Posted to modperl@perl.apache.org by Geoffrey Young <ge...@modperlcookbook.org> on 2002/05/23 20:27:45 UTC

[RFC] Apache::DigestAPI

hi all...

   I wanted to present Apache::DigestAPI as an RFC.  the module can be downloaded here for 
trials:

   http://www.modperlcookbook.org/~geoff/modules/Apache-DigestAPI-0.01.tar.gz

basically, Apache::DigestAPI is a release of Recipe 13.8 in the Cookbook - a simple API 
for supporting Digest authentication a la mod_digest.c from the Apache distribution.  it 
follows the same path as the API for Basic authentication that mod_perl supports natively,
providing an API so that you can authenticate using something other than the default 
flat-file method provided by auth_digest.

   keep in mind that the current implementation doesn't work with MSIE, so you'll have to 
use something like Opera or Konqueror (or mozilla now, I hear?) to play around with it.

you can find the entire RFC for Digest authentication here (if you're interested):

   ftp://ftp.isi.edu/in-notes/rfc2617.txt

included with Apache::DigestAPI is a subclass called Apache::DigestAPI::Session.  it is an 
interesting but experimental interface that attempts to use the "nonce" part of the Digest 
authentication scheme to store a unique session identifier (instead of in, say, a cookie). 
  it is experimental because I'm still playing with the interface, digesting RFC 2617, 
looking for possible security holes, and (in general) seeing if it can actually work like 
I think it can.  but it is there if anyone is interested in playing around with it for fun 
and folly.

   anyway, the manpages are pretty sparse for the moment, but I plan on fixing them up 
before a real release.  if anyone is interested in the original explanation of the code 
from the book who doesn't already have it, you can see Recipe 13.8 here:

   http://www.modperlcookbook.org/chapters/13.8.pdf

--Geoff


Re: [RFC] Apache::DigestAPI

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Andrew Ho wrote:

> Hello,
> 
> GY>Apache::DigestAPI is a release of Recipe 13.8 in the Cookbook - a simple
> GY>API for supporting Digest authentication a la mod_digest.c from the
> GY>Apache distribution.
> 
> I think this is a great idea. I'm a huge fan of digest authentication as a
> simple basic authentication replacement, and many modern clients now
> support it. One comment, why the odd name? Shouldn't it be
> Apache::AuthDigest or similar? Every library is an API so it seems kind of
> odd to call it Apache::DigestAPI.


well, it's an API in that it doesn't do anything for you except provide an API.  meaning, 
I'd expect Apache::AuthDigest to work as so:

PerlAuthenHandler Apache::AuthDigest

all this module does is provide methods that parallel $r->get_basic_auth_pw() and 
$r->note_basic_auth_failure - you need to use the methods yourself to build an actual 
authentication mechanism.


> 
> GY>keep in mind that the current implementation doesn't work with MSIE, so
> GY>you'll have to use something like Opera or Konqueror (or mozilla now, I
> GY>hear?) to play around with it.
> 
> MSIE does do digest authentication that works with mod_digest.c. And
> Mozilla past 0.9.7 should do digest authentication.
> 

are you sure?  I can't get it to work right now using MSIE 5.00.31.  in fact, I can 
confirm that Apache sends the 401, but MSIE doesn't even display a dialogue box.  Opera 
works just fine.

when I was researching this for the book, it was my understanding that MSIE requires 
parameters not supplied by mod_digest.c (such as "qop") for its implementation.  some old 
threads on new-httpd on mod_auth_digest.c pointed me in this direction, IIRC.

then there was this recent article:

   http://www.eweek.com/article/0,3658,s=702&a=24177,00.asp

which, even though it seemed to confirm what I had found out, surprised me somewhat, since 
I figured it was old news that MSIE and Apache's "standard" (for lack of a better term) 
Digest implementation didn't play nice together...

--Geoff
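
The reply above mentions the "qop" parameter from RFC 2617. The following is an added example, not part of the thread and not code from Apache::DigestAPI: it shows how a server-side check computes the expected Digest response with and without qop, and that a response built one way does not verify the other way. The function names are made up for the example, and the input is the sample request from RFC 2617, section 3.5.

```perl
use strict; use warnings;
use Digest::MD5 qw(md5_hex);

# Split an "Authorization: Digest ..." value into a hash of lower-cased parameter names.
sub parse_digest {
    my ($header) = @_;
    return unless $header =~ s/^\s*Digest\s+//i;
    my %p;
    while ($header =~ /\G\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*,?/gc) {
        my ($name, $value) = (lc $1, defined $2 ? $2 : $3);
        $value =~ s/\\(.)/$1/g;    # undo quoted-pair escapes
        $p{$name} = $value;
    }
    return \%p;
}

# Response the server expects for these parameters; undef if they are unusable.
sub expected_response {
    my ($p, $method, $password) = @_;
    for (qw(username realm nonce uri)) { return unless defined $p->{$_} }
    my $ha1 = md5_hex(join ':', @{$p}{qw(username realm)}, $password);
    my $ha2 = md5_hex(join ':', $method, $p->{uri});
    return md5_hex(join ':', $ha1, $p->{nonce}, $ha2) unless defined $p->{qop};  # RFC 2069 form
    return unless $p->{qop} eq 'auth' && defined $p->{nc} && defined $p->{cnonce};
    return md5_hex(join ':', $ha1, @{$p}{qw(nonce nc cnonce qop)}, $ha2);        # RFC 2617 form
}

# Check the client's response against the expected one without an early-exit compare.
sub verify {
    my ($header, $method, $password) = @_;
    my $p    = parse_digest($header) or return 0;
    my $want = expected_response($p, $method, $password);
    my ($got, $diff) = (lc($p->{response} // ''), 0);
    return 0 unless defined $want && length($got) == length($want);
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed input: the request from the worked example in RFC 2617, section 3.5.
my $with_qop = q{Digest username="Mufasa", realm="testrealm@host.com",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth,
    nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"};
my @cred = ('GET', 'Circle Of Life');    # method and password from the same RFC example
# The same header with the qop fields removed, as sent when the server offered no qop.
(my $no_qop = $with_qop) =~ s/\b(?:qop|nc|cnonce)=[^,]+,\s*//g;
my $legacy = expected_response(scalar parse_digest($no_qop), @cred);
(my $fixed = $no_qop) =~ s/response="[^"]*"/response="$legacy"/;
printf "qop=auth: %d  qop fields dropped: %d  recomputed without qop: %d\n",
    verify($with_qop, @cred), verify($no_qop, @cred), verify($fixed, @cred);
```

A production check would also validate the nonce and track the nc counter, which this example leaves out.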


Re: [RFC] Apache::DigestAPI

Posted by Andrew Ho <an...@tellme.com>.

Hello,

GY>Apache::DigestAPI is a release of Recipe 13.8 in the Cookbook - a simple
GY>API for supporting Digest authentication a la mod_digest.c from the
GY>Apache distribution.

I think this is a great idea. I'm a huge fan of digest authentication as a
simple basic authentication replacement, and many modern clients now
support it. One comment, why the odd name? Shouldn't it be
Apache::AuthDigest or similar? Every library is an API so it seems kind of
odd to call it Apache::DigestAPI.

GY>keep in mind that the current implementation doesn't work with MSIE, so
GY>you'll have to use something like Opera or Konqueror (or mozilla now, I
GY>hear?) to play around with it.

MSIE does do digest authentication that works with mod_digest.c. And
Mozilla past 0.9.7 should do digest authentication.

Humbly,

Andrew

----------------------------------------------------------------------
Andrew Ho               http://www.tellme.com/       andrew@tellme.com
Engineer                   info@tellme.com          Voice 650-930-9062
Tellme Networks, Inc.       1-800-555-TELL            Fax 650-930-9101
----------------------------------------------------------------------