Proxy HTTP digest authentication request to LDAP server

Recently we've been working on a project that integrates our Tomcat web server with a couple of specific services on a mobile device. One of the things we can do during our interaction with the device (which is over HTTP) is get the device to prompt the user for credentials. After the user has entered their credentials, our server receives an HTTP POST that contains the standard HTTP digest authentication headers (Authorization header with nonce, realm, response, etc.). No big surprises there.

Our server (by design) doesn't actually contain the passwords for any users. We keep a SHA512 hash of their password. For local users we can start to store the MD5 of the "username:realm:password" when they log in to the application. Is that a common way of dealing with digest auth when you don't store the password?

More importantly we interact with LDAP servers via some JNDI code we've written for authentication. Because the device is forced to authenticate with our server via http and digest is the only supported authorization method, we can't really seem to find a way to use the digest response to authenticate the user via LDAP. Conceptually it doesn't really seem right that you would be able to "proxy" a digest request either. Is there a workflow out there that would allow for this type of "pass through" authentication and if so is it even a good idea?

Thanks!


One approach could be using simple authentication over HTTPS between the client and your server, then using the password against the LDAP server. You don't need to store the password, as it will be provided by the client on each login. For instance, you may verify the password against the stored SHA512(password), and then pass the clear password to the LDAP server.

If you cannot use HTTPS, or the server is not trusted for knowing the password, things are more complicated, because you cannot compute the SASL response from the provided MD5 digest (unless the LDAP server uses the DIGEST-MD5 mechanism, which is obsolete). In that case, you could proxy the whole SASL authentication exchange between the LDAP server and your client, and have the client send the responses via AJAX. Then, knowledge of the password will be restricted to the client.
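As an added example (not code from the question or the answer), here is how a server can verify an HTTP Digest response using only a stored HA1 = MD5(username:realm:password), the scheme the question proposes for local users; the realm, usernames, nonces and the Authorization header are constructed for the example. It also shows the limit the answer points at: the server can check the response, but it never sees the password, so there is nothing to forward to LDAP.

```python
import hashlib
import hmac
import re

REALM = "example-realm"  # constructed realm for the example

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1_for_storage(username: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(username:realm:password). Store this instead of the password;
    it lets you verify Digest responses but does not reveal the password."""
    return md5_hex(f"{username}:{realm}:{password}")

def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}

def expected_response(ha1: str, method: str, p: dict) -> str:
    """RFC 2617 response; nonce, nc and cnonce are taken from the parsed header."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")  # RFC 2069-style, no qop

def verify_digest(header: str, method: str, ha1_lookup, issued_nonces: set) -> bool:
    """Server side: accept only nonces we issued, then compare in constant time."""
    p = parse_authorization(header)
    if p.get("realm") != REALM or p.get("nonce") not in issued_nonces:
        return False  # wrong realm, or a nonce we never issued (replay/forgery)
    ha1 = ha1_lookup(p.get("username", ""))
    if ha1 is None:
        return False  # unknown user
    return hmac.compare_digest(expected_response(ha1, method, p), p.get("response", ""))

def client_authorization(username, password, method, uri, nonce, cnonce, nc="00000001"):
    """What the device sends back (constructed here to exercise the verifier)."""
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = expected_response(ha1_for_storage(username, password), method, p)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

if __name__ == "__main__":
    store = {"alice": ha1_for_storage("alice", "s3cret")}  # constructed user
    hdr = client_authorization("alice", "s3cret", "POST", "/login", "n1", "c1")
    print(verify_digest(hdr, "POST", store.get, {"n1"}))  # True
```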
