On Sun, Oct 26, 2008 at 9:11 AM, Asiri Rathnayake < [email protected]> wrote:
> As I observed with DAVExplorer, the nonce is actually used throughout a session. Upon login, the server generates a nonce value as below:
>
>     nonce = MD5(client_ip, time_stamp, private_key); // source: [Adding Digest Access Authentication to a WebDAV Server <http://www.cs.columbia.edu/%7Ehgs/teaching/ais/1998/projects/WebDAV/report.h...>]
>
> and sends this to the client. The client in turn uses this nonce value when generating the RESPONSE hash in all following requests.
... Which is why you can have an external "HTTPS-accessible shadow-login program" invoked once per DAV session, to change Xwiki's password to the MD5Password computed from the nonce/session-key. In my previous email I called this DAV login service "davlogin" (e.g. https://.../davlogin?user=foo&md5pass=0x0123456789ABCDEF ).

Of course, this would have side-issues like making web-login to a user account in Xwiki difficult, since the password would be set to the last session's MD5Password. I guess you could have another program "davlogout" to restore the normal Xwiki password, and another table in the db to store the regular password. Yes, it's a hack.

The next question is: is there a way to accomplish the exact same thing in code, to achieve the same goal, but without the hack? For example, by adding a new special parameter to any DAV-originated request, to enable authentication based on a new MD5Password column in the database. The MD5Password would be used for authentication for any requests using the special parameter (e.g. '?dav=true'). Basically, the same code used currently that looks up the regular password in Xwiki should have a switch: if "?dav=true" is given, look up the MD5Password column, otherwise the regular password column. (A pretty simple and trivial/scopable change.)

Also needed: an external way of setting the user-associated entry in the new MD5Password column to the password for the current DAV session (akin to https://.../davlogin mentioned above). This new MD5Password db column represents the MD5Passwords for all active DAV sessions on a given wiki, while the rest of Xwiki continues to work the same with the old password mechanism, as long as you don't give the new parameter ?dav=true.

-- Niels
http://nielsmayer.com
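To make the Digest exchange discussed in this thread concrete, the following is an added example (not code from XWiki, DAVExplorer, or either poster) of what the client computes per request and what the server must hold to check it. It follows RFC 2617: HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), RESPONSE = MD5(HA1:nonce:nc:cnonce:qop:HA2). The nonce is built the way Asiri quoted it, MD5(client_ip, time_stamp, private_key). Names such as DigestVerifier, set_password, issue_nonce and the realm "xwiki" are assumptions for the example, the two-request DAV session and the private key are constructed, and the RFC 2617 section 3.5 vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life") is used to check the arithmetic.

```python
"""RFC 2617 HTTP Digest: per-request RESPONSE on the client, HA1-only
verification on the server. Added example; not XWiki code."""
import hashlib
import hmac
from typing import Dict, Optional


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string (Digest auth is defined over MD5)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the only password-derived
    value a Digest server needs to store; it does not involve the nonce."""
    return md5_hex(f"{username}:{realm}:{password}")


def make_nonce(client_ip: str, timestamp: int, private_key: str) -> str:
    """Nonce in the form quoted in the thread: MD5(client_ip, time_stamp, private_key)."""
    return md5_hex(f"{client_ip}:{timestamp}:{private_key}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> str:
    """RESPONSE = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop (RFC 2617), or the
    older MD5(HA1:nonce:HA2) form without qop (RFC 2069). HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> str:
    """What a DAV client computes for each request from its plaintext password."""
    return digest_response(ha1(username, realm, password), method, uri, nonce, qop, nc, cnonce)


class DigestVerifier:
    """Server side (assumed name). Keeps one HA1 per user, the role the
    'MD5Password' column in the thread would play, plus the nonces it issued
    and which client each went to. It never needs a plaintext password."""

    def __init__(self, realm: str, private_key: str) -> None:
        self.realm = realm
        self.private_key = private_key
        self.ha1_by_user: Dict[str, str] = {}
        self.nonce_owner: Dict[str, str] = {}  # nonce -> client_ip it was issued to

    def set_password(self, username: str, password: str) -> None:
        # Only the derived HA1 is retained; the plaintext is dropped here.
        self.ha1_by_user[username] = ha1(username, self.realm, password)

    def issue_nonce(self, client_ip: str, timestamp: int) -> str:
        nonce = make_nonce(client_ip, timestamp, self.private_key)
        self.nonce_owner[nonce] = client_ip
        return nonce

    def verify(self, username: str, client_ip: str, method: str, uri: str, nonce: str,
               response: str, qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> bool:
        # Reject nonces we never issued, or that were issued to a different client.
        if self.nonce_owner.get(nonce) != client_ip:
            return False
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, nonce, qop, nc, cnonce)
        # Constant-time compare: a wrong RESPONSE must not leak how wrong it is.
        return hmac.compare_digest(expected, response)


def session_demo() -> dict:
    """Constructed two-request DAV session: one nonce, two different RESPONSEs."""
    realm = "xwiki"                                             # assumed realm
    srv = DigestVerifier(realm, private_key="constructed-server-secret")
    srv.set_password("foo", "correct horse")
    nonce = srv.issue_nonce("10.0.0.5", 1225000000)             # constructed client/timestamp
    uri1, uri2 = "/xwiki/webdav/", "/xwiki/webdav/Main/WebHome"
    r1 = client_response("foo", realm, "correct horse", "PROPFIND", uri1, nonce, "auth", "00000001", "abc")
    r2 = client_response("foo", realm, "correct horse", "GET", uri2, nonce, "auth", "00000002", "abc")
    bad = client_response("foo", realm, "wrong", "GET", uri2, nonce, "auth", "00000002", "abc")
    return {
        "req1_ok": srv.verify("foo", "10.0.0.5", "PROPFIND", uri1, nonce, r1, "auth", "00000001", "abc"),
        "req2_ok": srv.verify("foo", "10.0.0.5", "GET", uri2, nonce, r2, "auth", "00000002", "abc"),
        "wrong_password": srv.verify("foo", "10.0.0.5", "GET", uri2, nonce, bad, "auth", "00000002", "abc"),
        "other_host_nonce": srv.verify("foo", "10.0.0.6", "GET", uri2, nonce, r2, "auth", "00000002", "abc"),
        "responses_differ": r1 != r2,
    }


if __name__ == "__main__":
    print(session_demo())
```

The point worth taking from the run: every request in the session carries a fresh RESPONSE (method, URI and nonce count all feed it), yet the server verifies all of them from one stored HA1 per user, so whatever a "DAV password" column holds, it has to be the MD5(user:realm:password) value, not something that changes per session. The `nonce_owner` check is the server-side counterpart of the client_ip that goes into the nonce in the scheme Asiri quoted.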