RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v5]

Weijun Wang weijun at openjdk.java.net
Mon Mar 14 21:45:54 UTC 2022


On Mon, 14 Mar 2022 13:26:34 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

>> Hi,
>> 
>> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
>> 
>> - Michael
>
> Michael McMahon has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 17 additional commits since the last revision:
> 
>  - Merge branch 'master' into md5
>  - update after third review round
>  - removed swp file
>  - update after second review round
>  - update
>  - update after first review round
>  - fix whitespace
>  - update property name. add documentation
>  - fixed one more test
>  - fixed up existing tests using digest auth
>  - ... and 7 more: https://git.openjdk.java.net/jdk/compare/4bef4cc9...c55fdd94

LGTM now. It will be even nicer if the known answer tests in RFC 7616 can be included.

-------------

Marked as reviewed by weijun (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/7688
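
The opt-in gate and RFC 7616 computations described in the quoted request, as an added example that is not code from the pull request or the JDK: MD5 is refused unless "http.auth.digest.reEnabledAlgs" names it, while SHA-256 and SHA-512-256 are always allowed. The class and method names are hypothetical, the comma-separated property format is an assumption, and all credential and nonce values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HexFormat; // JDK 17+
import java.util.Locale;

public class DigestAlgGate {
    // Assumption: the property holds a comma-separated list of algorithm names.
    static boolean reEnabled(String alg) {
        String v = System.getProperty("http.auth.digest.reEnabledAlgs", "");
        return Arrays.stream(v.split(",")).anyMatch(s -> s.trim().equalsIgnoreCase(alg));
    }
    // Map the challenge's algorithm token to a JCA name; MD5 only after opt-in.
    static String jcaName(String alg) {
        switch (alg.toUpperCase(Locale.ROOT)) {
            case "SHA-256":     return "SHA-256";
            case "SHA-512-256": return "SHA-512/256";
            case "MD5":
                if (reEnabled("MD5")) return "MD5";
                throw new SecurityException("MD5 digest authentication is disabled");
            default: throw new IllegalArgumentException("unsupported algorithm: " + alg);
        }
    }
    static String h(String jca, String s) throws Exception {
        byte[] d = MessageDigest.getInstance(jca).digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }
    // RFC 7616 userhash: H(username ":" realm), sent in place of the clear username.
    static String userhash(String alg, String user, String realm) throws Exception {
        return h(jcaName(alg), user + ":" + realm);
    }
    // RFC 7616 response for qop=auth: H(H(A1) ":" nonce ":" nc ":" cnonce ":auth:" H(A2)).
    static String response(String alg, String user, String realm, String pass, String method,
                           String uri, String nonce, String nc, String cnonce) throws Exception {
        String jca = jcaName(alg);
        String ha1 = h(jca, user + ":" + realm + ":" + pass);
        String ha2 = h(jca, method + ":" + uri);
        return h(jca, ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"SHA-256", "SHA-512-256", "MD5"}) {
            try { // every credential and nonce value below is constructed sample input
                System.out.println(alg + " userhash=" + userhash(alg, "alice", "example"));
                System.out.println(alg + " response=" + response(alg, "alice", "example",
                        "s3cret", "GET", "/index.html", "n0nce", "00000001", "cn0nce"));
            } catch (SecurityException e) { System.out.println(alg + " rejected: " + e.getMessage()); }
        }
    }
}
```

Running it with `-Dhttp.auth.digest.reEnabledAlgs=MD5` makes the MD5 iteration produce a response instead of a rejection.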

