Springrbua Springrbua - 1 month ago 39
Android Question

Digest authentication in Android using HttpURLConnection

as the question allready says, I am trying to do digest authentication in android.

Until now i have used the

DefaultHttpClient
and it's authentication method (using
UsernamePasswordCredentials
and so on), but it is deprecated since Android 5 and will be removed in Android 6.

So i am about to switch from
DefaultHttpClient
to
HttpUrlConnection
.

Now i am trying to achieve digest authentication, which should work pretty simple as explained here:

Authenticator.setDefault(new Authenticator() {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(username, password);
}
});


But the
getPasswordAuthentication
gets never called for some reason.

During my search for this problem i found different posts, saying digest authentication is not supported by the
HttpUrlConnection
in android, but those posts are from 2010-2012, so i am not sure if this is still true. Also we are using
HttpUrlConnection
with digest authentication in our desktop java application, where it does work.

I also found some posts, talking about
OkHttp
.
OkHttp
seems to be used by Android under the hood (to be more specific the
HttpUrlConnectionImpl
). But this
HttpUrlConnectionImpl
is a bit strange, it is not even shown in the Eclipse type hierarchy and i am not able to debug it. Also it should be a
com.squareup.okhttp.internal.huc.HttpUrlConnectionImpl
, while in android it is a
com.android.okhttp.internal.http.HttpUrlConnectionImpl
.

So i am just not able to do digest authentication with this
HttpUrlConnection
in android.

Can anyone tell me how to do that without external libraries?

EDIT:

The server asks for digest authentication:

WWW-Authenticate: Digest realm="Realm Name",domain="/domain",nonce="nonce",algorithm=MD5,qop="auth"


So Basic-Authentication shouldn' work, as the server is asking for digest.

Answer

The answer is, that HttpUrlConnection does not support digest.

You therefore have to implement RFC2617 by yourself.

You can use the following code as a baseline implementation: HTTP Digest Auth for Android.

The steps involve (see RFC2617 for reference):

  • If you get a 401 response, iterate over all WWW-Authenticate headers and parse them:
    • Check if algorithm is MD5 or undefined, (optionally select the auth qop option), otherwise ignore the challenge and go to the next header.
    • Get the credentials using Authenticator.requestPasswordAuthentication.
    • Calculate H(A1) using the username, realm and password.
    • Store the canonical root URL, realm, HA1, username, nonce (+ optionally algorithm, opaque and the client selected qop option if present).
    • Retry the request.
  • On each request, iterate over all realms you have session information stored for by canonical root URL:
    • Calculate H(A2) using the request method and path.
    • Calculate H(A3) using HA1, nonce (+ optionally nc, cnonce, qop) and HA2.
    • Build and add the Authorization header to your HttpUrlConnection.
  • Implement some sort of session pruning.

By using Authenticator, you can make sure, that as soon as HttpUrlConnection supports digest natively, your code is not being used anymore (because you wont receive the 401 in the first place).

This is just a quick summary on how to implement it, for you to get an idea.

If you want to go further you would probably like to implement SHA256 as well: RFC7616