Hi Devs,
I have hit a wall trying to implement Digest Access Authentication for the
xwiki-webdav module. I'll try to be clear as much as possible.
*+ INTRO* : Digest Access Authentication is used to avoid the transmission
of clear text passwords over http for authenticating users. Instead of the
clear text password, the following hash (RESPONSE) is transferred to the
server by the client:
HA1 = MD5(username,password,realm)
HA2 = MD5(method,digestURI)
RESPONSE = MD5(HA1,nonce,HA2)
Here the 'nonce' is some weird string token generated by the server for that
particular client for a particular session. So the RESPONSE, instead of the
clear text password, is transferred to the server. For more specific
information about Digest Authentication, you may refer to [1].
*+ PROBLEM* : Simply put, the way xwiki handles authentication requires the
presentation of a clear text password by the client (which is not available
with Digest Authentication scheme). What we have with xwiki (on the server
side) is a crypted version of the original password.
One possible solution to overcome this limitation is to store the HA1 value
in our databases (is this possible?). This is one of the limitations of the
Digest Authentication scheme as mentioned in [1]:
*"There is an important problem with implementing Digest access
authentication. This is the requirement that either cleartext passwords or
the HA1 hashes must be known in order to perform client response validation"*
I would like to know what other developers have to say about this issue, and
possible workarounds ... [?]
Thanks.
- Asiri
[1] http://en.wikipedia.org/wiki/Digest_access_authentication
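The HA1/HA2/RESPONSE computation described in the mail, together with the proposed server-side workaround of keeping only HA1 (never the password), as an added example that is not part of the original post or of xwiki-webdav. It follows the RFC 2617 field order (username:realm:password) and supports both the legacy form quoted above and the qop="auth" form; the single-use nonce set and the `DigestVerifier` class are my own illustration, not XWiki code.

```python
"""Digest Access Authentication (RFC 2617) verified from a stored HA1 only."""
import hashlib
import secrets
from typing import Optional


def _md5(*parts: str) -> str:
    # Digest concatenates its fields with ':' before hashing.
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return _md5(username, realm, password)


def ha2(method: str, digest_uri: str) -> str:
    return _md5(method, digest_uri)


def digest_response(h1: str, nonce: str, h2: str, nc: Optional[str] = None,
                    cnonce: Optional[str] = None, qop: Optional[str] = None) -> str:
    if qop is None:                                  # legacy (RFC 2069) form
        return _md5(h1, nonce, h2)
    return _md5(h1, nonce, nc, cnonce, qop, h2)      # qop="auth" form


class DigestVerifier:
    """Server side: keeps HA1 per username for one realm; the password is never stored."""

    def __init__(self, realm: str):
        self.realm = realm
        self._ha1 = {}        # username -> HA1 hex (what the mail proposes storing)
        self._nonces = set()  # nonces issued by the server and not yet used

    def enroll(self, username: str, password: str) -> None:
        self._ha1[username] = ha1(username, self.realm, password)

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str, response: str,
               nc: Optional[str] = None, cnonce: Optional[str] = None,
               qop: Optional[str] = None) -> bool:
        stored = self._ha1.get(username)
        if stored is None or nonce not in self._nonces:
            return False                 # unknown user, or nonce not issued / already used
        self._nonces.discard(nonce)      # single use: a captured RESPONSE cannot be replayed
        expected = digest_response(stored, nonce, ha2(method, uri), nc, cnonce, qop)
        return secrets.compare_digest(expected, response)
```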