Re: [soaplite] Digest authentication
- I found a good article discussing Digest Authentication:
Here is an excerpt:
Digest authentication works this way:
The client requests a URL.
Because that URL is protected, the server replies with error
401, "Authentication required," and among the headers, it
sends a nonce.
The client combines the user's password, the nonce, the
method, and the URL, as described previously, then sends the
result back to the server. The server does the same thing with
the hash of the user's password retrieved from the password
file and checks that its result matches.
A different nonce is sent the next time, so that the Bad Guy can't
use the captured digest to gain access.
Here is an excerpt from O'Reilly's Web Client Programming in Perl:
In addition to HTTP 1.0's authentication mechanism, HTTP 1.1
includes digest authentication. Instead of sending the username and
password in the clear, the client computes a checksum of the
username, password, document location, and a unique number given by
the server. If a checksum is sent, the username and password are not
communicated between the client and server. Since each transaction
is given a unique number, the checksum varies from transaction to
transaction, and is less likely to be compromised by "playing back"
authorization information captured from a previous transaction.
In any event, Apache has implemented Digest authentication allowing the
server side to require and enforce Digest authentication. See
That leaves the client side of things to pass Digest credentials to the
Unfortunately there is very little documentation out there for Digest
Authentication over HTTP using Perl. The Authen::DigestMD5 module may help:
But so may the LWP::Authen::Digest.pm module that has no documentation.
Given that Digest authentication is not entirely predictable - in
other words, both parties have to be using the same digest algorithm,
then what does the community think is the best way to facilitate this
type of functionality? Would you prefer using a callback method of
some kind that takes as a single argument the nonce sent by the server
being authenticated to?
NOVAK Judit wrote:
> Dear all,
> I want to use Digest authentication method accessing the server
> class. The solutions I found mentioned together with Basic
> authentication (overriding
> SOAP::Transport::HTTP::Client::get_basic_credentials to return
> 'username' => 'password' or using
> $soapobj->transport->credentials('port', 'realm', 'user' =>
> 'password')), did not work for me. I still get the error message:
> client used wrong authentication scheme: Basic for <myscriptlocation>
> Though searching the web quite some time now, I couldn't find
> anything, that could help me :(
> Does anyone have some suggestion/experience?
> I'm not so expert in SOAP and web authentication...
> Thanks a lot!
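The exchange described in the two excerpts above (server sends a nonce, client hashes password + nonce + method + URL, server recomputes from the stored password hash and compares, and a replay with an old nonce fails), written out as a worked example. This is added example code, not code from the original thread, from SOAP::Lite, or from the O'Reilly book; it uses only Digest::MD5, which ships with Perl, and implements the RFC 2617 "qop=auth" form of Digest. The realm, user name, password, URI and nonces are constructed values.

```perl
#!/usr/bin/perl
# Added example: both halves of an HTTP Digest exchange (RFC 2617, qop="auth").
# Only Digest::MD5 is needed. All names and values below are made up.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# HA1 = MD5(user:realm:password). This is what the server keeps in its
# password file (Apache's htdigest writes exactly this), so the server can
# verify a response without ever storing or receiving the password itself.
sub ha1 {
    my ($user, $realm, $password) = @_;
    return md5_hex("$user:$realm:$password");
}

# Client side: compute the "response" field for a challenge with qop="auth".
# %p carries user, realm, password, method, uri, nonce, nc, cnonce.
sub digest_response {
    my (%p) = @_;
    my $ha2 = md5_hex("$p{method}:$p{uri}");
    return md5_hex(join ':', ha1(@p{qw(user realm password)}),
                             $p{nonce}, $p{nc}, $p{cnonce}, 'auth', $ha2);
}

# Client side: the Authorization header sent back after the 401.
sub authorization_header {
    my (%p) = @_;
    my $response = digest_response(%p);
    return sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
                 . 'qop=auth, nc=%s, cnonce="%s", response="%s"',
                   @p{qw(user realm nonce uri nc cnonce)}, $response);
}

# Server side: parse the header and recompute the response from the stored
# HA1. Returns 1 on success, 0 otherwise. $issued_nonces maps each nonce the
# server handed out to the nonce-count values already accepted for it, which
# is what makes a captured header useless the second time.
sub verify_authorization {
    my ($header, $method, $stored_ha1, $issued_nonces) = @_;
    return 0 unless $header =~ s/^Digest\s+//;
    my %f;
    while ($header =~ /(\w+)=(?:"([^"]*)"|([^,\s]+))/g) {
        $f{$1} = defined $2 ? $2 : $3;
    }
    return 0 unless exists $issued_nonces->{ $f{nonce} // '' };
    my $seen = $issued_nonces->{ $f{nonce} };
    return 0 if $seen->{ $f{nc} // '' };     # this nc already used: replay
    my $ha2 = md5_hex("$method:$f{uri}");
    my $expected = md5_hex(join ':', $stored_ha1, $f{nonce}, $f{nc},
                                     $f{cnonce}, 'auth', $ha2);
    return 0 unless $expected eq ($f{response} // '');
    $seen->{ $f{nc} } = 1;
    return 1;
}

# --- Demonstration with constructed values ---
my ($user, $realm, $password) = ('judit', 'soap-realm', 's3cret');
my $stored_ha1 = ha1($user, $realm, $password);   # from the "password file"

# 1. Server answers the first request with 401 and a fresh nonce.
my $nonce1 = md5_hex(time . rand);
my %issued = ($nonce1 => {});

# 2. Client combines password, nonce, method and URL into its answer.
my %req = (user => $user, realm => $realm, password => $password,
           method => 'POST', uri => '/soap/Server.cgi',
           nonce => $nonce1, nc => '00000001', cnonce => 'abc123');
my $header = authorization_header(%req);

printf "first use: %s\n",
    verify_authorization($header, 'POST', $stored_ha1, \%issued) ? 'accepted' : 'rejected';

# 3. The Bad Guy replays the captured header unchanged: rejected.
printf "replay:    %s\n",
    verify_authorization($header, 'POST', $stored_ha1, \%issued) ? 'accepted' : 'rejected';

# 4. The next challenge carries a different nonce, so the old header is useless.
my $nonce2 = md5_hex(time . rand . 'x');
my %issued2 = ($nonce2 => {});
printf "new nonce: %s\n",
    verify_authorization($header, 'POST', $stored_ha1, \%issued2) ? 'accepted' : 'rejected';
```

Running it prints "accepted" for the first use and "rejected" for both the replay and the new-nonce case, which is the property the excerpts describe. On the SOAP::Lite side, note that LWP's Digest handler (LWP::Authen::Digest) obtains the user name and password through the same get_basic_credentials method that the Basic handler uses, so overriding that method is also the hook for Digest, provided the client's LWP has Digest::MD5 available and the server's 401 actually carries a Digest challenge rather than a Basic one.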