
HTTP Digest authentication?

  • Sam Ruby
    Message 1 of 5 , Apr 10 9:09 AM
      Apparently MapPoint.Net requires this. How many clients are capable of
      handling this? Is this something we should be testing for?

      Thanks to Matt Griffith for pointing this out. More details at his weblog:
      http://radio.weblogs.com/0105919/2002/04/09.html

      - Sam Ruby
    • Simon Fell
      Message 2 of 5 , Apr 10 9:57 PM
        On Wed, 10 Apr 2002 12:09:19 -0400, in soap you wrote:

        >Apparently MapPoint.Net requires this. How many clients are capable of
        >handling this? Is this something we should be testing for?
        >
        >Thanks to Matt Griffith for pointing this out. More details at his weblog:
        >http://radio.weblogs.com/0105919/2002/04/09.html
        >
        >- Sam Ruby

        IMHO, Authentication is one of Web Services' biggest problems today
        (I've said this many times, now, this shouldn't come as a shock to
        anyone!). There seem to be 3 different approaches in use:

        i) transport level authentication, HTTP basic auth, HTTP digest, NTLM
        over HTTP, various other transport specific authentication mechanisms

        ii) external authentication tokens transported over SOAP, this is the
        direction WS-Security / WS-License takes, take an existing
        authentication token (such as a Kerberos ticket, or x509 cert), and
        transport it to the server in the SOAP message.

        iii) pure SOAP based authentication, simple approaches just put
        username/password in the SOAP message (body or preferably header).
        More secure versions use something like Rich & Bob's SOAP Digest
        authentication protocol.

        If you think that messaging / routing / intermediaries are part of
        SOAP's future, then option (i) is just short term and will go away,
        leaving ii or iii.


        There seems to be very little visible motion in this particular space,
        IIRC, Passport 3.0 (which was planned to be Kerberos based, and seems
        to fit with (ii) ), was scheduled for later this year, I have no idea
        if that schedule still stands or not.

        I'd be interested to hear what people are doing in this space, it's a
        particularly favorite topic of mine at the minute.

        As for Sam's specific question, my gut feel is that support for HTTP
        digest is spotty (although I have no firm evidence). PocketSOAP
        currently supports HTTP basic auth, HTTP digest auth is slated to be
        included in the 1.4 release, as well as possibly NTLM support (I've
        gotten a fairly equal # of requests for both of these).

        Should we be testing this? It looks like it; what's its relative
        priority to other testing going on?

        Cheers
        Simon
        www.pocketsoap.com
      • Rich Salz
        Message 3 of 5 , Apr 11 4:21 AM
          > ii) external authentication tokens transported over SOAP, this is the
          > direction WS-Security / WS-License takes, take an existing
          > authentication token (such as a Kerberos ticket, or x509 cert), and
          > transport it to the server in the SOAP message.

          SAML, security authorizations markup language, is an OASIS effort. Its
          concept is that an authority makes a set of assertions about the sender's
          identity, which recipients use for authorization decisions.

          You can find out more at the OASIS site (www.oasis-open.org)
          /r$
        • John Mani
          Message 4 of 5 , Apr 11 10:03 AM
            >
            > i) transport level authentication, HTTP basic auth, HTTP digest, NTLM
            > over HTTP, various other transport specific authentication mechanisms
            >
            > ii) external authentication tokens transported over SOAP, this is the
            > direction WS-Security / WS-License takes, take an existing
            > authentication token (such as a Kerberos ticket, or x509 cert), and
            > transport it to the server in the SOAP message.
            >
            > iii) pure SOAP based authentication, simple approaches just put
            > username/password in the SOAP message (body or preferably header).
            > More secure version use something like Rich & Bob's SOAP Digest
            > authentication protocol.
            >
            > There seems to be very little visible motion in this particular space,
            > IIRC, Passport 3.0 (which was planned to be Kerberos based, and seems
            > to fit with (ii) ), was scheduled for later this year, I have no idea
            > if that schedule still stands or not.
            >
            > I'd be interested to hear what people are doing in this space, its a
            > particularly favorite topic of mine at the minute.

            FWIW, as a creator of WebServices based applications, the only
            interoperable, deployable solution I've seen till now is (i) -
            transport level security using Basic auth over HTTP-S. And that's
            what we're using ... and it works for most of our use cases.

            -john
          • P.Q.Hung
            Message 5 of 5 , Apr 16 5:29 AM
              Microsoft's implementation of http digest authentication is not compatible
              with Systinet implementation.
              Mozilla browser also can't authenticate to the .NET - ISS server. IMHO, it
              checks the generated nonce and client nonce that isn't specified by RFC
              2617.

              Can any of you give me more information ?
              Thanks

              ---------------------------------------------------
              P.Q.Hung
              Senior Engineer, Systinet (formerly Idoox)
              http://www.systinet.com


              ----- Original Message -----
              From: "Sam Ruby" <rubys@...>
              To: <soapbuilders@yahoogroups.com>
              Sent: Wednesday, April 10, 2002 6:09 PM
              Subject: [soapbuilders] HTTP Digest authentication?


              > Apparently MapPoint.Net requires this. How many clients are capable of
              > handling this? Is this something we should be testing for?
              >
              > Thanks to Matt Griffith for pointing this out. More details at his weblog:
              > http://radio.weblogs.com/0105919/2002/04/09.html
              >
              > - Sam Ruby
              >
              >
              >
              > -----------------------------------------------------------------
              > This group is a forum for builders of SOAP implementations to discuss
              > implementation and interoperability issues. Please stay on-topic.
              >
              > To unsubscribe from this group, send an email to:
              > soapbuilders-unsubscribe@yahoogroups.com
              >
              >
              >
              > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
              >
              >
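
Added example, not part of any post in this thread: where the server nonce and the client nonce (cnonce) enter the RFC 2617 request-digest, using the sample values from RFC 2617 section 3.5. The helper names (`digest_response`, `server_accepts`, `client_credentials`) and the `require_qop` switch are assumptions for illustration and do not model any product named above.

```python
import hashlib
import hmac

# Sample exchange from RFC 2617 section 3.5 (not taken from the thread).
RFC_SAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "password": "Circle Of Life", "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",   # chosen by the server
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",  # chosen by the client
}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Request-digest for algorithm=MD5 as defined in RFC 2617 section 3.2.2."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        # RFC 2069 compatibility form: server nonce only.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("this example handles qop=auth with nc and cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(creds, password, method, issued_nonce, require_qop=False):
    """Recompute the digest from the Authorization fields and compare."""
    if not hmac.compare_digest(creds["nonce"], issued_nonce):
        return False                      # nonce was not issued by this server
    if require_qop and creds.get("qop") != "auth":
        return False                      # strict server: legacy form refused
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"],
                               creds.get("qop"), creds.get("nc"), creds.get("cnonce"))
    return hmac.compare_digest(expected, creds["response"])

def client_credentials(sample, use_qop=True):
    """Build the fields a client would send in its Authorization header."""
    s = dict(sample)
    password, method = s.pop("password"), s.pop("method")
    if not use_qop:
        for key in ("qop", "nc", "cnonce"):
            s.pop(key)
    s["response"] = digest_response(password=password, method=method, **s)
    return s
```

A client that answers in the RFC 2069 form and a server that insists on `qop=auth` compute different digests from the same password, so the two sides only interoperate when they agree on which form is in use.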