HTTP 摘要式身份验证

发布于 2024-08-18 15:02:39 字数 1669 浏览 11 评论 0原文

我想将 HTTP 摘要身份验证与存储用户名和加密密码的中央数据库结合使用。这些数据应该由不同的服务器使用，例如 Apache httpd 或 Tomcat。客户端将是使用浏览器和其他应用程序以 RESTful 方式进行通信的人类。

据我了解，我无法使用带有哈希密码的表。只能在明确的位置存储 HA1 = MD5(username:realm:password)需要文本密码 - 正确吗？

另一方面，似乎可以在 Apache httpd 中使用哈希密码：

Apache httpd文档说：

第一个的第一列值查询语句返回的行应该是一个包含加密密码。

它可以与摘要身份验证一起使用吗？没有参数来指定哈希算法。 Apache httpd 如何决定使用哪种算法？

RFC 2617 说：

4.13 存储密码
摘要式身份验证要求验证代理（通常服务器）存储一些派生的数据从用户名和密码在与关联的“密码文件”中给定境界。通常这可能包含由用户名组成的对和 H(A1)，其中 H(A1) 是用户名、领域的消化值，和密码如上所述。

听起来密码必须是明文。

Servlet 3.0 规范说：

虽然密码没有发送到有线、HTTP 摘要式身份验证需要明文密码等价物可用于验证容器，以便它可以验证收到的验证器通过计算预期摘要。

这里的“等效明文密码”是什么？密码哈希？

Tomcat 文档说：

如果使用摘要密码 DIGEST 身份验证，明文用于生成摘要的是不同的。在上面的例子中必须替换 {cleartext-password} 和 {用户名}：{领域}：{明文密码}。例如，在一个开发中环境这可能采取以下形式 testUser:localhost:8080:testPassword。

这里需要一个明文密码。

那么，HTTP Digest 身份验证是否可以与已加密的密码一起使用，还是可以将密码设置为明文？

如果用户从不同的子域请求页面，是否必须重新输入其凭据？

浏览器是在选项卡关闭时删除缓存的密码还是仅在整个关闭时删除？也许这因浏览器而异 - 我感兴趣的是哪个浏览器删除它以及哪个浏览器保留它。

总体问题是，摘要身份验证是否适合我的使用已加密密码的中央用户数据库的场景。或者我应该更好地使用基于会话的单点登录服务？

原文

I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way.

As far as I understand I could not use a table with hashed passwords. It is only possibly to store HA1 = MD5(username:realm:password) where a clear text password is required - correct?

On the other hand it seems to be possible to use hashed passwords with Apache httpd:

Apache httpd doc says:

The first column value of the first
row returned by the query statement
should be a string containing the
encrypted password.

Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?

RFC 2617 says:

4.13 Storing passwords
Digest authentication requires that
the authenticating agent (usually
the server) store some data derived
from the user's name and password
in a "password file" associated with a
given realm. Normally this might
contain pairs consisting of username
and H(A1), where H(A1) is the
digested value of the username, realm,
and password as described above.

It sounds like the password has to be clear text.

The Servlet 3.0 spec says:

Although passwords are not sent on the
wire, HTTP Digest authentication
requires that clear text password
equivalents be avaialble to the
authenticating container so that it
can validate received authenticators
by calculating the expected digest.

What is the "clear text password equivalent" here? The password hash?

Tomcat documentation says:

If using digested passwords with
DIGEST authentication, the cleartext
used to generate the digest is
different. In the examples above
{cleartext-password} must be replaced
with
{username}:{realm}:{cleartext-password}.
For example, in a development
environment this might take the form
testUser:localhost:8080:testPassword.

Here is a clear text password required.

So, can HTTP Digest authentication be used with already encrypted passwords or have the passwords to be clear text?

Must the user re-enter his credentials if he requests a page from a different subdomain?

Does the browser delete the cached password when the tab is closed or only when the whole is closed? Maybe this differs from browser to browser - I'd be interested in which browser delete it and which keep it.

The overall question is, whether digest authentication is suitable for my scenario with a central user db with already encrypted passwords. Or should I better use session based single sign on service?

分享到QQ

分享到微博