Making digest authentication usable for HTTP

Darren Oh darren at wans.net
Tue Oct 7 16:21:21 EDT 2008


My understanding of SASL digest authentication is that it is intended
to be compatible with HTTP digest authentication. However, when
experimenting with sasl-sample-server I was unable to find some
capabilities which are necessary for this purpose:

• Ability to specify different realms for password file and
authentication string. Internet Explorer and Opera try to reuse old
credentials, even after multiple authentication failures. The only way
to prevent this is to change the realm.
• Ability to specify connection method. The default SASL connection
method is Authenticate, which is not used by HTTP.
• Ability to save nonce for future requests. Retrieving a nonce value
and sending an authorization string by HTTP would be two separate
requests.
• Ability to start with client data. After receiving the nonce value,
the client sends an authentication string without waiting for a
challenge from the server.

I would prefer to use a standard tool for authentication rather than
create a custom program. Are these abilities present in the Cyrus SASL
library?
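The two-request HTTP Digest exchange the post describes (a 401 challenge whose nonce the server must remember, then an Authorization header whose response is computed over the real HTTP method and the server's realm), as an added example that is not part of the original post and not Cyrus SASL code. It follows RFC 2617 with algorithm=MD5 and qop=auth; the realm, user name, password, URI and client nonce are constructed sample values, and the server keeps nonces in an in-memory dict purely for illustration.

```python
"""HTTP Digest (RFC 2617, algorithm=MD5, qop=auth) as two separate requests:
a 401 challenge that issues a nonce the server saves, then an Authorization
header verified against that nonce, the configured realm and the actual method."""
import hashlib
import hmac
import re
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2). HA1 binds the realm and HA2
    binds the HTTP method, so a changed realm or a different method name (such
    as SASL's default "AUTHENTICATE") produces a different response."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(header[len("Digest "):])}


def client_authorization(username, password, challenge, method, uri, cnonce, nc):
    """Header the browser sends in request 2, built from the saved challenge."""
    response = digest_response(username, challenge["realm"], password, method, uri,
                               challenge["nonce"], nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (username, challenge["realm"], challenge["nonce"], uri, nc, cnonce, response))


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password; constructed sample data
        self.nonces = {}        # nonce -> set of nc values already accepted

    def challenge(self):
        """Request 1: answer 401 with a fresh nonce and remember it."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = set()
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, uri, header):
        """Request 2: check Authorization against the saved nonce and real method."""
        auth = parse_authorization(header)
        try:
            user, nonce, nc, cnonce = auth["username"], auth["nonce"], auth["nc"], auth["cnonce"]
            claimed = auth["response"]
        except KeyError:
            return False
        if auth.get("realm") != self.realm or auth.get("uri") != uri:
            return False
        used = self.nonces.get(nonce)
        if used is None or nc in used:
            return False        # unknown/expired nonce, or a replayed nc
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, claimed):
            return False
        used.add(nc)
        return True


def demo():
    password = "correct horse battery staple"   # constructed sample credential
    server = DigestServer("example.org", {"alice": password})
    cnonce = "0a4f113b"                          # constructed client nonce
    results = {}

    chal = server.challenge()                    # request 1: 401, nonce saved server-side
    good = client_authorization("alice", password, chal, "GET", "/secret", cnonce, "00000001")
    results["get_accepted"] = server.verify("GET", "/secret", good)
    results["replay_rejected"] = not server.verify("GET", "/secret", good)

    # Same credentials, but HA2 computed for method "AUTHENTICATE" instead of GET:
    sasl = client_authorization("alice", password, chal, "AUTHENTICATE", "/secret", cnonce, "00000002")
    results["sasl_method_rejected"] = not server.verify("GET", "/secret", sasl)

    # Realm change: a response built from the old realm's HA1 no longer verifies.
    server.realm = "example.org-2008-10-07"
    chal2 = server.challenge()
    stale = client_authorization("alice", password, dict(chal2, realm="example.org"),
                                 "GET", "/secret", cnonce, "00000001")
    results["stale_realm_rejected"] = not server.verify("GET", "/secret", stale)
    fresh = client_authorization("alice", password, chal2, "GET", "/secret", cnonce, "00000001")
    results["new_realm_accepted"] = server.verify("GET", "/secret", fresh)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The four checks in demo() map onto the post's list: the nonce survives between the challenge and the authorization request, the response is bound to the request method (so a SASL-style "AUTHENTICATE" computation never matches a GET), and a realm change invalidates whatever a browser has cached. The nc bookkeeping also rejects a straight replay of a captured header.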


More information about the Cyrus-sasl mailing list