Sandro,

Sorry I just got around to reviewing the digest auth. code - I have been a bit busy with the text stuff lately, in case you hadn't noticed. :-)

In any case, I just checked in an update that consolidates HexUtils into the MD5 class. As I suspected, most of the methods in that class were not used anywhere else and were better suited to that class. You will notice that I added a TODO comment to the MD5 class asking why we comment out the synchronized initialization block. I am wondering how we know it is safe to do that.

More importantly, there are some design issues with DigestAuthentication itself. Specifically, in the authenticate() method, you attempt to execute the query. This is not correct. The authenticate() method is only meant to set the appropriate headers on the request itself - it is not allowed to execute the query. You must have already attempted to access the resource prior to calling authenticate().

See this example:

http://en.wikipedia.org/wiki/Digest_access_authentication

The initial GET should be performed by the application before authenticating the query. This will allow you to determine the type of authentication used to secure the resource. In this example, index.html is protected by digest authentication, as indicated by the value of the WWW-Authenticate response header. However, this header could also have indicated that the resource was protected by basic authentication. Examining the value of the WWW-Authenticate header allows your application to determine what type of authentication to use.

Once you know that digest authentication is required, your application should create an instance of DigestAuthentication and set the appropriate properties on it. These are the values returned with the initial server response: realm, qop, nonce, and opaque. DigestAuthentication should then use these values to determine how to set the value of the Authorization header on the query (username, realm, nonce, uri, qop, etc.). This is similar to how BasicAuthentication works - it is just a bit more involved.

I see that you have put a lot of work into this feature, and I hope that we can include it in Pivot 1.4. If you think that you can make the necessary changes within the next few weeks, we should be in pretty good shape. Otherwise, let's try to tackle it for 1.4.1 or later.

Thanks,
Greg
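The challenge/response flow Greg outlines above, as an added Python example (not Pivot code from the thread): it parses a `WWW-Authenticate: Digest` challenge into realm, qop, nonce and opaque, then builds the `Authorization` header value as RFC 2617 specifies for qop=auth. The challenge, user name, password and URI are the sample values from RFC 2617 section 3.5, constructed here for illustration.

```python
import hashlib
import re

# Constructed input: the RFC 2617 section 3.5 sample challenge, not a header from this thread.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

# key="quoted value" or key=token, comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_challenge(header):
    """Split 'Digest k="v", k2=v2' into a dict; reject any other scheme (e.g. Basic)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % scheme)
    return {k.lower(): quoted or token for k, quoted, token in _PARAM.findall(params)}

def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_authorization(challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Authorization header value for qop=auth (RFC 2617 3.2.2):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    if "auth" not in challenge.get("qop", "").split(","):
        raise ValueError("server did not offer qop=auth")
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    fields = [("username", username), ("realm", realm), ("nonce", nonce), ("uri", uri),
              ("qop", "auth"), ("nc", nc), ("cnonce", cnonce), ("response", response)]
    if "opaque" in challenge:            # opaque is echoed back to the server unchanged
        fields.append(("opaque", challenge["opaque"]))
    # nc and qop are bare tokens; every other parameter is a quoted string
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("nc", "qop") else f'{k}="{v}"' for k, v in fields)

if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    print(digest_authorization(ch, "Mufasa", "Circle Of Life",
                               "GET", "/dir/index.html", "0a4f113b"))
```

Note that `parse_challenge` also reads a client `Authorization` header, so a server can reuse it to pull out `response`, `nc` and `cnonce` and recompute the digest from its stored HA1.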
