
Auth by DIGEST

Tridib Samanta
Ranch Hand

Joined: Apr 28, 2004
Posts: 128
All data between the client and the server is encrypted.

Is the above statement true when you are using DIGEST? The answer says it's false. But, according to the servlet spec:

Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user
based on a username and a password. However the authentication is performed by
transmitting the password in an encrypted form which is much more secure than the
simple base64 encoding used by Basic Authentication,

Thanks, Tridib
SCJP 1.4, SCWCD 1.4, SCBCD 5.0
Nitesh Kant

Joined: Feb 25, 2007
Posts: 1638

I don't think "all" the data between client and server is encrypted. Digest auth just doesn't pass the password as clear text/base64-encoded. Quoting the purpose of Digest access authentication as per Section 3.1.1 of RFC 2617:

The protocol referred to as "HTTP/1.0" includes the specification for
a Basic Access Authentication scheme[1]. That scheme is not
considered to be a secure method of user authentication, as the user
name and password are passed over the network in an unencrypted form.
This section provides the specification for a scheme that does not
send the password in cleartext, referred to as "Digest Access

The Digest Access Authentication scheme is not intended to be a
complete answer to the need for security in the World Wide Web. This
scheme provides no encryption of message content. The intent is
simply to create an access authentication method that avoids the most
serious flaws of Basic authentication.

This link contains the RFC

apigee, a better way to API!
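An added example, not part of the original posts: the RFC 2617 `qop=auth` response computed in Python with the sample values from RFC 2617 section 3.5, showing that the password is hashed rather than encrypted and that the request body still travels in the clear. The host name, the POST URI and the body are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for qop=auth (a keyed hash, not encryption)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # the secret part, never sent
    ha2 = md5_hex(f"{method}:{uri}")                 # covers method and URI only
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_request(p, body):
    """Request text as it appears on the wire when no TLS is used."""
    auth = (f'Digest username="{p["username"]}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{p["uri"]}", qop={p["qop"]}, '
            f'nc={p["nc"]}, cnonce="{p["cnonce"]}", '
            f'response="{digest_response(**p)}"')
    return (f'{p["method"]} {p["uri"]} HTTP/1.1\r\n'
            f'Host: example.test\r\n'              # constructed host name
            f'Authorization: {auth}\r\n'
            f'Content-Length: {len(body)}\r\n\r\n{body}')

def server_accepts(p, claimed_response):
    """The server recomputes the hash from its own copy of the password."""
    return hmac.compare_digest(digest_response(**p), claimed_response)

# Sample values from RFC 2617 section 3.5.
SAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
              password="Circle Of Life", method="GET", uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
              nc="00000001", cnonce="0a4f113b", qop="auth")

# Constructed POST with a sensitive-looking body, same credentials.
POST_SAMPLE = dict(SAMPLE, method="POST", uri="/transfer")
BODY = "account=12345&amount=100"

if __name__ == "__main__":
    wire = build_request(POST_SAMPLE, BODY)
    print(wire)
    print("password visible on the wire:", SAMPLE["password"] in wire)
    print("body visible on the wire:    ", BODY in wire)
```

Only the `response` hash stands in for the password; everything else in the request, including the body, is readable by anyone on the path unless the connection itself is protected with TLS.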
Tridib Samanta
Ranch Hand

Joined: Apr 28, 2004
Posts: 128
Thanks Nitesh!