added support for Digest Auth

2007-08-21 @ 01:20

i finally added support for Digest Auth to the exyus framework tonight. went pretty well. i had to hack up some of my existing user/password code to make it fit into the Digest pattern, but it's all cool. it tests well in MSIE7, FF, & Safari for Windows. I've not had a chance to test it w/ Opera or MSIE6, but it should be fine.

one thing that bothers me a bit is that WFetch doesn't authenticate against my Digest implementation. worse, it falls into an endless loop attempting to authenticate. this can be pretty bad, eh? i tested WGET and curl against my implementation and they both worked fine. so i suspect it's a problem w/ WFetch. but, if this *can* happen, i need to make sure my site can't get caught in some odd-ball DDOS pattern due to my attempts to improve security!

Now that i have both Basic and Digest support, i need to modify my code to allow clients to select the auth format they wish. for example, try Digest; if that fails, try Basic; if that fails, give up. not sure of all that, but i'm checking into it.

anyway, i'll be beating up the Digest Auth for a while and hope to post it live this coming weekend. will be nice to move beyond Basic Auth. next up - WSSE!

Updated 2007-08-21

did the right thing and re-read RFC2617 on HTTP Authentication. right there it sez you can pass clients multiple WWW-Authenticate headers and allow the client to decide which scheme to use. of course, they caution *against* Basic Auth (clear-text password, wider attack surface, etc.). but, for now, i'm allowing both Digest and Basic auth. and i'm listing Digest first. i'll continue to beat this up for a while, but it all looks pretty good.
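to make the RFC2617 bit concrete, here is an added Python sketch of the server side of what the post describes (this is not exyus code; the realm, user, password and nonce values are constructed for the demo): the 401 carries two WWW-Authenticate headers with Digest listed first, and the Authorization reply is checked for whichever scheme the client picked.

```python
import base64, hashlib, hmac, re

REALM = "exyus"                    # constructed realm name
USERS = {"alice": "s3cret"}        # constructed credential store (demo only)

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def challenge_headers(nonce):
    """401 response: two WWW-Authenticate headers, Digest first (RFC 2617 lets the client choose)."""
    return [("WWW-Authenticate", f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'),
            ("WWW-Authenticate", f'Basic realm="{REALM}"')]

def parse_digest(params):
    """Turn 'k="v", k=v, ...' into a dict; quoted and bare values are both allowed."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def digest_response(user, password, method, uri, p):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def client_authorization(user, password, method, uri, nonce, cnonce, nc="00000001"):
    """What a conforming client (curl, wget) sends back after the Digest challenge."""
    p = {"nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = digest_response(user, password, method, uri, p)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def verify(method, uri, auth_header, current_nonce):
    """Server-side check of an Authorization header for either scheme the server advertised."""
    scheme, _, rest = auth_header.partition(" ")
    if scheme == "Basic":
        user, _, pw = base64.b64decode(rest).decode().partition(":")
        return hmac.compare_digest(USERS.get(user, "").encode(), pw.encode())
    if scheme != "Digest":
        return False
    p = parse_digest(rest)
    # Reject foreign/stale nonces and realm/uri/qop mismatches before touching the password.
    if p.get("realm") != REALM or p.get("nonce") != current_nonce or p.get("qop") != "auth":
        return False
    if p.get("uri") != uri or not all(k in p for k in ("username", "nc", "cnonce", "response")):
        return False
    pw = USERS.get(p["username"])
    if pw is None:
        return False
    return hmac.compare_digest(digest_response(p["username"], pw, method, uri, p), p["response"])
```

a client that loops like WFetch did would keep hitting the 401 path here; the nonce check is what keeps a replayed Authorization header from ever succeeding.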
