Proxy HTTP digest authentication request to LDAP server
Recently we've been working on a project that integrates our Tomcat web server with a couple of specific services on a mobile device. One of the things we can do during our interaction with the device (which is over HTTP) is get the device to prompt the user for credentials. After the user has entered their credentials, our server receives an HTTP POST that contains the standard HTTP digest authentication headers (Authorization header with nonce, realm, response, etc.). No big surprises there.

Our server (by design) doesn't actually contain the passwords for any users. We keep a SHA512 hash of their password. For local users we can start to store the MD5 of the "username:realm:password" when they log in to the application. Is that a common way of dealing with digest auth when you don't store the password?

More importantly, we interact with LDAP servers via some JNDI code we've written for authentication. Because the device is forced to authenticate with our server via HTTP and digest is the only supported authorization method, we can't really seem to find a way to use the digest response to authenticate the user via LDAP. Conceptually it doesn't really seem right that you would be able to "proxy" a digest request either. Is there a workflow out there that would allow for this type of "pass through" authentication, and if so, is it even a good idea?

Thanks!

Kaleena answered 4/1, 2014 at 18:42 Comment(0)
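The scheme the question describes, keeping only MD5(username:realm:password) (the "HA1" value of RFC 2617) rather than the password, is the storage model Digest authentication was designed around: the server can check every later response from HA1 alone. The following is an added example, not code from the original post, that walks through both sides of one exchange. The realm, the user "alice", the passwords and the request URI are constructed values; the server object holds HA1 only, never the password, which is also why the same stored value cannot be turned back into a cleartext password for an LDAP bind.

```python
import hashlib
import hmac
import re
import secrets

# Added example (not code from the original post): verifying HTTP Digest
# authentication (RFC 2617, qop="auth", MD5) using only a stored HA1 value.
# The realm, users, passwords and nonces below are constructed for illustration.

REALM = "example.com"   # assumed realm; the device must be offered this exact realm


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). Store this at enrolment instead of the
    password; it is all the server needs to check later digest responses."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop):
    """The 'response' value the client must send for these parameters (RFC 2617 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and unquoted values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


class DigestVerifier:
    """Server side: issues nonces, keeps HA1 per user, checks Authorization headers."""

    def __init__(self, ha1_by_user: dict):
        self.ha1_by_user = ha1_by_user      # username -> HA1, no passwords anywhere
        self.issued_nonces = set()

    def challenge(self) -> str:
        """Value for the WWW-Authenticate header; the nonce is remembered for checking."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, header: str) -> bool:
        try:
            p = parse_authorization(header)
            user, nonce = p["username"], p["nonce"]
            if p["realm"] != REALM or p["qop"] != "auth":
                return False
            if nonce not in self.issued_nonces:
                return False                  # nonce we never issued, or already consumed
            ha1 = self.ha1_by_user.get(user)
            if ha1 is None:
                return False
            expected = expected_response(ha1, method, p["uri"], nonce, p["nc"], p["cnonce"], "auth")
            ok = hmac.compare_digest(expected, p["response"])
        except (KeyError, ValueError):
            return False                      # malformed header: missing parameter or wrong scheme
        if ok:
            self.issued_nonces.discard(nonce)  # one-shot nonce: the same header cannot be replayed
        return ok


def client_authorization(challenge: str, username: str, password: str, method: str, uri: str) -> str:
    """What the device does with the real password: build the Authorization header."""
    c = parse_authorization(challenge)
    cnonce, nc = secrets.token_hex(8), "00000001"
    ha1 = make_ha1(username, c["realm"], password)
    resp = expected_response(ha1, method, uri, c["nonce"], nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def demo() -> tuple:
    """Enrol one user, then: wrong password, correct password, replay of the correct header."""
    server = DigestVerifier({"alice": make_ha1("alice", REALM, "correct horse")})
    chal = server.challenge()
    bad = client_authorization(chal, "alice", "wrong password", "POST", "/login")
    good = client_authorization(chal, "alice", "correct horse", "POST", "/login")
    wrong = server.verify("POST", bad)      # response mismatch, nonce stays valid
    first = server.verify("POST", good)     # matches HA1-derived expectation
    replay = server.verify("POST", good)    # same header again: nonce already consumed
    return wrong, first, replay             # (False, True, False)


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the nonce check, so that a captured Authorization header cannot be presented a second time, and the constant-time comparison of the response value. Note also that `DigestVerifier` never sees a password at any point, which is exactly what makes the digest response unusable as a credential for a downstream LDAP simple bind.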
One approach could be using simple authentication over HTTPS between the client and your server, then using the password against the LDAP server. You don't need to store the password, as it will be provided by the client on each login. For instance, you may verify the password against the stored SHA512(password), and then pass the clear password to the LDAP server.

If you cannot use HTTPS, or the server is not trusted for knowing the password, things are more complicated, because you cannot compute the SASL response from the provided MD5 digest (unless the LDAP server uses the DIGEST-MD5 mechanism, which is obsolete). In that case, you could proxy the whole SASL authentication exchange between the LDAP server and your client, and have the client send the responses via AJAX. Then, knowledge of the password will be restricted to the client.

Denison answered 16/1, 2014 at 11:5 Comment(3)
Thanks for the input. Right now the only method of authentication supported by the mobile device is digest. The device essentially ignores what we put in "WWW-Authenticate" if it's not Digest. So using simple (basic?) authentication over HTTPS isn't an option. The suggestion to proxy the SASL authentication exchange is something we'd be interested in. We have only started to dig into SASL in the last few days. Do you have any more resources that could help start our research? - Kaleena
If the device supports HTTPS, you may send the password by POST instead of using the HTTP authentication mechanism. For the other approach, it seems there are JavaScript SASL implementations, but I haven't tried any. - Denison
Sadly we cannot control how the device communicates with us. We're interacting with a service on the device via an API. So implementing a JavaScript front end won't do us much good. And there's no way we can modify the behavior of the device to POST us the password. - Kaleena
