Digest Authentication (Sun Java System Web Server 6.1 SP11 Administrator's Guide)

Sun Java System Web Server 6.1 SP11 Administrator's Guide

Digest Authentication

The Sun Java System Web Server 6.1 can be configured to perform digest authentication using either an LDAP-based or a file-based directory service.

Digest authentication allows the user to verify identity based on username and password without sending the username and password as cleartext. The browser uses the MD5 algorithm to create a digest value using the user’s password and some information provided by the Web Server.

When the server uses an LDAP-based directory service to perform digest authentication, this value is also computed on the server using the Digest Authentication plug-in, and is there compared against the digest value provided by the client. If the digest values match, the user is authenticated. In order for this process to work, the directory server needs access to the user’s password in cleartext. The Sun Java System Directory Server includes a reversible password plug-in using a symmetric encryption algorithm to store data in an encrypted form, that can later be decrypted to its original form. Only the Directory Server holds the key to the data.

For LDAP-based digest authentication, you need to enable the reversible password plug-in and the digestauth-specific plug-in included with Sun Java System Web Server 6.1. To configure the web server to process digest authentication, set the digestauth property of the database definition in dbswitch.conf.

The server tries to authenticate against the LDAP database based upon the ACL method specified, as shown in Digest Authentication. If you do not specify an ACL method, the server will use either digest or basic when authentication is required, or basic if authentication is not required. This is the preferred method.

Table 9–1 Digest Authentication Challenge Generation


ACL Method	Digest Authentication Supported by Authentication Database	Digest Authentication Not Supported by Authentication Database
“default” none specified	digest and basic	basic
“basic”	basic	basic
“digest”	digest	ERROR

When processing an ACL with method = digest, the server attempts to authenticate by:

Checking for Authorization request header. If not found, a 401 response is generated with a Digest challenge, and the process ends.
Checking for Authorization type. If Authentication type is Digest then:
- Checks nonce. If not valid, fresh nonce generated by this server, generates a 401 response, and the process stops. If stale, generates 401 response with stale=true, and the process stops.
  
  You can configure the time the nonce remains fresh by changing the value of the parameter DigestStaleTimeout in the magnus.conf file, located in server_root/https-server_name/config/. To set the value, add the following line to magnus.conf:
  
  DigestStaleTimeout seconds
  
  where seconds represents the number of seconds the nonce will remain fresh. After the specified seconds elapse, the nonce expires and new authentication is required from the user.
- Checks realm. If it does not match, generates 401 response, and process stops.
- verifies the existence of user in the LDAP directory if the authentication directory is LDAP-based, or verifies the existence of user in file database if the authentication directory is file-based. If not found, generates 401 response, and the process stops.
- Gets request-digest value from directory server or file database and checks for a match to client’s request-digest. If not, generates 401 response, and process stops.
- Constructs Authorization-Info header and inserts it into server headers.