[
https://issues.apache.org/jira/browse/SHIRO-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13935378#comment-13935378
]
Sebastian Audet commented on SHIRO-20:
--------------------------------------
Considering the backend - the solution to this issue may be a bit more involved.
For systems such as LDAP where the password is unavailable and the hash cannot
be safely re-hashed if it is using an outdated algorithm, the only solution is to
either update the LDAP system and forward all requests, or to intercept the
request in plain-text once, store the securely hashed value in the LDAP system
as a separate field, and then retrieve the LDAP value on subsequent tries.
This approach can be generalized to support other systems supporting extra
fields such as AD or Stormpath. It also externalizes the risk management to the
external LDAP system, whose passwords and information can be updated or
retrieved at will if LDAP access is achieved.
> Support HTTP Digest Authentication
> ----------------------------------
>
> Key: SHIRO-20
> URL: https://issues.apache.org/jira/browse/SHIRO-20
> Project: Shiro
> Issue Type: New Feature
> Reporter: Les Hazlewood
>
> Just as we support HTTP Basic Authentication via the
> BasicHttpAuthenticationFilter, we should also support HTTP Digest
> Authentication out of the box as well:
> http://en.wikipedia.org/wiki/Digest_access_authentication
--
This message was sent by Atlassian JIRA
(v6.2#6252)
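
The second option in Sebastian Audet's comment (capture the plain-text password once, then serve later requests from a separately stored value), as an added Java example that is neither Shiro code nor the commenter's. It assumes the stored value is the RFC 7616 SHA-256 Digest HA1, uses a `Map` as a stand-in for the extra LDAP field (hypothetical attribute name `digestHa1`), and leaves out nonce issuance and replay tracking.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class DigestHa1Migration {
    static final String REALM = "example-realm"; // constructed value
    // Stand-in for the extra LDAP field (hypothetical attribute "digestHa1"): uid -> HA1
    static final Map<String, String> extraField = new HashMap<>();

    static String h(String s) { // lowercase hex SHA-256
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)))
                hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Called once, right after a plain-text login was verified against LDAP.
    static void onVerifiedPlainTextLogin(String uid, char[] password) {
        extraField.put(uid, h(uid + ":" + REALM + ":" + new String(password)));
        Arrays.fill(password, '\0'); // drop the plain text once HA1 exists
    }

    // RFC 7616 response for qop=auth, computed from HA1 alone.
    static String response(String ha1, String method, String uri, String nonce, String nc, String cnonce) {
        return h(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + h(method + ":" + uri));
    }

    // Subsequent Digest requests: only the stored field is read, never a password.
    static boolean verify(String uid, String method, String uri, String nonce,
                          String nc, String cnonce, String clientResponse) {
        String ha1 = extraField.get(uid);
        if (ha1 == null) return false; // no plain-text login captured yet for this user
        byte[] expected = response(ha1, method, uri, nonce, nc, cnonce).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, clientResponse.getBytes(StandardCharsets.UTF_8)); // constant-time
    }
    public static void main(String[] args) {
        onVerifiedPlainTextLogin("alice", "correct horse".toCharArray()); // constructed credentials
        String nonce = "n0nce", nc = "00000001", cnonce = "c1"; // constructed values
        String good = response(h("alice:" + REALM + ":correct horse"), "GET", "/app", nonce, nc, cnonce);
        System.out.println(verify("alice", "GET", "/app", nonce, nc, cnonce, good));
        System.out.println(verify("alice", "GET", "/app", nonce, nc, cnonce, h("wrong")));
        System.out.println(verify("bob", "GET", "/app", nonce, nc, cnonce, good));
    }
}
```

The stored HA1 is password-equivalent for Digest logins in that realm, so the extra field needs the same read restrictions in the directory as the password hash itself.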