Summary
When using HTTP Digest Authentication to authenticate web service requests, authentication will fail if the username is not supplied in lower case.
Advisory Release Date
February 19, 2020
Affected Versions
All versions of LightWave Server
Status
This is a known restriction in LightWave Server. No fix is available or planned.
Background
HTTP Digest Authentication requires that the server store the user password using reversible encryption, i.e., the server must be able to decrypt the user's password into clear text. LightWave Server uses PBKDF2 to store a non-reversible version of the user password.
In order to implement Digest Authentication without reversible encryption, LightWave Server stores the non-reversible Digest Authentication A1 digest when the user password is set; this stored digest is used later during authentication to construct the Request Digest. The A1 digest contains the username, which is converted to lower case before the digest is stored. Because the client computes its own A1 digest from the username exactly as supplied, the client application must supply the username in lower case for authentication to succeed.
Since there is no plan to implement password storage using reversible encryption in LightWave Server, the need for client applications to supply the username in lower case is a permanent restriction.
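The following is an added illustration, not LightWave Server code: a hypothetical server-side store that keeps only the A1 digest computed from the lowercased username, next to a standard client that hashes the username exactly as supplied. It runs the RFC 2617 qop=auth computation with constructed challenge values and shows that a mixed-case username produces a different Request Digest and is rejected, while the lowercase form is accepted. The realm, nonce and user values are constructed for the example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """MD5 hex digest of a UTF-8 string (the hash Digest auth uses per RFC 2617)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The username is part of the hash input,
    so any difference in case changes the digest."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Request Digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class LowercaseA1Store:
    """Hypothetical server-side store (not the product's own code): keeps only HA1,
    computed from the lowercased username when the password is set, so no
    reversible copy of the password exists."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1_by_user: dict[str, str] = {}

    def set_password(self, username: str, password: str) -> None:
        key = username.lower()
        self._ha1_by_user[key] = a1_hash(key, self.realm, password)

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        """Recompute the expected Request Digest from the stored HA1 and compare
        in constant time with the value the client sent."""
        ha1 = self._ha1_by_user.get(username.lower())
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)


def client_response(username: str, password: str, realm: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What a standard HTTP client computes, using the username exactly as supplied."""
    return digest_response(a1_hash(username, realm, password),
                           method, uri, nonce, nc, cnonce)


# Constructed sample challenge values; the nonce/cnonce are the RFC 2617 example values.
REALM = "lightwave"
CHALLENGE = dict(method="GET", uri="/svc/orders",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 nc="00000001", cnonce="0a4f113b")


def attempt(store: LowercaseA1Store, username: str, password: str) -> bool:
    """One client request followed by server-side verification."""
    resp = client_response(username, password, REALM, **CHALLENGE)
    return store.verify(username, response=resp, **CHALLENGE)


def demo() -> dict:
    store = LowercaseA1Store(REALM)
    store.set_password("JSmith", "correct horse")  # constructed account
    return {
        "lowercase": attempt(store, "jsmith", "correct horse"),
        "mixed_case": attempt(store, "JSmith", "correct horse"),
        "wrong_password": attempt(store, "jsmith", "wrong"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
```

The only difference between the accepted and rejected attempts is the case of the username; the password, nonce and URI are identical, which is why a client cannot recover from this by retrying and must normalise the username to lower case before computing its digest.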
Workaround
Digest authentication is no longer the industry preferred method for HTTP authentication, because of the overhead required to implement it and its use of the MD5 hash, which is now considered weak. The preferred method is now Basic authentication over a TLS connection. While the Basic method is not secure over an unencrypted connection, over TLS it is secure and performs better than Digest, especially when pre-authentication is used (the client sends the Authorization header with its first request instead of waiting for a 401 challenge). We recommend using Basic authentication over TLS instead of Digest authentication. The --disable-digest-auth startup option, introduced in LightWave Server 1.0.9, may be used to disable Digest authentication and prevent the server from advertising Digest authentication in the WWW-Authenticate header.
If continued use of Digest authentication is desired, the HTTP client must provide the username in lower case.