
HTTP Digest with hashed stored password

I'm using HTTP Digest to connect to my Spring application, using the Spring DigestAuthenticationFilter. The application is using Tomcat 7. It works fine with a plaintext password (in the database).

My problem is: I want to store the hashed passwords (with a salt if possible), and not in plaintext. But if I understood well, HTTP Digest requires the password to be in plaintext.

Is there a way to change this in Spring Security?

guigui42 asked Jun 05 '11 23:06




1 Answer

I want to store the hashed passwords (with a salt if possible), and not in plaintext. But if I understood well, HTTP Digest requires the password to be in plaintext.

Is there a way to change this in Spring Security?

No, this is not changeable, at least at the time of writing this. The Spring Security documentation on Digest Authentication states the following, where it is quite evident that the passwords have to be in clear text.

The configured UserDetailsService is needed because DigestProcessingFilter must have direct access to the clear text password of a user. Digest Authentication will NOT work if you are using encoded passwords in your DAO.

Vineet Reynolds answered Oct 07 '22 11:10
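The reason the server needs the clear-text password is visible in the RFC 2617 arithmetic itself, and so is the one storage form that does work. The added example below is not code from the question, the answer or Spring Security; it re-implements the Digest computation in plain Python, using the test vector from RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") so the expected values are checkable against the RFC. It shows the client's response, a server verifying from a stored clear-text password (Spring's default), a server verifying from a stored H(A1) = MD5(username:realm:password), which RFC 2617 explicitly permits the server to keep instead of the password, and the caveat that comes with that: H(A1) is a credential-equivalent for the realm. A salted SHA-256 or bcrypt hash cannot be used at all, because nothing in the exchange lets the server turn it back into H(A1); the function names and the stolen-database scenario are constructed for illustration.

```python
"""HTTP Digest (RFC 2617, qop=auth): what the server must hold to verify a response.

Added example, not code from the original Q&A or from Spring Security.
Test vector values are from RFC 2617 section 3.5; everything else is constructed.
"""
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password). The realm is the only 'salt', and it is public."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """The 'response' field of the Authorization header (qop=auth variant)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# RFC 2617 section 3.5 example challenge and client parameters.
RFC_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html",
    method="GET", qop="auth", nc="00000001", cnonce="0a4f113b",
)


def _response_for(ha1: str, p: dict) -> str:
    return digest_response(ha1, p["method"], p["uri"], p["nonce"],
                           p["nc"], p["cnonce"], p["qop"])


def client_side(p: dict) -> str:
    """What the browser computes from the typed password plus the server's challenge.
    The password itself never leaves the client; only this MD5 chain does."""
    return _response_for(digest_ha1(p["username"], p["realm"], p["password"]), p)


def server_verify_from_ha1(stored_ha1: str, p: dict, response: str) -> bool:
    """Server storing H(A1) instead of the password (RFC 2617 allows this).
    It can still finish the computation because only H(A1) enters the response."""
    return hmac.compare_digest(_response_for(stored_ha1, p), response)


def server_verify_from_plaintext(stored_password: str, p: dict, response: str) -> bool:
    """Server storing the clear-text password (what the Spring docs quoted above require):
    it recomputes H(A1) on every request, then proceeds as above."""
    ha1 = digest_ha1(p["username"], p["realm"], stored_password)
    return server_verify_from_ha1(ha1, p, response)


def forge_with_stolen_ha1(stolen_ha1: str, p: dict) -> str:
    """Caveat: H(A1) is a password-equivalent for its realm. Anyone who reads the
    users table can answer any challenge for that realm without knowing the password.
    (Constructed attacker scenario; p carries the live challenge the attacker received.)"""
    return _response_for(stolen_ha1, p)


# A conventional salted hash such as SHA-256(salt || password) gives the server nothing
# usable: H(A1) needs the password string itself, and the client never sends it. There
# is no function from (salt, hash, nonce, response) to a verdict, which is why Digest
# "will NOT work if you are using encoded passwords" in the usual sense.

if __name__ == "__main__":
    resp = client_side(RFC_EXAMPLE)
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("client response        :", resp)
    print("verify from plaintext  :", server_verify_from_plaintext("Circle Of Life", RFC_EXAMPLE, resp))
    print("verify from stored HA1 :", server_verify_from_ha1(ha1, RFC_EXAMPLE, resp))
    print("wrong stored password  :", server_verify_from_plaintext("wrong", RFC_EXAMPLE, resp))
    print("forged with stolen HA1 :", forge_with_stolen_ha1(ha1, RFC_EXAMPLE) == resp)
```

Storing H(A1) is the only middle ground the protocol offers: it keeps the raw password out of the database, but it is unsalted MD5 bound to one realm and it is fully replayable by anyone who obtains it, so the database row must be protected as if it were the password. Spring Security's DigestAuthenticationFilter has a passwordAlreadyEncoded property for exactly this H(A1) form; check the reference documentation for the version you run before relying on it. A salted, slow hash (bcrypt, PBKDF2, scrypt) is only possible if the client sends the password, which means a different scheme (Basic or form login over TLS) rather than Digest.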