Making digest authentication usable for HTTP

Alexey Melnikov alexey.melnikov at
Fri Oct 10 16:35:19 EDT 2008

Darren Oh wrote:

> My understanding of SASL digest authentication is that it is intended 
> to be compatible with HTTP digest authentication.

In theory yes, but the DIGEST-MD5 is not trying to be compatible with 
Http Digest.
But it can probably be extended to do what you want.

> However, when experimenting with sasl-sample-server I was unable to 
> find some capabilities which are necessary for this purpose:
> • Ability to specify different realms for password file and 
> authentication string.

I know of only 1 realm option. Are you talking about the same thing?

> Internet Explorer and Opera try to reuse old credentials, even after 
> multiple authentication failures. The only way to prevent this is to 
> change the realm.
> • Ability to specify connection method. The default SASL connection 
> method is Authenticate, which is not used by HTTP.

This can be done using sasl_getprop/sasl_setprop API.

> • Ability to save nonce for future requests. Retrieving a nonce value 
> and sending an authorization string by HTTP would be two separate 
> requests.

sasl_getprop/sasl_setprop again. But why do you need to keep server 
nonce constant?

> • Ability to start with client data. After receiving the nonce value, 
> the client sends an authentication string without waiting for a 
> challenge from the server.

I think this functionality is already present.

> I would prefer to use a standard tool for authentication than to 
> create a custom program. Are these abilities present in the Cyrus SASL 
> library?

More information about the Cyrus-sasl mailing list