Forum OpenACS Q&A: Re: Password in ClearText

27: Re: Password in ClearText (response to 1)
Posted by Andrew Piskorski on
There has been some recent discussion on the AOLserver list about exposing the necessary API hooks so that Digest Authentication could be more easily added. Someone mentioned there that Digest Auth is likely to be needed for many server-to-server protocols that are becoming more popular. (I don't remember if that included just WebDAV like Dave mentions above, or other stuff too.) So on an OpenACS site maybe human users would never use it, but various web services would.

For actual human beings using an OpenACS website, AFAICT SSL on the login page is by far the best solution, and OpenACS already has a very good solution for this, and indeed has had it for many years, since at least ACS 4.0 if not earlier. Andrew S. seems to dislike SSL for this and states that he would prefer Digest auth. without SSL as the default for the login page. Frankly, I don't understand why, his expressed preference there makes no sense at all as far as I can see.

I don't know enough about Digest Auth. to understand Tom's argument that it has different semantics than OpenACS login and so can't work for OpenACS login. If someone could explain that, I'd like to hear it.