I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way.

我想将 HTTP 摘要身份验证与存储用户名和加密密码的中央数据库一起使用。这些数据应该由不同的服务器使用，例如 Apache httpd 或 Tomcat。客户端将是使用浏览器和其他应用程序以 RESTful 方式进行通信的人。

As far as I understand I could not use a table with hashed passwords. It is only possibly to store HA1 = MD5(username:realm:password)where a clear text password is required - correct?

据我所知，我不能使用带有散列密码的表。只可能在需要明文密码的地方存储 HA1 = MD5(username:realm:password)- 正确吗？

On the other hand it seems to be possible to use hashed passwords with Apache httpd:

另一方面，似乎可以在 Apache httpd 中使用散列密码：

Apache httpd docsays:

Apache httpd 文档说：

The first column value of the first row returned by the query statement should be a string containing the encrypted password.

查询语句返回的第一行的第一列值应该是包含加密密码的字符串。

Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?

它是否适用于摘要式身份验证？没有参数来指定哈希算法。Apache httpd 如何决定使用哪种算法？

RFC 2617says:

RFC 2617说：

4.13 Storing passwords

Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's name and password in a "password file" associated with a given realm. Normally this might contain pairs consisting of username and H(A1), where H(A1) is the digested value of the username, realm, and password as described above.

4.13 存储密码

摘要式身份验证要求身份验证代理（通常是服务器）将一些从用户名和密码派生的数据存储在与给定领域关联的“密码文件”中。通常这可能包含由用户名和 H(A1) 组成的对，其中 H(A1) 是如上所述的用户名、领域和密码的摘要值。

It sounds like the password has to be clear text.

听起来密码必须是明文。

The Servlet 3.0 spec says:

Servlet 3.0 规范说：

Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be avaialble to the authenticating container so that it can validate received authenticators by calculating the expected digest.

虽然密码不会通过网络发送，但 HTTP 摘要身份验证要求明文密码等效项可用于身份验证容器，以便它可以通过计算预期摘要来验证接收到的身份验证器。

What is the "clear text password equivalent" here? The password hash?

这里的“明文密码等效”是什么？密码哈希？

Tomcat documentationsays:

Tomcat 文档说：

If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.

如果将摘要密码与 DIGEST 身份验证一起使用，则用于生成摘要的明文是不同的。在上面的示例中，{cleartext-password} 必须替换为 {username}:{realm}:{cleartext-password}。例如，在开发环境中，这可能采用 testUser:localhost:8080:testPassword 的形式。

Here is a clear text password required.

这里需要一个明文密码。

So, can HTTP Digest authentication be used with already encrypted passwords or have the passwords to be clear text?

那么，HTTP Digest 身份验证是否可以与已加密的密码一起使用，或者密码为明文？

Must the user re-enter his credentials if he requests a page from a different subdomain?

如果用户从不同的子域请求页面，他是否必须重新输入他的凭据？

Does the browser delete the cached password when the tab is closed or only when the whole is closed? Maybe this differs from browser to browser - I'd be interested in which browser delete it and which keep it.

浏览器是在标签页关闭时还是只在整个关闭时才删除缓存的密码？也许这因浏览器而异 - 我对哪个浏览器删除它和保留它感兴趣。

The overall question is, whether digest authentication is suitable for my scenario with a central user db with already encrypted passwords. Or should I better use session based single sign on service?

总体问题是，摘要式身份验证是否适合我的场景，其中中心用户 db 已加密密码。或者我应该更好地使用基于会话的单点登录服务？