users@jersey.java.net

Re: [Jersey] Secure digest authentication with jersey client + jersey on HttpServer ?

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Mon, 20 Jul 2009 13:21:46 +0200

Hi Morten,

Unfortunately Jersey does not have a server side HTTP Digest filter.
We tend to rely on the underlying container for such features. Perhaps
someone else on this list has a solution, but if not you might want to
consider switching to a different HTTP container that has such support
if you do not want to write your own filter.

Paul.

On Jul 20, 2009, at 1:02 PM, Morten wrote:

> Apparently Jersey client and Jersey running on Java6's
> com.sun.net.httpserver.HttpServer only provide out of the box
> support for basic authentication. Unfortunately, basic
> authentication is outdated and INSECURE as passwords are sent in the
> clear over the wire!
>
> Instead I would like to use the much more secure HTTP Digest access
> authentication which is based on nonces instead of passwords and
> works with plain sockets (SSL not necessary). This digest scheme is
> generally recommended to use instead of basic authentication (SSL is
> not an option for me as I am developing an internal application
> intranet where signed SSL certificates are not applicable).
>
> Anyone out there with a solution for digest authentication which
> works with Jersey running on Java6's HttpServer and also working
> with Jersey client (on top of Apache HttpClient)?
>
> Cheers,
> Morten
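
Writing your own filter, as the reply above mentions, could take the following shape for the JDK's built-in HttpServer. This is an added example, not code from Jersey or from anyone in this thread; the class name `DigestAuthenticator`, the user-to-HA1 map and the five-minute nonce lifetime are assumptions, and it covers only RFC 2617 MD5 with `qop=auth`.

```java
import com.sun.net.httpserver.*;
import java.math.BigInteger;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.*;
import static java.nio.charset.StandardCharsets.ISO_8859_1;
// Added example (hypothetical class): server-side Digest check with nonce expiry and replay rejection.
public class DigestAuthenticator extends Authenticator {
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))");
    private static final long NONCE_TTL_MS = 5 * 60 * 1000;  // assumed lifetime
    private final String realm;
    private final Map<String, String> ha1ByUser;  // user -> hex MD5("user:realm:password")
    private final Map<String, long[]> nonces = new ConcurrentHashMap<>();  // nonce -> {issuedAt, lastNc}
    private final SecureRandom rng = new SecureRandom();
    public DigestAuthenticator(String realm, Map<String, String> ha1ByUser) {
        this.realm = realm; this.ha1ByUser = ha1ByUser;
    }
    static String md5(String s) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(ISO_8859_1));
        return String.format("%032x", new BigInteger(1, d));
    }
    @Override public Result authenticate(HttpExchange ex) {
        long now = System.currentTimeMillis();
        try {
            Map<String, String> p = new HashMap<>();
            String h = String.valueOf(ex.getRequestHeaders().getFirst("Authorization"));
            for (Matcher m = PARAM.matcher(h); h.regionMatches(true, 0, "Digest ", 0, 7) && m.find(); )
                p.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
            String user = p.getOrDefault("username", ""), ha1 = ha1ByUser.get(user);
            long[] n = nonces.get(String.valueOf(p.get("nonce")));
            long nc = Long.parseLong(p.get("nc"), 16);  // throws if absent or malformed
            String want = md5(ha1 + ":" + p.get("nonce") + ":" + p.get("nc") + ":" + p.get("cnonce")
                    + ":auth:" + md5(ex.getRequestMethod() + ":" + p.get("uri")));
            boolean ok = ha1 != null && n != null && "auth".equals(p.get("qop"))
                    && ex.getRequestURI().toString().equals(p.get("uri")) && now - n[0] < NONCE_TTL_MS
                    && MessageDigest.isEqual(want.getBytes(ISO_8859_1), p.getOrDefault("response", "").getBytes(ISO_8859_1));
            if (ok) synchronized (n) {  // nc must increase under one nonce: a replayed request is refused
                if (nc > n[1]) { n[1] = nc; return new Success(new HttpPrincipal(user, realm)); }
            }
        } catch (GeneralSecurityException | NumberFormatException e) { /* fall through to a new challenge */ }
        nonces.values().removeIf(v -> now - v[0] > NONCE_TTL_MS);  // drop expired nonces
        String nonce = new BigInteger(128, rng).toString(16);
        nonces.put(nonce, new long[] {now, 0});
        ex.getResponseHeaders().set("WWW-Authenticate",
                "Digest realm=\"" + realm + "\", qop=\"auth\", nonce=\"" + nonce + "\"");
        return new Retry(401);
    }
}
```

It attaches to a context through `HttpContext.setAuthenticator(...)`. Digest keeps the password itself off the wire, but request and response bodies still travel unencrypted without TLS, and the stored HA1 values are password-equivalent for this realm.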