Implement HTTP Digest Access Authentication #2089
Conversation
| if (end == -1) return null; | ||
| return headerLine.substring(start, end); | ||
| } | ||
|
|
||
| private void newCnonce(MessageDigest md) { | ||
| byte[] b = new byte[8]; | ||
| ThreadLocalRandom.current().nextBytes(b); | ||
| b = md.digest(b); |
There was a problem hiding this comment.
MD5 =16 bytes; SHA-256 = 32 bytes;
rfc7616 doesn’t forbid long nonces... but wont the headers that big can be unwieldy, especially if you’re proxying or logging??
| return MessageDigestUtils.pooledMd5MessageDigest(); | ||
| } else if ("SHA-256".equalsIgnoreCase(algorithm) || "SHA-256-sess".equalsIgnoreCase(algorithm)) { | ||
| return MessageDigestUtils.pooledSha256MessageDigest(); | ||
| } else if ("SHA-512-256".equalsIgnoreCase(algorithm) || "SHA-512-256-sess".equalsIgnoreCase(algorithm)) { |
There was a problem hiding this comment.
will it handle "SHA-512/256" ??
some server might send with / 's
and even "SHA-512/256" is mentioned in standard names docs... https://docs.oracle.com/en/java/javase/12/docs/specs/security/standard-names.html
| } | ||
|
|
||
| private static byte[] md5FromRecycledStringBuilder(StringBuilder sb, MessageDigest md) { | ||
| private static byte[] digestFromRecycledStringBuilder(StringBuilder sb, MessageDigest md) { | ||
| md.update(StringUtils.charSequence2ByteBuffer(sb, ISO_8859_1)); |
There was a problem hiding this comment.
can utf-8 be implemented?
| md.update(StringUtils.charSequence2ByteBuffer(sb, ISO_8859_1)); | ||
| sb.setLength(0); | ||
| return md.digest(); | ||
| } | ||
|
|
||
| private static MessageDigest getDigestInstance(String algorithm) { |
There was a problem hiding this comment.
if the server sends multiple algos (eg: md5, sha256..eg)
then public Builder parseWWWAuthenticateHeader(String headerLine) --- can pick the first algo (here m5 can be chosen even if sha256 is present )
it should choose the algo based on strength right??
RFC 7616 - HTTP Digest Access Authentication
Closes #2068