I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way.
As far as I understand I could not use a table with hashed passwords. It is only possibly to store HA1 = MD5(username:realm:password) where a clear text password is required - correct?
On the other hand it seems to be possible to use hashed passwords with Apache httpd:
Apache httpd doc says:
The first column value of the first row returned by the query statement should be a string containing the encrypted password.
Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?
RFC 2617 says:
4.13 Storing passwords
Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's name and password in a "password file" associated with a given realm. Normally this might contain pairs consisting of username and H(A1), where H(A1) is the digested value of the username, realm, and password as described above.
It sounds like the password has to be clear text.
The Servlet 3.0 spec says:
Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be avaialble to the authenticating container so that it can validate received authenticators by calculating the expected digest.
What is the "clear text password equivalent" here? The password hash?
Tomcat documentation says:
If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.
Here is a clear text password required.
So, can HTTP Digest authentication be used with already encrypted passwords or have the passwords to be clear text?
Must the user re-enter his credentials if he requests a page from a different subdomain?
Does the browser delete the cached password when the tab is closed or only when the whole is closed? Maybe this differs from browser to browser - I'd be interested in which browser delete it and which keep it.
The overall question is, whether digest authentication is suitable for my scenario with a central user db with already encrypted passwords. Or should I better use session based single sign on service?