In Java servlet, when SHA-256 sends WW-Authenticate header for digest authentication, the client does not return the result.

Asked 2 years ago, Updated 2 years ago, 1037 views

We are developing a WebAPI for Digest authentication, but if you set the message digest algorithm to SHA-256, the client side will crash.
Is there something wrong with the server implementation?

language:Java, server:Tomcat 7.0
OS:Windows 10

for both servers and clients

Digest authentication implements WWW-Authenticate header transmission and Authorization header reception in servlets, rather than authentication settings with configuration files such as tomcat web.xml, server.xml, and tomcat-users.xml.
If you use MD5 as the algorithm for the digest, authentication is successful, but if you change it to SHA-256 because it is deprecated, the client will not return any results after sending the WW-Authenticate header.

Example WW-Authenticate Header Sent

WWW-Authenticate: Digest realm="example.com", qop=auth, nonce="f5d6eeccc66664731c72e3300d3dfadf", opaque="56b2ea6d037b522661a3719ec48b7d9a", algorithm=SHA-256

※ algorithm=MD5 will succeed

Client-side behavior

  • For browsers
    Error in Http status 401 without displaying user password dialog.
    Looking at the status of the communication in the developer tool, WWW-Authenticate: appears to have received it, but does not appear to be generating Authorization.

  • For the curl command
    curl-v-k --digest -- user "user:password" "url"
    Curl exits with out of memory message after receiving WWW-Authenticate header

For browsers
Error in Http status 401 without displaying user password dialog.
Looking at the status of the communication in the developer tool, WWW-Authenticate: appears to have received it, but does not appear to be generating Authorization.

For the curl command:
curl-v-k --digest -- user "user:password" "url"
Curl exits with out of memory message after receiving WWW-Authenticate header

java http tomcat java-ee

2022-09-30 21:58

1 Answers

According to English Wikipedia,

However, as of July 2021, none of popular browsers, including Firefox [1] and Chrome, [2] support SHA-asash the function.

Therefore, there seems to be no (major) implementation that supports it.
(appears to be compatible but (#1018))


2022-09-30 21:58

If you have any answers or tips


© 2024 OneMinuteCode. All rights reserved.