public static final String DEFAULT_LANG = "default.lang";
            public static final String DEFAULT_CONTENT = "default.content";
            public static final String DEFAULT_DIGEST = "default.digest";
            // xapth.<field>=<value>
        }

        // config.*
        public static class Config {
            public static final String KEEP_ORIGINAL_BODY = "keep.original.body";

      },
      "timestamp": {
        "type": "date",
        "format": "date_optional_time"
      },
      "expires": {
        "type": "date",
        "format": "date_optional_time"
      },
      "digest": {
        "type": "text",
        "index": false
      },
      "doc_id": {
        "type": "keyword"
      },
      "favorite_count": {
        "type": "long"
      },
      "filename": {

            }
        }
        // digest
        final String digest = getSingleNodeValue(document, getDigestXpath(fessConfig, xpathConfigMap), node -> node);
        if (StringUtil.isNotBlank(digest)) {
            putResultDataBody(dataMap, fessConfig.getIndexFieldDigest(), digest);
        } else {
            putResultDataBody(dataMap, fessConfig.getIndexFieldDigest(),

#### Исправление с помощью `secrets.compare_digest()` { #fix-it-with-secrets-compare-digest }

Но в нашем коде мы используем `secrets.compare_digest()`.

Вкратце: сравнение `stanleyjobsox` с `stanleyjobson` займёт столько же времени, сколько и сравнение `johndoe` с `stanleyjobson`. То же относится и к паролю.

                md4.update(passwordHash);
                final byte[] userSessionKey = md4.digest();

                final MessageDigest hmac = Crypto.getHMACT64(userSessionKey);
                hmac.update(sessionNonce);
                final byte[] ntlm2SessionKey = hmac.digest();

                if (getFlag(NTLMSSP_NEGOTIATE_KEY_EXCH)) {
                    this.masterKey = new byte[16];

            testBlock.setOverrideTimeout(5000);
            assertEquals(5000, testBlock.getOverrideTimeout());
        }

        @Test
        @DisplayName("Test digest property")
        void testDigestProperty() {
            testBlock.setDigest(mockDigest);
            assertEquals(mockDigest, testBlock.getDigest());
        }

        @Test

            md.update((byte) (ms_usage >> 8 & 0xFF));
            md.update((byte) (ms_usage >> 16 & 0xFF));
            md.update((byte) (ms_usage >> 24 & 0xFF));
            byte[] dgst = md.digest(data);
            mac.reset();
            mac.init(new SecretKeySpec(dk, HMAC_KEY));
            return mac.doFinal(dgst);
        } finally {
            Arrays.fill(dk, 0, dk.length, (byte) 0);
        }
    }

    }

    private AuthScheme getAuthScheme() {
        final String scheme = getProtocolScheme();
        if (Constants.BASIC.equals(scheme)) {
            return new BasicScheme();
        }
        if (Constants.DIGEST.equals(scheme)) {
            return new DigestScheme();
        }
        if (Constants.NTLM.equals(scheme)) {
            final Properties props = new Properties();

* `http`: Standard-HTTP-Authentifizierungssysteme, einschließlich:
    * `bearer`: ein Header `Authorization` mit dem Wert `Bearer ` plus einem Token. Dies wird von OAuth2 geerbt.
    * HTTP Basic Authentication.
    * HTTP Digest, usw.
* `oauth2`: Alle OAuth2-Methoden zum Umgang mit Sicherheit (genannt „Flows“).
    * Mehrere dieser Flows eignen sich zum Aufbau eines OAuth 2.0-Authentifizierungsanbieters (wie Google, Facebook, X (Twitter), GitHub usw.):

    * A cookie.
* `http`: standard HTTP authentication systems, including:
    * `bearer`: a header `Authorization` with a value of `Bearer ` plus a token. This is inherited from OAuth2.
    * HTTP Basic authentication.
    * HTTP Digest, etc.
* `oauth2`: all the OAuth2 ways to handle security (called "flows").
    * Several of these flows are appropriate for building an OAuth 2.0 authentication provider (like Google, Facebook, X (Twitter), GitHub, etc):