We are developing a WebAPI for Digest authentication, but if you set the message digest algorithm to SHA-256, the client side will crash.
Is there something wrong with the server implementation?
Language: Java, Server: Tomcat 7.0
OS: Windows 10
Digest authentication is implemented in servlets, which send the WWW-Authenticate header and receive the Authorization header, rather than through authentication settings in configuration files such as Tomcat's web.xml, server.xml, and tomcat-users.xml.
If you use MD5 as the algorithm for the digest, authentication is successful, but if you change it to SHA-256 because it is deprecated, the client will not return any results after the WWW-Authenticate header is sent.
WWW-Authenticate: Digest realm="example.com", qop=auth, nonce="f5d6eeccc66664731c72e3300d3dfadf", opaque="56b2ea6d037b522661a3719ec48b7d9a", algorithm=SHA-256
※ algorithm=MD5 will succeed
For browsers
The request fails with HTTP status 401 without the user/password dialog being displayed.
Looking at the communication in the developer tools, the WWW-Authenticate header appears to have been received, but no Authorization header appears to be generated.
For the curl command
curl -v -k --digest --user "user:password" "url"
Curl exits with an out of memory message after receiving the WWW-Authenticate header.
According to English Wikipedia,
However, as of July 2021, none of popular browsers, including Firefox [1] and Chrome [2], support SHA-256 as the hash function.
Therefore, there seems to be no (major) implementation that supports it.
(appears to be compatible but (#1018))
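As an added example (not code from the question or the answer): RFC 7616 lets a server send one WWW-Authenticate challenge per algorithm, most preferred first, so a servlet can offer SHA-256 with MD5 after it and must then verify the response with the algorithm the client echoes back. The class and method names, the request URI, nc and cnonce are assumptions; realm, nonce and opaque are the values from the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class DigestAlgorithms {
    // Algorithms offered to clients, in order of preference (RFC 7616, section 3.7).
    static final List<String> OFFERED = Arrays.asList("SHA-256", "MD5");

    // Lower-case hex hash of s; "MD5" and "SHA-256" are both standard JCA names.
    static String h(String alg, String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance(alg).digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // One header value per algorithm. qop is a quoted string, algorithm is a bare token.
    static List<String> challenges(String realm, String nonce, String opaque) {
        List<String> out = new ArrayList<>();
        for (String alg : OFFERED)
            out.add("Digest realm=\"" + realm + "\", qop=\"auth\", nonce=\"" + nonce
                    + "\", opaque=\"" + opaque + "\", algorithm=" + alg);
        return out;
    }
    // Expected "response" for qop=auth, hashed with the algorithm named in Authorization.
    static String expected(String alg, String user, String realm, String password, String method,
            String uri, String nonce, String nc, String cnonce) throws NoSuchAlgorithmException {
        if (!OFFERED.contains(alg)) throw new IllegalArgumentException("algorithm not offered");
        String ha1 = h(alg, user + ":" + realm + ":" + password);
        String ha2 = h(alg, method + ":" + uri);
        return h(alg, ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }
    // Constant-time comparison of the client's response with the expected one.
    static boolean matches(String clientResponse, String expected) {
        return MessageDigest.isEqual(clientResponse.getBytes(StandardCharsets.US_ASCII),
                expected.getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) throws Exception {
        String realm = "example.com", nonce = "f5d6eeccc66664731c72e3300d3dfadf";
        for (String c : challenges(realm, nonce, "56b2ea6d037b522661a3719ec48b7d9a"))
            System.out.println("WWW-Authenticate: " + c);
        // Constructed client side: uri, nc and cnonce are sample values, not from the page.
        for (String alg : OFFERED) {
            String r = expected(alg, "user", realm, "password", "GET", "/api", nonce, "00000001", "0a4f113b");
            System.out.println(alg + " response=" + r + " matches=" + matches(r, r));
        }
    }
}
```

In a servlet, each string from `challenges` would go out through its own `response.addHeader("WWW-Authenticate", ...)` call, since `setHeader` would overwrite the earlier challenge.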