[xwiki-devs] Digest Authentication & XWiki

Hi Devs, I have hit a wall trying to implement Digest Access Authentication for the xwiki-webdav module. I'll try to be clear as much as possible. *+ INTRO* : Digest Access Authentication is used to avoid the transmission of clear text passwords over http for authenticating users. Instead of the clear text password, following hash (RESPONSE) will be transferred to the server by client, HA1 = MD5(username,password,realm) HA2 = MD5(method,digestURI) RESPONSE = MD5(HA1,nonce,HA2) Here the 'nonce' is some weird string token generated by the server for that particular client for a particular session. So the RESPONSE instead of the clear text password will be transferred to the server. For more specific information about Digest Authentication, you may refer [1]. *+ PROBLEM* : Simply put, the way xwiki handles authentication requires the presentation of a clear text password by the client (which is not available with Digest Authentication scheme). What we have with xwiki (on the server side) is a crypted version of the original password. One possible solution to overcome this limitation is to store the HA1 value in our databases (is this possible ?). This is one of the limitations of Digest Authentication scheme as mentioned in [1] : *"There is an important problem with implementing Digest access authentication. This is the requirement that either cleartext passwords or the HA1 hashes must be known in order to perform client response validation" * I would like to know what other developers have to say about this issue, and possible workarounds ... [?] Thanks. - Asiri [1] http://en.wikipedia.org/wiki/Digest_access_authentication