
Monday, April 2, 2018

Setting up HTTP Digest Authentication



- Layout for this exercise:



- While HTTP Basic Authentication exchanges "username:password" in plain text, merely encoded with Base64, HTTP Digest Authentication sends an MD5 hash computed from the credentials instead of the credentials themselves.

- In future posts we'll see how the MD5 is crafted by the Apache server. For now, more information about HTTP Digest Authentication is available here:

https://en.wikipedia.org/wiki/Digest_access_authentication


- Let's set up HTTP Digest Authentication on the Apache web server for the folder "digestauth", located in the web root folder "/var/www/html/":

- First of all, the mod_auth_digest module must be installed:



- The utility htdigest creates a file (in this case it is a hidden file named .htdigest) used by Apache to establish the credentials. Three parameters are provided by the user:

     realm: whitelist_authority
     username: admin
     password: ababa



- Checking the content of the hidden file .htdigest:



- Adding some directives to the virtual host configuration file, located at "/etc/apache2/sites-enabled/000-default.conf":



- Note that the directives are specified for the folder "/digestauth", providing its whole path. Also, AuthName must match the realm provided for .htdigest, in this case "whitelist_authority":




- Restarting the web server:



- Checking that the configuration is correct:



- Checking the status of the server:




- Now, if bad credentials are provided, the server answers with the Unauthorized message:





- However, after authenticating with the correct credentials, the web resource is accessible.
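
The .htdigest entry format and the AuthName/realm match described above, as an added example that is not from the original post: it computes the `user:realm:MD5(user:realm:password)` line that htdigest stores and checks it against a constructed virtual host fragment. The function names, the temporary files and the `AuthUserFile` path are assumptions made for the illustration.

```bash
# htdigest stores one line per user: user:realm:MD5(user:realm:password)
htdigest_line() {  # args: user realm password
  local ha1
  ha1=$(printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1)
  printf '%s:%s:%s\n' "$1" "$2" "$ha1"
}

# Print the first AuthName value found in an Apache config file, quotes stripped.
authname_of() {  # args: conf_file
  awk 'tolower($1) == "authname" {
         $1 = ""; gsub(/^[ \t]+|[ \t]+$/, ""); gsub(/"/, ""); print; exit
       }' "$1"
}

# Succeed only if the user has an entry whose realm equals the config's AuthName.
realm_matches() {  # args: conf_file htdigest_file user
  local realm
  realm=$(authname_of "$1")
  [ -n "$realm" ] || return 1
  awk -F: -v u="$3" -v r="$realm" '
    $1 == u && $2 == r && length($3) == 32 && $3 ~ /^[0-9a-f]+$/ { ok = 1 }
    END { exit !ok }' "$2"
}

demo() {
  local dir
  dir=$(mktemp -d)
  # Constructed vhost fragment; the AuthUserFile location is an assumption.
  cat > "$dir/000-default.conf" <<'EOF'
<Directory "/var/www/html/digestauth">
    AuthType Digest
    AuthName "whitelist_authority"
    AuthDigestProvider file
    AuthUserFile "/etc/apache2/.htdigest"
    Require valid-user
</Directory>
EOF
  htdigest_line admin whitelist_authority ababa > "$dir/.htdigest"
  realm_matches "$dir/000-default.conf" "$dir/.htdigest" admin && echo "realm OK"
  # An entry created under a misspelled realm does not match AuthName.
  htdigest_line admin withelist_authority ababa > "$dir/.htdigest"
  realm_matches "$dir/000-default.conf" "$dir/.htdigest" admin || echo "realm mismatch"
  rm -rf "$dir"
}
demo
```

Unlike `htdigest`, which prompts for the password, `htdigest_line` takes it as an argument so the entry can be reproduced non-interactively for checking.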