From bfd09f76037f3406799aece74e46026a14fe7ebd Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Wed, 11 Jul 2012 13:00:06 -0500 Subject: [PATCH] SEC-1905: Added footnote to password encoding for digest authentication Technically digest authentication can allow for encoded passwords, but it needs to be in the correct format. This update adds a footnote to clarify this. Previously the documentation stated that passwords must be in clear text. --- docs/manual/src/docbook/basic-and-digest-auth.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/manual/src/docbook/basic-and-digest-auth.xml b/docs/manual/src/docbook/basic-and-digest-auth.xml index 0015e5dd2a..9186d7c4a8 100644 --- a/docs/manual/src/docbook/basic-and-digest-auth.xml +++ b/docs/manual/src/docbook/basic-and-digest-auth.xml @@ -138,9 +138,12 @@ The configured UserDetailsService is needed because DigestAuthenticationFilter must have direct access to the clear text password of a user. Digest Authentication will NOT work if you are using - encoded passwords in your DAO. The DAO collaborator, along with the - UserCache, are typically shared directly with a - DaoAuthenticationProvider. The + encoded passwords in your DAO It is possible to encode the password in the + format HEX( MD5(username:realm:password) ) provided the + DigestAuthenticationFilter.passwordAlreadyEncoded is set to true. + However, other password encodings will not work with digest authentication.. The DAO + collaborator, along with the UserCache, are typically shared directly + with a DaoAuthenticationProvider. The authenticationEntryPoint property must be DigestAuthenticationEntryPoint, so that DigestAuthenticationFilter can obtain the correct
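Review bot: the first added line drops the sentence-ending period ("encoded passwords in your DAO It is possible"), and the fourth added line doubles it ("digest authentication.. The DAO"); as the hunk stands, the rendered paragraph reads "...in your DAO It is possible to encode the password..." and "...with digest authentication.. The DAO collaborator...". Suggest "encoded passwords in your DAO. It is possible to encode the password in the" and "However, other password encodings will not work with digest authentication. The DAO". On the substance, the stated format HEX( MD5(username:realm:password) ) ties the stored value to the realm, so it would help readers to add one sentence noting that stored digests have to be regenerated if the realm configured on DigestAuthenticationEntryPoint changes, and that passwordAlreadyEncoded must be set only when every stored password is in that exact format.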