
Digest authentication

  • NOVAK Judit
    Message 1 of 2 , Feb 24, 2004
      Dear all,


      I want to use Digest authentication method accessing the server
      class. The solutions I found mentioned together with Basic
      authentication (overriding
      SOAP::Transport::HTTP::Client::get_basic_credentials to return
      'username' => 'password' or using
      $soapobj->transport->credentials('port', 'realm', 'user' => 'password')), did not work for me. I still get the error message:

      client used wrong authentication scheme: Basic for <myscriptlocation>

      Though searching the web quite some time now, I couldn't find anything, that could help me :(

      Does anyone have some suggestion/experience?
      I'm not so expert in SOAP and web authentication...


      Thanks a lot!
      Judit
    • Byrne Reese
      Message 2 of 2 , Oct 8, 2004
        I found a good article discussing Digest Authentication:

        http://www.webreference.com/internet/apache/chap5/3/

        Here is an excerpt:

        Digest authentication works this way:

        1. The client requests a URL.

        2. Because that URL is protected, the server replies with error
           401, "Authentication required," and among the headers, it
           sends a nonce.

        3. The client combines the user's password, the nonce, the
           method, and the URL, as described previously, then sends the
           result back to the server. The server does the same thing with
           the hash of the user's password retrieved from the password
           file and checks that its result matches.

        A different nonce is sent the next time, so that the Bad Guy can't
        use the captured digest to gain access.

        Here is an excerpt from O'Reilly's Web Client Programming in Perl:

        In addition to HTTP 1.0's authentication mechanism, HTTP 1.1
        includes digest authentication. Instead of sending the username and
        password in the clear, the client computes a checksum of the
        username, password, document location, and a unique number given by
        the server. If a checksum is sent, the username and password are not
        communicated between the client and server. Since each transaction
        is given a unique number, the checksum varies from transaction to
        transaction, and is less likely to be compromised by "playing back"
        authorization information captured from a previous transaction.

        In any event, Apache has implemented Digest authentication allowing the
        server side to require and enforce Digest authentication. See
        mod_auth_digest.

        That leaves the client side of things to pass Digest credentials to the
        server.

        Unfortunately there is very little documentation out there for Digest
        Authentication over HTTP using Perl. The Authen::DigestMD5 module may help:

        http://search.cpan.org/~salva/Authen-DigestMD5-0.04/DigestMD5.pm

        But so may the LWP::Authen::Digest.pm module that has no documentation.

        Given that Digest authentication is not entirely predictable - in
        other words, both parties have to be using the same digest algorithm,
        then what does the community think is the best way to facilitate this
        type of functionality? Would you prefer using a callback method of
        some kind that takes as a single argument the nonce sent by the server
        being authenticated to?

        Any ideas?

        Byrne




        NOVAK Judit wrote:

        > Dear all,
        >
        >
        > I want to use Digest authentication method accessing the server
        > class. The solutions I found mentioned together with Basic
        > authentication (overriding
        > SOAP::Transport::HTTP::Client::get_basic_credentials to return
        > 'username' => 'password' or using
        > $soapobj->transport->credentials('port', 'realm', 'user' =>
        > 'password')), did not work for me. I still get the error message:
        >
        > client used wrong authentication scheme: Basic for <myscriptlocation>
        >
        > Though searching the web quite some time now, I couldn't find
        > anything, that could help me :(
        >
        > Does anyone have some suggestion/experience?
        > I'm not so expert in SOAP and web authentication...
        >
        >
        > Thanks a lot!
        > Judit
        >
        >
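The three-step exchange excerpted in the reply above, worked through for both sides as an added example (not part of either post, and not code from SOAP::Lite or LWP). It assumes the RFC 2617 MD5 scheme with qop=auth, which the thread does not specify; the function names are hypothetical, and the sample values are the worked example published in RFC 2617.

```perl
#!/usr/bin/perl
# Added example: RFC 2617 Digest (MD5, qop=auth) computed by client and server.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# What the server's password file holds: MD5(user:realm:password), not the password.
sub ha1 {
    my ($user, $realm, $password) = @_;
    return md5_hex(join ':', $user, $realm, $password);
}

# The value the client sends as response="..." in its Authorization header.
sub digest_response {
    my ($ha1, %p) = @_;
    my $ha2 = md5_hex("$p{method}:$p{uri}");
    return md5_hex(join ':', $ha1, @p{qw(nonce nc cnonce qop)}, $ha2);
}

# Server side: recompute from the stored HA1 and the nonce it actually issued.
sub server_accepts {
    my ($stored_ha1, $issued_nonce, %auth) = @_;
    return 0 unless $auth{nonce} eq $issued_nonce;    # stale or replayed nonce
    return digest_response($stored_ha1, %auth) eq $auth{response} ? 1 : 0;
}

# Step 2: fields the server sends with its 401 (values from RFC 2617's example).
my %challenge = (realm => 'testrealm@host.com', qop => 'auth',
                 nonce => 'dcd98b7102dd2f0e8b11d0f600bfb0c093');

# Step 3, client: combine password, nonce, method and URL into the response.
my %req = (method => 'GET', uri => '/dir/index.html',
           nonce  => $challenge{nonce}, qop => $challenge{qop},
           nc     => '00000001', cnonce => '0a4f113b');
$req{response} = digest_response(
    ha1('Mufasa', $challenge{realm}, 'Circle Of Life'), %req);

# Step 3, server: only the stored hash is needed to check the response.
my $stored_ha1 = ha1('Mufasa', 'testrealm@host.com', 'Circle Of Life');
my $rfc_value  = '6629fae49393a05397450978507c4ef1';  # response in RFC 2617's example

print "client response: $req{response}\n";
print "equals RFC 2617 value: ", ($req{response} eq $rfc_value ? 'yes' : 'no'), "\n";
print "accepted with issued nonce: ",
      server_accepts($stored_ha1, $challenge{nonce}, %req), "\n";
print "accepted after nonce changed (constructed new nonce): ",
      server_accepts($stored_ha1, 'constructed-new-nonce', %req), "\n";
```

The client needs the realm and qop from the challenge as well as the nonce, plus the request method and URI, before it can compute the response.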