Re: Message Digest Authentication

Doug MacEachern (dougm@osf.org)
Tue, 12 Mar 1996 10:38:25 -0500


At 03:55 PM 3/12/96 +0100, Gisle Aas wrote:
>In message <199603102039.PAA19634@mailbox.osf.org>, Doug MacEachern writes:
>> Here's two patches for LWP::UserAgent and lwp-request to support message
>> digest authentication.  The patches are against the latest b9 release.   
>> It is based on NCSA's implementation and the Digest Access Authentication
>> internet-draft.  It requires Neil Winston's MD5 module version 1.4, there's
>> a new release too (1.5.1), but I haven't looked at it yet.  It doesn't check
>> for the optional 'Digest-MessageDigest' header from the server.  But, as far
>> as I know, NCSA is the only server that supports digest auth, and it doesn't
>> seem to send it, so I think it can wait.  It could also use some code so
>> it's smart enough to send Authorization if it has it for the current netloc,
>> realm and uri, before the server sends a 401.
>
>Cool, thanks.
>
>I have adopted your patches, but I made it obtain its credentials by
>calling get_basic_credentials().   Do you think there are any good
>reasons to have a separate method for this?

What I intended to do was have digest_credentials store 'nextnonce' along
with username and password, and then have get_digest_credentials return
username, password, and nextnonce.  I suppose there doesn't need to be a
separate method for fetching just the username and password, we could just
add some sort of 'nextnonce' method.  Anyway, this can wait.  NCSA doesn't
send a Digest-MessageDigest header with nextnonce, and if it or other
servers did, we'd just be forced to re-authenticate.  Which, currently
happens no matter what, we really should find the right place for sending
Authorization when we have it for a netloc, realm, and url, before the server
sends a 401.  

Thanks for adopting the patches, I've always thought of 'Basic
Authentication' as 'Possible Identification', with digest auth, there's a
much better chance that people are who they say they are.   

If anyone is interested, I recently put HTTPD-Tools-0.51 on CPAN, with
support for adding users to digest auth databases.  This too, requires
Neil's MD5 module.

>
>It runs perfectly with MD-1.5.1 too.
Great!

Regards,
-Doug

>
>Regards,
>Gisle
>
>
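
The idea discussed in this message, sending Authorization before the server issues a 401 and refreshing the stored nonce from a nextnonce, sketched as an added example; it is not part of the original message and is not LWP's code. It assumes the response calculation later published in RFC 2069 (no qop or cnonce), uses the modern Digest::MD5 module in place of the MD5 module named above, and all helper names, the URI-prefix match and the sample values are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);  # assumption: stands in for the 1996 MD5 module

my %cache;  # hypothetical store: netloc -> realm -> credentials and current nonce

# Record credentials after a successful 401 round trip (constructed helper).
sub remember {
    my ($netloc, $realm, $prefix, $user, $pass, $nonce) = @_;
    $cache{$netloc}{$realm} =
        { prefix => $prefix, user => $user, pass => $pass, nonce => $nonce };
}

# Replace the stored nonce when the server hands out a nextnonce.
sub update_nonce {
    my ($netloc, $realm, $nextnonce) = @_;
    my $c = $cache{$netloc} && $cache{$netloc}{$realm} or return 0;
    $c->{nonce} = $nextnonce;
    return 1;
}

# Response without qop/cnonce: MD5(MD5(user:realm:pass):nonce:MD5(method:uri)).
sub digest_response {
    my ($user, $realm, $pass, $nonce, $method, $uri) = @_;
    my $ha1 = md5_hex(join ':', $user, $realm, $pass);
    my $ha2 = md5_hex(join ':', $method, $uri);
    return md5_hex(join ':', $ha1, $nonce, $ha2);
}

# Build Authorization before any 401 if the cache covers this netloc and URI.
sub preemptive_authorization {
    my ($netloc, $method, $uri) = @_;
    my $realms = $cache{$netloc} or return;
    for my $realm (sort keys %$realms) {
        my $c = $realms->{$realm};
        next unless index($uri, $c->{prefix}) == 0;  # URI outside the cached prefix
        my $resp = digest_response($c->{user}, $realm, $c->{pass}, $c->{nonce}, $method, $uri);
        return sprintf 'Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"',
            $c->{user}, $realm, $c->{nonce}, $uri, $resp;
    }
    return;  # nothing cached: send the request bare and wait for the 401
}

# Constructed sample values, for illustration only.
my @site = ('www.example.com:80', 'testrealm@example.com');
remember(@site, '/private/', 'alice', 'secret', 'nonce-0001');
print preemptive_authorization($site[0], 'GET', '/private/report.html'), "\n";
update_nonce(@site, 'nonce-0002');  # response changes with the new nonce
print preemptive_authorization($site[0], 'GET', '/private/report.html'), "\n";
my $h = preemptive_authorization($site[0], 'GET', '/public/index.html');
print defined $h ? "$h\n" : "no cached credentials for this URI\n";
```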