Skip to content

Implement HTTP Digest Access Authentication#2089

Open
hyperxpro wants to merge 1 commit intomainfrom
digest-auth
Open

Implement HTTP Digest Access Authentication#2089
hyperxpro wants to merge 1 commit intomainfrom
digest-auth

Conversation

@hyperxpro
Copy link
Member

@hyperxpro hyperxpro commented May 10, 2025

RFC 7616 - HTTP Digest Access Authentication

Closes #2068

@hyperxpro hyperxpro mentioned this pull request May 10, 2025
Open
pratt4
pratt4 reviewed May 12, 2025
View reviewed changes
Copy link
Contributor

@pratt4 pratt4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please review the comments and let me know If the observations make sense...

If you'd like, I can pick up these fixes and push the changes (along with tests) on top of this PR to help wrap it up faster.
Let me know... happy to help!!!

client/src/main/java/org/asynchttpclient/Realm.java
private void newCnonce(MessageDigest md) {
byte[] b = new byte[8];
ThreadLocalRandom.current().nextBytes(b);
b = md.digest(b);
Copy link
Contributor

@pratt4 pratt4 May 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MD5 =16 bytes; SHA-256 = 32 bytes;
rfc7616 doesn’t forbid long nonces... but wont the headers that big can be unwieldy, especially if you’re proxying or logging??

Copy link

@mistressxalexis mistressxalexis Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MD5 =16 bytes; SHA-256 = 32 bytes;

rfc7616 doesn’t forbid long nonces... but wont the headers that big can be unwieldy, especially if you’re proxying or logging??

!

pratt4
pratt4 reviewed May 12, 2025
View reviewed changes
client/src/main/java/org/asynchttpclient/Realm.java
return MessageDigestUtils.pooledMd5MessageDigest();
} else if ("SHA-256".equalsIgnoreCase(algorithm) || "SHA-256-sess".equalsIgnoreCase(algorithm)) {
return MessageDigestUtils.pooledSha256MessageDigest();
} else if ("SHA-512-256".equalsIgnoreCase(algorithm) || "SHA-512-256-sess".equalsIgnoreCase(algorithm)) {
Copy link
Contributor

@pratt4 pratt4 May 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will it handle "SHA-512/256" ??
some server might send with / 's
and even "SHA-512/256" is mentioned in standard names docs... https://docs.oracle.com/en/java/javase/12/docs/specs/security/standard-names.html

client/src/main/java/org/asynchttpclient/Realm.java

private static byte[] md5FromRecycledStringBuilder(StringBuilder sb, MessageDigest md) {
private static byte[] digestFromRecycledStringBuilder(StringBuilder sb, MessageDigest md) {
md.update(StringUtils.charSequence2ByteBuffer(sb, ISO_8859_1));
Copy link
Contributor

@pratt4 pratt4 May 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can utf-8 be implemented?

image

client/src/main/java/org/asynchttpclient/Realm.java
return md.digest();
}

private static MessageDigest getDigestInstance(String algorithm) {
Copy link
Contributor

@pratt4 pratt4 May 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the server sends multiple algos (eg: md5, sha256..eg)
then public Builder parseWWWAuthenticateHeader(String headerLine) --- can pick the first algo (here m5 can be chosen even if sha256 is present )

it should choose the algo based on strength right??
image

@pratt4 pratt4 mentioned this pull request Jun 12, 2025
Merged
hyperxpro added a commit that referenced this pull request Sep 23, 2025
@pratt4 @hyperxpro
Digest auth new (#2098)
a5763a6 
This is build on top of
#2089

and still some changes are required around new testcases and failing
testcases

closes #2068

---------

Co-authored-by: Aayush Atharva <aayush@shieldblaze.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@pratt4 pratt4 pratt4 left review comments

@mistressxalexis mistressxalexis mistressxalexis left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

any plan for RFC7616?

3 participants

@hyperxpro @pratt4 @mistressxalexis