I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way.

As far as I understand I could not use a table with hashed passwords. It is only possible to store HA1 = MD5(username:realm:password), where a clear text password is required - correct?

On the other hand it seems to be possible to use hashed passwords with Apache httpd:

Apache httpd doc says:

The first column value of the first row returned by the query statement should be a string containing the encrypted password.

Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?

RFC 2617 says:

4.13 Storing passwords

Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's name and password in a "password file" associated with a given realm. Normally this might contain pairs consisting of username and H(A1), where H(A1) is the digested value of the username, realm, and password as described above.

It sounds like the password has to be clear text.

The Servlet 3.0 spec says:

Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.

What is the "clear text password equivalent" here? The password hash?

Tomcat documentation says:

If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.

Here is a clear text password required.

So, can HTTP Digest authentication be used with already encrypted passwords, or do the passwords have to be clear text?

Must the user re-enter his credentials if he requests a page from a different subdomain?

Does the browser delete the cached password when the tab is closed or only when the whole browser is closed? Maybe this differs from browser to browser - I'd be interested in which browsers delete it and which keep it.

The overall question is whether digest authentication is suitable for my scenario with a central user db with already encrypted passwords. Or should I rather use a session-based single sign-on service?
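To make the HA1 point concrete, here is an added example (my own code, not from the question, RFC 2617, Apache httpd or Tomcat) of the full RFC 2617 computation with qop=auth: the client derives HA1 from the password and answers the challenge, the server verifies using nothing but the stored HA1, and anyone holding that HA1 can answer the same challenge without knowing the password, which is what "clear text password equivalent" means. The test vector (Mufasa / "Circle Of Life") is the worked example in RFC 2617 section 3.5; the testUser/localhost:8080 realm follows the Tomcat doc quoted above, and the nonce, cnonce and URI in `demo()` are constructed for this example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """MD5 hex digest of a UTF-8 string (RFC 2617 Digest uses MD5)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server needs to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestUserStore:
    """Server-side 'password file': maps (username, realm) to HA1, never the password."""

    def __init__(self) -> None:
        self._ha1_by_user = {}  # (username, realm) -> HA1 hex string

    def enroll(self, username: str, realm: str, password: str) -> None:
        # The cleartext is needed exactly once, here. Because the realm is part of
        # HA1, a shared database must hold one HA1 per realm a user may log in to.
        self._ha1_by_user[(username, realm)] = compute_ha1(username, realm, password)

    def verify(self, username: str, realm: str, method: str, uri: str,
               nonce: str, nc: str, cnonce: str, response: str) -> bool:
        ha1 = self._ha1_by_user.get((username, realm))
        if ha1 is None:
            return False
        expected = compute_response(ha1, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What the browser does: it has the password, derives HA1, then the response."""
    ha1 = compute_ha1(username, realm, password)
    return compute_response(ha1, method, uri, nonce, nc, cnonce)


def rfc2617_example_response() -> str:
    """Recompute the worked example from RFC 2617 section 3.5."""
    return client_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


def demo() -> dict:
    """Constructed scenario: realm as in the Tomcat doc, nonce/cnonce/uri made up."""
    store = DigestUserStore()
    user, realm, pw = "testUser", "localhost:8080", "testPassword"
    store.enroll(user, realm, pw)
    method, uri = "GET", "/api/items"
    nonce, nc, cnonce = "1f9c0b9ad3e4c2b7", "00000001", "9e4d7a10"

    good = client_response(user, realm, pw, method, uri, nonce, nc, cnonce)
    bad = client_response(user, realm, "wrongPassword", method, uri, nonce, nc, cnonce)

    # "Clear text password equivalent": whoever holds HA1 (e.g. after a DB leak)
    # answers the challenge without ever learning the password.
    stolen_ha1 = compute_ha1(user, realm, pw)
    from_ha1 = compute_response(stolen_ha1, method, uri, nonce, nc, cnonce)

    # Same user and password, different realm: different HA1, so the entry
    # enrolled for localhost:8080 is useless to a server with another realm.
    other = client_response(user, "api.example", pw, method, uri, nonce, nc, cnonce)

    return {
        "correct_password_accepted": store.verify(user, realm, method, uri, nonce, nc, cnonce, good),
        "wrong_password_rejected": not store.verify(user, realm, method, uri, nonce, nc, cnonce, bad),
        "stolen_ha1_accepted": store.verify(user, realm, method, uri, nonce, nc, cnonce, from_ha1),
        "other_realm_rejected": not store.verify(user, "api.example", method, uri, nonce, nc, cnonce, other),
        "ha1_differs_per_realm": compute_ha1(user, realm, pw) != compute_ha1(user, "api.example", pw),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    print("RFC 2617 example response:", rfc2617_example_response())
```

The store never receives a password after enrollment, so an existing table of bcrypt- or SHA-hashed passwords cannot be turned into HA1 values: HA1 can only be produced from the cleartext, which is why every quoted document asks for it at the moment the digest table is built. The flip side is that the HA1 table itself is as sensitive as a cleartext table for that realm, so it needs the same protection.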

+1  A: 

In this scenario, where you already have a database of hashed passwords, it's not possible to use digest authentication unless they were hashed using the same function.

I think the best solution for you here is to create a login page and use cookie sessions to control the privileges of the users. With this solution you get the answer to the other questions:

  • The cookie can be set to be used across subdomains: http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_attributes
  • The session is going to be valid until the users close the browser, the timeout expires or the users click the logoff button. Never forget to offer this option to your users!!!
Pedro Laguna