Comments on: AtomAPI and Authentication

By: Kevin Burton

Kevin Burton — Mon, 01 Sep 2003 23:32:34 +0000

In Apache2 things are much easier to support. Digest authentication is an integral part of the build now.

One downside is that some packages don't enable digest by support nor do they enable .htaccess.

I do agree however that if you can control X-Atom-Authenticated (or whatever header it is) that you can use digest authentication and probably should.

Most decent providers will allow you to tweak .htaccess before they give you access to some servlet or CGI impl.

Another thing to note is that Java does a pretty damn good job of supporting Digest auth if you know what you are doing.

Kevin

By: Greg Reinacker

Greg Reinacker — Wed, 27 Aug 2003 20:02:05 +0000

Keep in mind that we’re completely bypassing the IIS digest implementation, so info you find there isn’t necessarily relevant.

Hmm…a quick read of RFC 2617 indicates that MD5 is the only supported hash algorithm. So that explains why clients wouldn’t understand it with SHA1.

As to why you’re getting a server error, I’m guessing it’s configuration-related…you’d need to run in the debugger to figure out what’s going on. I’d do it, but unfortunately I don’t have time at the moment… :-(

By: Sergio

Sergio — Wed, 27 Aug 2003 19:02:53 +0000

Sure, with MD5 hash all works like a charm ! My IIS even not has Digest turned on. In rfc2617 there is nothing telling what kind of hash to use and I read here(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_advdigestauth.asp)

a suggest that IIS uses MD5 internally to compute hash. Maybe ?

By: Greg Reinacker

Greg Reinacker — Wed, 27 Aug 2003 17:36:36 +0000

Hmm…did you get the original code working first? You need to disable digest in IIS for this code to work at all…

By: Sergio

Sergio — Wed, 27 Aug 2003 15:11:48 +0000

Oh, the 500 error you get if you code a HTTPWebRequest and pass credentials to SHA1 Digest. The 500 says ‘SHA1 not supported’

By: Sergio

Sergio — Wed, 27 Aug 2003 15:09:45 +0000

Hi, Greg, about IIS/SHA1 issue : if I change the algorithm to SHA1 the server returns a 500 Error. Try this : inside EndRequest change algorithm to SHA (or SHA1, I tried both). You cannot login !

By: Greg Reinacker

Greg Reinacker — Tue, 26 Aug 2003 04:43:02 +0000

Joe, I think it’s fairly common. I used to be hosted at Innerhost and later Interland, and in both cases I was able to get other authentication modes turned off on certain directories and get my implementation working there…

By: Joe

Joe — Tue, 26 Aug 2003 04:29:45 +0000

Greg,

I don’t know enough about IIS in the wild, is it common for hosting sites to turn all authentication but anonymous off?

BTW, I think it’s awesome that you’re releasing a .Net implemenation of Digest! I think the more we work to raise awareness of the lack of good authentication in most hosting situations, the faster the situation will improve.

By: Greg Reinacker

Greg Reinacker — Mon, 25 Aug 2003 22:32:42 +0000

I don’t think I understand exactly what you’re asking…can you be more specific?

By: Sergio

Sergio — Mon, 25 Aug 2003 21:12:55 +0000

I didn’t make myself clear : I do know how to hack GetMD5HashBinHex. What I meant is how to change the response from IIS. Am I saying something really stupid ?