RFR: 8281561: Disable http DIGEST mechanism with MD5 by default
Daniel Fuchs
dfuchs at openjdk.java.net
Fri Mar 4 14:09:07 UTC 2022

On Fri, 4 Mar 2022 13:50:37 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:
>> Hi,
>>
>> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
>>
>> - Michael
>
> src/java.base/share/classes/java/net/doc-files/net-properties.html line 227:
>
>> 225: name.</P>
>> 226: </OL>
>> 227: <LI><P><B>{@systemProperty http.auth.digest.reEnabledAlgs}</B> (default: <none>)<BR>
>
> Hello Michael, from what I understand of `doc-files` directory (which is where this html file resides) the `javadoc` tool considers it an unprocessed files location[1]. So would adding the `systemProperty` javadoc taglet here be necessary? I think this won't end up being listed in the system properties index generated by the javadoc tool and I think this line here will just get rendered literally.
>
> [1] https://docs.oracle.com/javase/8/docs/technotes/tools/windows/javadoc.html

This actually seems to work. If you build the docs for JDK mainline, you can search, for instance, for `http.keepAlive.time.proxy` in the javadoc search box and it will lead you to `net-properties.html`.

-------------
PR: https://git.openjdk.java.net/jdk/pull/7688