Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTTP Digest with hashed stored password

Tags:

http

security

tomcat

spring-security

i m using HTTP Digest to connect to my Spring application, using the Spring DigestAuthenticationFilter. The application is using Tomcat 7. It works fine with plaintext password (in the database)

My problem is : i want to store the hashed passwords (with a salt if possible), and not in plaintext. But if i understood well, HTTP Digest requires the password to be in plaintext.

Is there a way to change this in Spring Security ?

like image 875
guigui42 Avatar asked Jun 05 '11 23:06

guigui42

People also ask

How does HTTP digest authentication work?

Digest authentication is another authentication type specified in HTTP 1.1. Unlike basic authentication, digest authentication does not require the password to be transmitted. Rather, the client takes the username and password and uses the MD5 hashing algorithm to create a hash, which is then sent to the SQL Server.

Is HTTP Digest secure?

HTTP digest authentication is designed to be more secure than traditional digest authentication schemes, for example "significantly stronger than (e.g.) CRAM-MD5 ..." (RFC 2617). Some of the security strengths of HTTP digest authentication are: The password is not sent clear to the server.

What is the difference between basic and digest authentication?

Digest Authentication communicates credentials in an encrypted form by applying a hash function to: the username, the password, a server supplied nonce value, the HTTP method and the requested URI. Whereas Basic Authentication uses non-encrypted base64 encoding.

Which mechanism can be used to secure basic HTTP or HTTP Digest authentications?

BasicAuthenticationFilter is responsible for processing basic authentication credentials presented in HTTP headers. This can be used for authenticating calls made by Spring remoting protocols (such as Hessian and Burlap), as well as normal browser user agents (such as Firefox and Internet Explorer).

1 Answers

i want to store the hashed passwords (with a salt if possible), and not in plaintext. But if i understood well, HTTP Digest requires the password to be in plaintext.

Is there a way to change this in Spring Security ?

No, this is not changeable, atleast at the time of writing this. The Spring Security documentation on Digest Authentication states the following, where is it quite evident that the passwords have to be in clear text.

The configured UserDetailsService is needed because DigestProcessingFilter must have direct access to the clear text password of a user. Digest Authentication will NOT work if you are using encoded passwords in your DAO.

like image 177
Vineet Reynolds Avatar answered Oct 07 '22 11:10

Vineet Reynolds
Sign in to Comment

Related questions

Send email in secure way
Is it possible to implement user based security on Azure Search?
What's the most reliable way to detect if the user is logging in from a different device than usual?
Where is kSecAttrTokenIDSecureEnclave documented?
How to prevent Cross-site request forgery (CSRF) effectively in PHP
How to force third party service respect the security?
HTTP Slow Post and IIS settings to prevent
Which specific packages are sealed when sealing a .jar?
Questions about the new Google policy (security metadata)
Where should a SPA keep a OAuth 2.0 access token?
What's the best way of cleaning up after a SQL Injection?
JKS protection
'UnauthorizedAccessException' - 'Global\.net clr networking'
Securing Elmah RSS Feeds in ASP.NET website
What are the possible attack vectors for reflected cross site scripting?
Get height of iframe with external URL
Is there a security risk running web apps in debug="true"?
How can I design a secure API/Authentication for mobile apps to access a service?
Confused about OpenSSL non-blocking I/O
Is it safe to store username + passwords in a local SQLite db in Android?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!