authenticate_or_request_with_http_digest(realm = "Application", &password_procedure)public
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 156 def authenticate_or_request_with_http_digest(realm = "Application", &password_procedure) authenticate_with_http_digest(realm, &password_procedure) || request_http_digest_authentication(realm) end
This method has a security hole in Rails 2.3.2. See http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest for explanation.
Rails 2.3.3 should fix the problem.
Testing HTTP Digest authentication is a bit tricky. I wrote a post describing how to accomplish it.
Note also that Digest auth is broken for REST actions using PUT or DELETE. There is an open Lighthouse ticket for this, #2490: