RFR: 8281561: Disable http DIGEST mechanism with MD5 and SHA-1 by default [v9]

Michael McMahon michaelm at openjdk.java.net
Mon Mar 28 13:56:53 UTC 2022


> Hi,
> 
> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
> 
> - Michael

Michael McMahon has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 25 additional commits since the last revision:

 - merge branch 'master' into md5
 - Merge branch 'master' into md5
 - forgot update to DigestAuth test
 - latest update
 - Merge branch 'master' into md5
 - delete .swp file
 - incomplete test update
 - made disabledAlgorithms immutable
 - Merge branch 'master' into md5
 - update after third review round
 - ... and 15 more: https://git.openjdk.java.net/jdk/compare/a77604cd...946142f3

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/7688/files
  - new: https://git.openjdk.java.net/jdk/pull/7688/files/b2095e02..946142f3

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=7688&range=08
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=7688&range=07-08

  Stats: 92145 lines in 1153 files changed: 75778 ins; 14325 del; 2042 mod
  Patch: https://git.openjdk.java.net/jdk/pull/7688.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/7688/head:pull/7688

PR: https://git.openjdk.java.net/jdk/pull/7688
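
The following is an added example, not part of the message above and not the JDK's own code: it models a default-deny check for weak Digest algorithms with an opt-in read from "http.auth.digest.reEnabledAlgs", next to the RFC 7616 userhash and qop=auth response computations. The class and method names, the comma-separated parsing of the property, and all credential and nonce values are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Set;

public class DigestPolicyDemo {
    // Assumption: mirrors the default named in the subject line (MD5 and SHA-1 off).
    static final Set<String> DISABLED = Set.of("MD5", "SHA-1");

    // Assumption: the property value is a comma-separated, case-insensitive list.
    static boolean allowed(String alg, String reEnabled) {
        String a = alg.toUpperCase(Locale.ROOT);
        if (!DISABLED.contains(a)) return true;
        return reEnabled != null && Arrays.stream(reEnabled.split(","))
                .map(s -> s.trim().toUpperCase(Locale.ROOT)).anyMatch(a::equals);
    }

    static String h(String alg, String s) throws Exception {
        byte[] d = MessageDigest.getInstance(alg).digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    // RFC 7616 userhash: H(username ":" realm), sent in place of the cleartext username.
    static String userhash(String alg, String user, String realm) throws Exception {
        return h(alg, user + ":" + realm);
    }

    // RFC 7616 response for qop=auth; A1 still uses the real username.
    static String response(String alg, String user, String realm, String pass, String method,
            String uri, String nonce, String nc, String cnonce) throws Exception {
        String ha1 = h(alg, user + ":" + realm + ":" + pass);
        String ha2 = h(alg, method + ":" + uri);
        return h(alg, ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String reEnabled = System.getProperty("http.auth.digest.reEnabledAlgs");
        // Constructed challenge parameters and credentials, for illustration only.
        for (String alg : new String[] {"MD5", "SHA-256"}) {
            if (!allowed(alg, reEnabled)) {
                System.out.println(alg + ": refused, not listed in http.auth.digest.reEnabledAlgs");
                continue;
            }
            System.out.println(alg + " userhash=" + userhash(alg, "alice", "example.test"));
            System.out.println(alg + " response=" + response(alg, "alice", "example.test",
                    "constructed-password", "GET", "/index.html", "constructed-nonce",
                    "00000001", "constructed-cnonce"));
        }
    }
}
```

Running the class with -Dhttp.auth.digest.reEnabledAlgs=MD5 exercises the opt-in path; without the property, only the SHA-256 values are printed.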

