Digest Authentication and Rest


bca...@gmail.com

Dec 30, 2008, 1:58:08 PM12/30/08
to cfrest
I wanted to get input from this group on the subject of HTTP Digest
authentication as it pertains to ColdFusion and Rest. You'll notice
that support for Digest Authentication is markedly absent from the
0.8.5 version of PowerNap - and before I tackle this component, I was
curious as to your thoughts on that aspect of a Rest security model.
I suppose a more focused set of questions would be:

1. Have either of you previously implemented digest authentication in
ColdFusion for any type of application, Rest or not?
2. If so, what were the challenges that you encountered?
3. As it relates to a Rest framework - in this case PowerNap, how
would you like to see HTTP digest authentication support implemented?

websolete

Dec 30, 2008, 2:19:15 PM12/30/08
to cfrest
As far as I know, CFHTTP still doesn't support anything other than
basic auth. Using that (perhaps incorrectly) as a yardstick, I think
I'd have to advocate basic + https rather than digest auth.

How would you implement? I suppose you could just drop down into Java
and pull it off, but seems like a lot of workaround when an https
connection should satisfy much of the plain-text concern. However,
never having used digest auth in any application to date, or needing
to integrate with another system that did, take it with a grain of
salt. I've pretty much just used basic auth, basic + https, ldap
(simply as an authentication authority to a basic auth frontend), and
Siteminder (which would be wholly unsuitable for REST operations).

bca...@gmail.com

Dec 30, 2008, 2:32:23 PM12/30/08
to cfrest
Wow - I'm honestly a little red in the face, I had no idea that CF did
not natively support digest auth. Although that certainly explains
the challenge that it's been to find information on the subject
(related to CF). Thanks for the response and I am in agreement in
that basic over https is a simple and effective solution to Rest
security.

Brian G

Dec 31, 2008, 4:16:56 PM12/31/08
to cfrest

On Dec 30, 11:32 am, bcar...@gmail.com wrote:
> (related to CF).  Thanks for the response and I am in agreement in
> that basic over https is a simple and effective solution to Rest
> security.

HTTPS is good except for the overhead (which may or may not be a big
deal any more these days). I started to write that I couldn't believe
that JRun didn't support digest auth under the sheets but in looking
at the docs, it does say at least JRun 3.0 does not support it.
Weak!

I personally am using simple tokens right now. I've set up a
radius-like 'secret' that both sides could use to hash some of the
parameters to prevent tampering, but I'm trying to keep things simple to start.

You might also explore having your web server perform the
authentication... via mod_radius, mod_ldap, mod_auth_postgres,
mod_auth_mysql, mod_auth_*, you could have a farm of Apache servers
performing the digest authentication without bringing ColdFusion into
the mix. I recognize you might want to use that information to handle
authorization but it's an idea.


Brian
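The "shared secret that both sides use to hash some of the parameters" scheme Brian describes is, in current terms, HMAC request signing. The block below is an added example written for this thread in Python, not code from Brian, PowerNap or any poster; the key id, secret, clock value and request parameters are constructed for the example. It shows the pieces that make the idea hold up against tampering and replay: a canonical string both sides build identically, HMAC-SHA256 under the shared secret, a constant-time comparison on the server, a clock-skew window, and a nonce cache.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode


def canonical_string(method, path, params, timestamp, nonce):
    """The exact text both sides hash: method, path, sorted query params, timestamp, nonce."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items())), str(timestamp), nonce])


def sign_request(secret: bytes, method, path, params, timestamp: int, nonce: str) -> str:
    """Client side: HMAC-SHA256 over the canonical string with the shared secret."""
    msg = canonical_string(method, path, params, timestamp, nonce).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server side: per-client secrets, a clock-skew window, and a nonce cache against replay."""

    def __init__(self, secrets_by_key_id, max_skew=300, now=time.time):
        self.secrets = secrets_by_key_id   # key_id -> secret bytes (constructed for the example)
        self.max_skew = max_skew           # seconds a timestamp may differ from server time
        self.now = now                     # injectable clock so the behaviour is testable
        self.seen = {}                     # nonce -> timestamp, for replay detection

    def verify(self, key_id, method, path, params, timestamp, nonce, signature) -> bool:
        secret = self.secrets.get(key_id)
        if secret is None:
            return False
        if abs(self.now() - timestamp) > self.max_skew:
            return False  # stale or future-dated request
        if nonce in self.seen:
            return False  # replay of a request already accepted
        expected = sign_request(secret, method, path, params, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # a covered part was altered, or the wrong secret was used
        self.seen[nonce] = timestamp
        cutoff = self.now() - self.max_skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}  # forget nonces outside the window
        return True


# Constructed sample: one client key, a fixed clock, one GET with two parameters.
SECRETS = {"client-1": b"constructed-shared-secret"}
FIXED_NOW = 1230666000


def demo():
    verifier = SignatureVerifier(SECRETS, now=lambda: FIXED_NOW)
    params = {"status": "open", "page": "2"}
    sig = sign_request(SECRETS["client-1"], "GET", "/tickets", params, FIXED_NOW, "nonce-0001")
    stale_ts = FIXED_NOW - 3600
    stale_sig = sign_request(SECRETS["client-1"], "GET", "/tickets", params, stale_ts, "nonce-0003")
    return {
        "valid": verifier.verify("client-1", "GET", "/tickets", params, FIXED_NOW, "nonce-0001", sig),
        "replay": verifier.verify("client-1", "GET", "/tickets", params, FIXED_NOW, "nonce-0001", sig),
        "tampered": verifier.verify("client-1", "GET", "/tickets", {"status": "closed", "page": "2"},
                                    FIXED_NOW, "nonce-0002", sig),
        "stale": verifier.verify("client-1", "GET", "/tickets", params, stale_ts, "nonce-0003", stale_sig),
    }


if __name__ == "__main__":
    print(demo())
```

The signature only protects what the canonical string covers, so anything the server acts on (method, path, every parameter) has to be in it; the timestamp and nonce are what turn a plain tamper check into replay protection. Note that this signs the request but does not hide it, which is why the basic + https advice earlier in the thread still applies.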

Ben Arledge

Jan 12, 2009, 4:17:36 PM1/12/09
to cfrest
I'm having a difficult time trying to get RETS to work with CF, and I
believe it is because I need to use Digest Authentication. Have any
of you ever worked with a RETS system?

Brian G

Jan 12, 2009, 4:31:18 PM1/12/09
to cfrest

On Jan 12, 1:17 pm, Ben Arledge <barle...@gmail.com> wrote:
> I'm having a difficult time trying to get RETS to work with CF, and I
> believe it is because I need to use Digest Authentication.  Have any
> of you ever worked with a RETS system?

Ben, CFHTTP doesn't support Digest Authentication but there is a
timely post with code from Terrance Ryan on the subject:
http://www.terrenceryan.com/blog/index.cfm/2009/1/8/Digest-Authentication-in-ColdFusion

HTH,

Brian
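For anyone weighing the work of adding Digest support to a Rest framework, the mechanism itself is small. The block below is an added example in Python, not Terrence Ryan's ColdFusion code or anything from PowerNap: it computes the RFC 2617 qop="auth" response on the client side, and on the server side verifies it while storing only HA1 (never the password), accepting only nonces the server issued, and rejecting a repeated nonce count. The realm, nonce, user and password are the sample values from RFC 2617 section 3.5, so the resulting response value can be checked against the RFC.

```python
import hashlib
import hmac
import re


def md5_hex(text: str) -> str:
    # Digest auth as specified in RFC 2617 is defined over MD5 hex digests.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_params(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...'; WWW-Authenticate and Authorization share this grammar."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)}


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 is all the server needs to keep; it can be stored in place of the password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # qop="auth" form: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, password, method, uri, challenge, cnonce, nc="00000001"):
    """Client side: answer a WWW-Authenticate challenge with an Authorization header."""
    p = parse_digest_params(challenge)
    resp = digest_response(ha1(username, p["realm"], password), method, uri, p["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DigestVerifier:
    """Server side: stores HA1 per user, accepts only nonces it issued, rejects replayed nonce counts."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}        # username -> HA1
        self.live_nonces = {}  # nonce -> highest nc accepted so far

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def issue_nonce(self, nonce: str) -> None:
        # A real server would generate this randomly per challenge and expire it.
        self.live_nonces[nonce] = 0

    def verify(self, authorization: str, method: str) -> bool:
        try:
            p = parse_digest_params(authorization)
            nonce, nc = p["nonce"], int(p["nc"], 16)
            username, uri, cnonce, response = p["username"], p["uri"], p["cnonce"], p["response"]
        except (ValueError, KeyError):
            return False
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        if nonce not in self.live_nonces or nc <= self.live_nonces[nonce]:
            return False  # a nonce we never issued, or a replayed nonce count
        h1 = self.users.get(username)
        if h1 is None:
            return False
        expected = digest_response(h1, method, uri, nonce, p["nc"], cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.live_nonces[nonce] = nc
        return True


# Challenge built from the RFC 2617 section 3.5 sample values (user "Mufasa", password "Circle Of Life").
RFC_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def demo():
    server = DigestVerifier("testrealm@host.com")
    server.add_user("Mufasa", "Circle Of Life")
    server.issue_nonce("dcd98b7102dd2f0e8b11d0f600bfb0c093")
    auth = build_authorization("Mufasa", "Circle Of Life", "GET", "/dir/index.html",
                               RFC_CHALLENGE, cnonce="0a4f113b")
    first = server.verify(auth, "GET")   # accepted
    replay = server.verify(auth, "GET")  # same nonce and nc presented again: rejected
    return auth, first, replay


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the thread's "it's just hashing" framing hides: the server must track which nonces it issued and the nonce count per nonce, or the scheme gives no replay protection; and because the response is bound to the method and URI, a header captured for one request does not validate for another. What Digest does not give you is confidentiality of the request body or URL, which is why basic + https remains the simpler recommendation unless a peer system (such as the RETS servers mentioned above) requires Digest.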

Ben Arledge

Jan 12, 2009, 5:10:58 PM1/12/09
to cfrest
Thanks Brian. I saw that one a few days ago and I'll admit I'm a
little intimidated. I'm lazy so I was hoping someone might have done
some work with RETS and have something more portable. :) I'll give
it a shot.
> timely post with code from Terrance Ryan on the subject:http://www.terrenceryan.com/blog/index.cfm/2009/1/8/Digest-Authentica...
>
> HTH,
>
> Brian