The server can be configured to perform digest authentication using either an LDAP-based or a file-based directory service.
Digest authentication allows the user to authenticate with a username and password without sending either as cleartext. The browser uses the MD5 algorithm to create a digest value from the user’s password and information provided by the web server, including the realm and a server-generated nonce.
When the server uses an LDAP-based directory service to perform digest authentication, the same digest value is computed on the server side by the Digest Authentication plug-in and compared against the digest value provided by the client. If the digest values match, the user is authenticated. For this to work, your directory server needs access to the user’s password in cleartext. Sun Java System Directory Server includes a reversible password plug-in that uses a symmetric encryption algorithm to store the password in encrypted form, so that it can later be decrypted to its original value. Only the Directory Server holds the key to that data.
For LDAP-based digest authentication, you need to enable the reversible password plug-in and the digestauth-specific plug-in included with the server. To configure your web server to process digest authentication, set the digestauth property of the database definition in dbswitch.conf.
If you do not specify an ACL method, the server will use either digest or basic when authentication is required, or basic if authentication is not required. This is the preferred method.
Table 7–1 Digest Authentication Challenge Generation

| ACL Method | Digest Authentication Supported by Authentication Database | Digest Authentication Not Supported by Authentication Database |
|---|---|---|
| “default” (none specified) | digest and basic | basic |
| “basic” | basic | basic |
| “digest” | digest | ERROR |
When processing an ACL with method = digest, the server attempts to authenticate by:

1. Checking for the Authorization request header. If it is not found, a 401 response is generated with a Digest challenge, and the process stops.
2. Checking the Authorization type. If the authentication type is Digest, the server then:
   1. Checks the nonce. If it is not a valid, fresh nonce generated by this server, the server generates a 401 response, and the process stops. If the nonce is stale, the server generates a 401 response with stale=true, and the process stops.

      You can configure how long the nonce remains fresh by changing the value of the parameter DigestStaleTimeout in the magnus.conf file, located in server_root/https-server_name/config/. To set the value, add the following line to magnus.conf:

          DigestStaleTimeout seconds

      where seconds is the number of seconds the nonce remains fresh. After that many seconds elapse, the nonce expires and the user must authenticate again.
   2. Checks the realm. If it does not match, the server generates a 401 response, and the process stops.
   3. Checks that the user exists in the LDAP directory if the authentication directory is LDAP-based, or in the file database if the authentication directory is file-based. If the user is not found, the server generates a 401 response, and the process stops.
   4. Gets the request-digest value from the directory server or file database and checks it against the client’s request-digest. If they do not match, the server generates a 401 response, and the process stops.
   5. Constructs the Authorization-Info header and inserts it into the server headers.
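The following is an added example, not code from the Web Server or the Directory Server, that walks through the digest mechanism described above and the server-side check sequence in the order the steps list it: missing header, non-Digest scheme, nonce validity and staleness, realm, user existence, digest comparison, and finally the response header (which RFC 2617 names Authentication-Info). It uses the RFC 2617 MD5 construction with qop=auth. The user store, realm, nonce format (timestamp plus an HMAC under a per-server key) and the 120-second timeout standing in for DigestStaleTimeout are all constructed assumptions; the real server reads the nonce lifetime from magnus.conf and the password from LDAP or the file database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store standing in for the LDAP or file-based
# authentication database. Digest verification needs the cleartext password
# (or the precomputed HA1), which is why the reversible password plug-in exists.
USERS = {"alice": "s3cret"}
REALM = "example-realm"                 # constructed realm name
SERVER_KEY = secrets.token_bytes(32)    # assumption: per-server nonce MAC key
DIGEST_STALE_TIMEOUT = 120              # seconds; plays the role of DigestStaleTimeout


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()   # MD5 is what RFC 2617 digest uses


def make_nonce(now=None) -> str:
    """Nonce = issue timestamp plus an HMAC so only this server can mint one."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{mac}"


def check_nonce(nonce: str, now=None) -> str:
    """Return 'ok', 'stale' (issued by us but older than the timeout) or 'invalid'."""
    ts, sep, mac = nonce.partition(":")
    if not sep or not ts.isdigit():
        return "invalid"
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return "invalid"
    age = (time.time() if now is None else now) - int(ts)
    return "stale" if age > DIGEST_STALE_TIMEOUT else "ok"


def parse_authorization(header: str):
    """Split 'Digest k="v", k2=v2' into (scheme, {k: v}); tolerant of bare values."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        key, eq, val = part.strip().partition("=")
        if eq:
            params[key.strip()] = val.strip().strip('"')
    return scheme, params


def request_digest(username, password, realm, method, uri, nonce, nc, cnonce) -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(username, password, method, uri, nonce,
                         realm=REALM, nc="00000001", cnonce="0a4f113b") -> str:
    """What a browser sends back after receiving the Digest challenge."""
    resp = request_digest(username, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def authenticate(method: str, uri: str, authorization, now=None):
    """Server-side check in the order the text lists. Returns (status, headers)."""
    challenge = f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce(now)}"'

    def deny(extra=""):
        return 401, {"WWW-Authenticate": challenge + extra}

    if authorization is None:                     # 1. no Authorization header
        return deny()
    scheme, p = parse_authorization(authorization)
    if scheme != "Digest":                        # 2. not a Digest credential
        return deny()
    state = check_nonce(p.get("nonce", ""), now)  # 3. nonce valid and fresh?
    if state == "invalid":
        return deny()
    if state == "stale":
        return deny(", stale=true")
    if p.get("realm") != REALM:                   # 4. realm must match ours
        return deny()
    password = USERS.get(p.get("username", ""))   # 5. user must exist
    if password is None:
        return deny()
    expected = request_digest(p["username"], password, REALM, method,
                              p.get("uri", uri), p["nonce"],
                              p.get("nc", ""), p.get("cnonce", ""))
    if not hmac.compare_digest(expected, p.get("response", "")):  # 6. digest match
        return deny()
    # 7. Authentication-Info: rspauth proves the server also knows the secret
    ha1 = _md5(f"{p['username']}:{REALM}:{password}")
    ha2 = _md5(f":{p.get('uri', uri)}")           # rspauth uses an empty method
    rspauth = _md5(f"{ha1}:{p['nonce']}:{p.get('nc', '')}:{p.get('cnonce', '')}:auth:{ha2}")
    return 200, {"Authentication-Info":
                 f'qop=auth, rspauth="{rspauth}", cnonce="{p.get("cnonce", "")}", nc={p.get("nc", "")}'}
```

Passing `now` explicitly to `make_nonce` and `authenticate` makes the freshness check reproducible: a nonce issued at time 1000 is accepted at 1000 and rejected with stale=true at 1121, which is the behaviour a browser relies on to retry silently with a fresh nonce rather than prompting the user again.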