I am trying to use a DigestAuthenticator to secure some parts of an API I am creating using Restlet. In all of the examples, the DigestAuthenticator expects to wrap a LocalVerifier that will return the local secret in plain text. Obviously, I do not want to store all of my users' passwords in plain text. How can I use HTTP Digest with Restlet while not providing the local secret in plain text?
I have written a LocalVerifier that uses the identifier to query a db and retrieve a sha1'd password, but it doesn't work unless my Verifier returns the password in plain text.
Any ideas?
So basically I hashed all the passwords on the server side in the database, and I hashed the password on the client side before it was hashed by HTTP Digest. Seems like a more secure solution to me anyway.
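The exchange described in the answer above, as an added example that is not part of the original posts and is not Restlet code: a Python sketch of the RFC 2617 `qop=auth` computation showing why the server-side check only matches when the client feeds the same SHA-1 value into Digest that the database stores. `USER_DB`, `REALM`, the challenge values and the function names are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def digest_response(secret, username, realm, method, uri, nonce, nc, cnonce):
    # RFC 2617 response for qop=auth. `secret` is whatever both sides
    # treat as the password when building HA1.
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

# Constructed sample data: the database holds only the SHA-1 hex of the password.
REALM = "api@example.test"
USER_DB = {"alice": sha1_hex("correct horse")}
CHALLENGE = dict(method="GET", uri="/orders", nonce="constructed-nonce",
                 nc="00000001", cnonce="constructed-cnonce")

def client_response(username, password, prehash, **challenge):
    # prehash=True is the answer's approach: SHA-1 the password first,
    # then hand that value to the Digest computation as the secret.
    secret = sha1_hex(password) if prehash else password
    return digest_response(secret, username, REALM, **challenge)

def server_verify(username, response, **challenge):
    # What a verifier returning the stored SHA-1 value effectively checks:
    # the stored hash is used as the Digest secret, never the plain password.
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, username, REALM, **challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    for prehash in (False, True):
        resp = client_response("alice", "correct horse", prehash, **CHALLENGE)
        print("client pre-hashes:", prehash, "-> accepted:",
              server_verify("alice", resp, **CHALLENGE))
```

With this scheme the stored SHA-1 value is itself the secret that Digest verifies, so the database column needs the same protection a plain-text password column would.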