6.5 HTTP Digest Authentication

Basic authentication can be used in a secure network environment. However, in an insecure network, such as the Internet, the problem with basic authentication is obvious: a cracker can easily intercept the clear-text username and password and forge the user's identity. A more secure scheme is to use one-way hashes (digests) to carry user credentials. HTTP Digest Authentication works as follows.

1. The client contacts the server and requests a restricted resource.
2. The server sends a challenge to the client, including a randomly generated nonce value in predefined HTTP headers.
3. The client calculates a hash from its username, password, and the nonce value according to the algorithm defined in the specification.
4. The client resends its request with the new authentication header.
5. The server compares the received hash with its own calculation. If the authentication is successful, the client continues to use the same hash until the server changes the nonce value or the user changes his or her username and password.

Besides eliminating the clear-text username and password, the digest authentication scheme has other important benefits:

- The server knows only the hash of the password, not the password itself. This prevents insider abuse.
- The server nonce value is embedded in the hash and therefore cannot be forged. This gives the server better control over the authentication process.

6.5.1 Code Example

We can use the DigestAuthHandler class to make the HttpClient object aware of digest authentication. The implementation of DigestAuthHandler is based on Kenneth Ballard's open source package "HttpClient." A code snippet from the DigestAuthHandler class is shown in Listing 6.8 (see Chapter 20).

Listing 6.8. The DigestAuthHandler class
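The listing itself is not reproduced on this page. To make the five-step exchange concrete, the following is an added Python example, not the DigestAuthHandler class and not code from Kenneth Ballard's HttpClient package. It implements both sides of the RFC 2617 MD5 digest with qop="auth": the server stores only HA1 = MD5(username:realm:password) and a table of nonces it has issued, the client answers the challenge with a hash rather than the password, and the server recomputes the hash and checks the nonce count so a captured Authorization header cannot simply be replayed. The realm, user, password, URI and the class and function names are constructed for the example.

```python
"""Worked HTTP Digest Authentication exchange (RFC 2617 MD5 digest, qop="auth").

Added example: a minimal client and server showing the challenge/response
round trip. All names here (DigestServer, DigestClient, demo_exchange) are
this example's own, not part of any HttpClient library.
"""
import hashlib
import hmac
import re
import secrets


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the digest function the scheme uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_auth_params(header: str) -> dict:
    """Split 'Digest k1="v1", k2=v2, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header: %r" % header)
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server has to store."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Keeps HA1 per user (never the password) and the highest nc seen per nonce."""

    def __init__(self, realm: str, ha1_by_user: dict):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.issued = {}  # nonce -> highest nonce count accepted so far

    def challenge(self) -> str:
        """Build the WWW-Authenticate header carrying a fresh random nonce (step 2)."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, authorization: str) -> bool:
        """Recompute the digest from stored HA1 and compare (step 5)."""
        p = parse_auth_params(authorization)
        ha1 = self.ha1_by_user.get(p.get("username", ""))
        if ha1 is None or p.get("realm") != self.realm:
            return False
        nonce = p.get("nonce")
        if nonce not in self.issued:
            return False  # a nonce this server never issued
        try:
            nc = int(p["nc"], 16)
            expected = compute_response(ha1, method, p["uri"], nonce,
                                        p["nc"], p["cnonce"], p.get("qop", "auth"))
        except (KeyError, ValueError):
            return False
        if nc <= self.issued[nonce]:
            return False  # replayed header: the nonce count must strictly increase
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.issued[nonce] = nc
        return True


class DigestClient:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password

    def authorize(self, method, uri, challenge, nc=1, cnonce=None):
        """Answer the challenge (steps 3-4); the header carries the digest, not the password."""
        p = parse_auth_params(challenge)
        ha1 = make_ha1(self.username, p["realm"], self.password)
        cnonce = cnonce or secrets.token_hex(8)
        nc_hex = f"{nc:08x}"
        response = compute_response(ha1, method, uri, p["nonce"], nc_hex, cnonce, "auth")
        return (f'Digest username="{self.username}", realm="{p["realm"]}", '
                f'nonce="{p["nonce"]}", uri="{uri}", qop=auth, nc={nc_hex}, '
                f'cnonce="{cnonce}", response="{response}"')


def demo_exchange() -> dict:
    """Run the exchange with constructed credentials and report the server's decisions."""
    realm = "example.test"  # constructed sample realm
    server = DigestServer(realm, {"alice": make_ha1("alice", realm, "s3cret")})
    client = DigestClient("alice", "s3cret")
    method, uri = "GET", "/private/report.txt"

    www_auth = server.challenge()                              # steps 1-2
    authz = client.authorize(method, uri, www_auth, nc=1)      # steps 3-4
    first = server.verify(method, authz)                       # step 5
    replay = server.verify(method, authz)                      # same header sent again
    second = server.verify(method, client.authorize(method, uri, www_auth, nc=2))
    wrong = server.verify(method, DigestClient("alice", "guess").authorize(method, uri, www_auth, nc=3))
    return {"first": first, "replay": replay, "next_nc": second,
            "wrong_password": wrong, "password_on_wire": "s3cret" in authz}


if __name__ == "__main__":
    print(demo_exchange())
```

The example uses the qop="auth" form of the digest (which adds the client nonce and nonce count to the hash); the chapter's description corresponds to the simpler form where the response is MD5(HA1:nonce:HA2). The nonce-count check is the defence that lets the server reuse one nonce across several requests, as the text describes, while still refusing a verbatim replay. Note also what the scheme does not do: only the credential is hashed, so the request and response bodies still travel in clear text, and the MD5 digest of a weak password can still be attacked offline from a captured exchange, which is why digest authentication is normally deployed over TLS today.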