
 package org.springframework.security.web.authentication.www;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-
 import java.io.IOException;
 import java.util.Map;
-
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -34,6 +28,7 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -47,6 +42,11 @@
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.util.StringUtils;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
 /**
  * Tests {@link DigestAuthenticationFilter}.
  *
@@ -110,8 +110,12 @@ private MockHttpServletResponse executeFilterInContainerSimulator(Filter filter,
 	}
 
 	private static String generateNonce(int validitySeconds) {
+		return generateNonce(validitySeconds, KEY);
+	}
+
+	private static String generateNonce(int validitySeconds, String key) {
 		long expiryTime = System.currentTimeMillis() + (validitySeconds * 1000);
-		String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + KEY);
+		String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + key);
 		String nonceValue = expiryTime + ":" + signatureValue;
 
 		return new String(Base64.encodeBase64(nonceValue.getBytes()));
@@ -172,6 +176,22 @@ public void testExpiredNonceReturnsForbiddenWithStaleHeader() throws Exception {
 		assertThat(headerMap.get("stale")).isEqualTo("true");
 	}
 
+	@Test
+	public void doFilterWhenNonceHasBadKeyThenGeneratesError() throws Exception {
+		String badNonce = generateNonce(60, "badkey");
+		String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
+				PASSWORD, "GET", REQUEST_URI, QOP, badNonce, NC, CNONCE);
+
+		request.addHeader("Authorization", createAuthorizationHeader(USERNAME, REALM,
+				badNonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
+
+		MockHttpServletResponse response =
+				executeFilterInContainerSimulator(filter, request, false);
+
+		assertThat(response.getStatus()).isEqualTo(401);
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+	}
+
 	@Test
 	public void testFilterIgnoresRequestsContainingNoAuthorizationHeader()
 			throws Exception {