Implement HTTP Digest Access Authentication #2089
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
pratt4 reviewed May 12, 2025
| if (end == -1) return null; | ||
| return headerLine.substring(start, end); | ||
| } | ||
| private void newCnonce(MessageDigest md) { | ||
| byte[] b = new byte[8]; | ||
| ThreadLocalRandom.current().nextBytes(b); | ||
| b = md.digest(b); |
There was a problem hiding this comment.
MD5 =16 bytes; SHA-256 = 32 bytes;
rfc7616 doesn’t forbid long nonces... but wont the headers that big can be unwieldy, especially if you’re proxying or logging??
pratt4 reviewed May 12, 2025
| return MessageDigestUtils.pooledMd5MessageDigest(); | ||
| } else if ("SHA-256".equalsIgnoreCase(algorithm) || "SHA-256-sess".equalsIgnoreCase(algorithm)) { | ||
| return MessageDigestUtils.pooledSha256MessageDigest(); | ||
| } else if ("SHA-512-256".equalsIgnoreCase(algorithm) || "SHA-512-256-sess".equalsIgnoreCase(algorithm)) { |
There was a problem hiding this comment.
will it handle "SHA-512/256" ??
some server might send with / 's
and even "SHA-512/256" is mentioned in standard names docs... https://docs.oracle.com/en/java/javase/12/docs/specs/security/standard-names.html
| } | ||
| private static byte[] md5FromRecycledStringBuilder(StringBuilder sb, MessageDigest md) { | ||
| private static byte[] digestFromRecycledStringBuilder(StringBuilder sb, MessageDigest md) { | ||
| md.update(StringUtils.charSequence2ByteBuffer(sb, ISO_8859_1)); |
| md.update(StringUtils.charSequence2ByteBuffer(sb, ISO_8859_1)); | ||
| sb.setLength(0); | ||
| return md.digest(); | ||
| } | ||
| private static MessageDigest getDigestInstance(String algorithm) { |
There was a problem hiding this comment.
if the server sends multiple algos (eg: md5, sha256..eg)
then public Builder parseWWWAuthenticateHeader(String headerLine) --- can pick the first algo (here m5 can be chosen even if sha256 is present )
it should choose the algo based on strength right??
Sign up for free to join this conversation on . Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
RFC 7616 - HTTP Digest Access Authentication
Closes #2068