I want to use HTTP Digest Authentication with a central database that stores usernames and hashed passwords. This data should be used by different servers, for instance Apache httpd or Tomcat. The clients will be humans with browsers as well as other programs interacting in a RESTful way.

As far as I understand, I could not use a table with hashed passwords. It is only possible to store HA1 = MD5(username:realm:password), for which a clear text password is needed - correct?

However, it seems to be possible to use hashed passwords with Apache httpd:

The Apache httpd doc states:

The first column value of the first row returned by the query statement should be a string containing the encrypted password.

Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?

RFC 2617 states:

4.13 Storing passwords

Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's name and password in a "password file" associated with a given realm. Normally this might contain pairs consisting of username and H(A1), where H(A1) is the digested value of the username, realm, and password as described above.

It sounds like the password has to be clear text.

The Servlet 3.0 spec states:

Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.

What is the "clear text password equivalent" here? The password hash?

The Tomcat documentation states:

If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above must be replaced with ::. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.

Here a clear text password is needed.

So, can HTTP Digest authentication be used with already hashed passwords, or do the passwords have to be clear text?

Must the user re-enter his credentials if he requests a page from a different subdomain?

Does the browser remove the cached password when the tab is closed, or only when the whole browser is closed? Maybe this differs from browser to browser - I would be interested in which browsers remove it and which keep it.

The general question is whether digest authentication is suitable for my scenario with a central user db of already hashed passwords, or whether I should rather use a session based single sign-on service.
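To make the question concrete, here is an added example (not from the original post or from any of the servers quoted above) that implements the RFC 2617 computation with `qop=auth`. The server side stores only HA1 = MD5(username:realm:password) and never sees the password, which is what the RFC's "password file" allows. The realm `localhost:8080` and user `testUser:testPassword` are the values from the quoted Tomcat example; the nonce is a constructed value. The example also shows two things the text only hints at: a table hashed with any other function (SHA-256 of the bare password stands in for a typical salted hash here) cannot be verified at all, and an HA1 computed for one realm is useless for a different realm, so every server that shares the table must present the same realm string.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 per RFC 2617 (algorithm=MD5): the only thing the server has to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


REALM = "localhost:8080"

# Constructed central "password file": username -> HA1 for REALM, no cleartext.
DIGEST_DB = {"testUser": ha1("testUser", REALM, "testPassword")}

# Constructed table hashed with a different function (stand-in for an existing
# salted/bcrypt-style store). Digest cannot be verified against this at all.
OTHER_HASH_DB = {"testUser": hashlib.sha256(b"testPassword").hexdigest()}


def client_authorization(username: str, realm: str, password: str,
                         method: str, uri: str, nonce: str) -> dict:
    """What a browser computes from the typed password and the server's challenge."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "cnonce": cnonce, "nc": nc, "qop": "auth", "response": resp}


def server_verify(auth: dict, method: str, db: dict, realm: str = REALM) -> bool:
    """Verify using only the stored HA1 for this server's realm (never the password)."""
    if auth.get("realm") != realm:
        return False
    stored_ha1 = db.get(auth.get("username"))
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


def demo() -> dict:
    """Run the four cases the question is about; returns a name -> bool map."""
    nonce = "constructed-server-nonce-0001"
    good = client_authorization("testUser", REALM, "testPassword", "GET", "/index.html", nonce)
    bad_pw = client_authorization("testUser", REALM, "wrong", "GET", "/index.html", nonce)
    other_realm = client_authorization("testUser", "api.example.test", "testPassword",
                                       "GET", "/index.html", nonce)
    return {
        "ha1_store_accepts_correct_password": server_verify(good, "GET", DIGEST_DB),
        "ha1_store_rejects_wrong_password": server_verify(bad_pw, "GET", DIGEST_DB),
        "other_hash_store_accepts_correct_password": server_verify(good, "GET", OTHER_HASH_DB),
        "ha1_for_other_realm_accepted": server_verify(other_realm, "GET", DIGEST_DB),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The takeaway for the central-database question: the table has to contain exactly MD5(username:realm:password) with the realm every participating server will use, and since HA1 is a password equivalent for that realm (anyone holding it can answer challenges), the table needs to be protected as if it held cleartext.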

In this scenario where you already have a database of hashed passwords, you cannot use digest authentication as long as they were not hashed using the same function.

I think the best solution for you here is to create a login page and use cookie sessions to manage the rights of the users. With this solution you get the answer to the other questions:

  • The cookie can be set to be used between subdomains: http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_characteristics
  • The session will be valid until the users close the browser, the timeout expires or the users click on the logoff button. Always remember to provide this option for your users!!!
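The cookie-session design the answer recommends, as an added example that is not part of the original answer: a server-side session store keyed by a random id, the id carried in an HMAC-signed cookie whose `Domain` attribute covers all subdomains, no `Max-Age`/`Expires` so the browser drops it on close, plus the idle timeout and explicit logoff the answer mentions. The domain `example.test`, the key and the timeout are constructed values; a real deployment loads the key from a secret store and serves the cookie only over HTTPS (hence `Secure`).

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed; load from a secret store in practice
IDLE_TIMEOUT_SECONDS = 15 * 60         # constructed policy value
COOKIE_DOMAIN = "example.test"         # constructed; one cookie for all *.example.test

# Server-side store: session id -> {"user": ..., "last_seen": ...}.
# Keeping state here (not in the cookie) is what makes logoff an immediate revocation.
SESSIONS: dict = {}


def _sign(sid: str) -> str:
    mac = hmac.new(SERVER_KEY, sid.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def create_session(username: str, now: float) -> str:
    """Called after the login page verified the user's password (any hash scheme)."""
    sid = secrets.token_urlsafe(32)     # URL-safe alphabet, never contains '.'
    SESSIONS[sid] = {"user": username, "last_seen": now}
    return _sign(sid)


def set_cookie_header(cookie_value: str) -> str:
    """Session cookie: Domain covers subdomains; no Max-Age/Expires means
    the browser discards it when the whole browser is closed."""
    return (f"Set-Cookie: SID={cookie_value}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def resolve_session(cookie_value: str, now: float) -> Optional[str]:
    """Return the username for a valid, unexpired, untampered cookie; else None."""
    sid, sep, _mac = cookie_value.rpartition(".")
    if not sep or not hmac.compare_digest(_sign(sid), cookie_value):
        return None                      # forged or altered cookie
    session = SESSIONS.get(sid)
    if session is None:
        return None                      # logged off or never issued
    if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
        SESSIONS.pop(sid, None)          # idle timeout expired
        return None
    session["last_seen"] = now           # sliding expiry
    return session["user"]


def logoff(cookie_value: str) -> bool:
    """Destroy the server-side session so the cookie is useless from now on."""
    sid, _, _ = cookie_value.rpartition(".")
    return SESSIONS.pop(sid, None) is not None


def demo() -> dict:
    t0 = 1_000_000.0
    cookie = create_session("testUser", t0)
    header = set_cookie_header(cookie)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results = {
        "valid_cookie_user": resolve_session(cookie, t0 + 60),
        "tampered_cookie_user": resolve_session(tampered, t0 + 60),
        "domain_attribute_present": f"Domain={COOKIE_DOMAIN}" in header,
        "no_persistent_expiry": "Max-Age" not in header and "Expires" not in header,
    }
    results["after_logoff_user"] = (logoff(cookie), resolve_session(cookie, t0 + 61))
    cookie2 = create_session("testUser", t0)
    results["after_idle_timeout_user"] = resolve_session(
        cookie2, t0 + IDLE_TIMEOUT_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the password check happens once on the login page, the existing hashed-password table can stay as it is, which is the point of the answer; the digest-specific HA1 format is no longer needed.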