Apache – HTTP Digest Authentication

Tags: apache, authentication, digest, http, security

I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way.

As far as I understand, I could not use a table with hashed passwords. It is only possible to store HA1 = MD5(username:realm:password), for which a clear text password is required – correct?

On the other hand it seems to be possible to use hashed passwords with Apache httpd:

Apache httpd doc says:

The first column value of the first row returned by the query statement should be a string containing the encrypted password.

Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?

RFC 2617 says:

4.13 Storing passwords

Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's name and password in a "password file" associated with a given realm. Normally this might contain pairs consisting of username and H(A1), where H(A1) is the digested value of the username, realm, and password as described above.

It sounds like the password has to be clear text.

The Servlet 3.0 spec says:

Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.

What is the "clear text password equivalent" here? The password hash?

Tomcat documentation says:

If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.

Here a clear text password is required.

So, can HTTP Digest authentication be used with already encrypted passwords, or do the passwords have to be clear text?

Must the user re-enter his credentials if he requests a page from a different subdomain?

Does the browser delete the cached password when the tab is closed or only when the whole browser is closed? Maybe this differs from browser to browser – I'd be interested in which browsers delete it and which keep it.

The overall question is whether digest authentication is suitable for my scenario with a central user db with already encrypted passwords. Or should I rather use a session-based single sign-on service?

Best Answer

In this scenario, where you already have a database of hashed passwords, it's not possible to use digest authentication unless they were hashed using the same function.

I think the best solution for you here is to create a login page and use cookie sessions to control the privileges of the users. With this solution you get the answers to the other questions:

  • The cookie can be set to be used between subdomains: http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_attributes
  • The session is going to be valid until the users close the browser, the timeout expires, or the users click the logoff button. Never forget to offer this option to your users!!!
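An added example (not part of the question or the answer above) that works through the RFC 2617 arithmetic the question quotes: the server keeps only HA1 = MD5(username:realm:password) and can still verify a browser's Digest response, while an existing password hash of a different shape (here an unsalted SHA-256, a constructed stand-in for the "already encrypted" column) cannot be used in its place. It assumes a qop=auth exchange and constructed nonce values; the username, realm and password are the ones from the Tomcat documentation quoted in the question.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This, not the password, is what
    the server's 'password file' (RFC 2617 section 4.13) needs to hold."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored HA1 only.
    No clear text password is needed at verification time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Values from the Tomcat doc quoted in the question; nonces are constructed.
    user, realm, password = "testUser", "localhost:8080", "testPassword"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    method, uri = "GET", "/api/items"

    ha1_in_db = make_ha1(user, realm, password)  # stored once, at enrolment
    # The browser knows the password, derives HA1 itself and answers the challenge.
    response = digest_response(make_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    ok = server_verify(ha1_in_db, method, uri, nonce, nc, cnonce, response)

    # A pre-existing hash of a different shape (constructed stand-in for the
    # 'already encrypted' column) is not HA1, so verification must fail.
    legacy_hash = hashlib.sha256(password.encode("utf-8")).hexdigest()
    bad = server_verify(legacy_hash, method, uri, nonce, nc, cnonce, response)
    return {"ha1": ha1_in_db, "verified_with_ha1": ok, "verified_with_legacy_hash": bad}
```

Because HA1 is bound to the realm string, the same user needs a separate HA1 per realm, which is the practical reason a central store cannot serve Apache httpd and Tomcat unless both are configured with exactly the same realm.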