Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl

---
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---

Just a note...

The way you are doing it makes it difficult for normal people to get into
the site, but a top class hacker will get into your site unless you use SSL.


The big advantage of using DIGEST as you have done is yes, it makes normal
people PAY to get info, but the main thing is that often users will use the
same password they use to log on at work, i.e. their Microsoft password, and
that's where DIGEST is very good.


So you're giving your site a little protection, but more important is that
you're stopping a hacker from getting into everything else that user does, like
their bank account.


If this application has critical information moving over the wire... what
you are doing is no good :(


Have fun.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl


- Original Message - 
From: "zhongliang zhang" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Monday, November 05, 2007 8:16 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?



thanks for your reply.
Now it works if I specify the alg with "MD5", but still does not work with
"SHA".
and I do not know what the middle field of
"zhangzhongl:JDBCRealm:secret" means, that is, the "JDBCRealm"; is it an
unchangeable part? I do not think so, for the Tomcat docs give an example of
"localhost:8080", but when I changed it to that, my app does not work.

===
Yes that is misleading
I think it's picking it up from
<realm-name>JDBCRealm</realm-name>
in the web.xml file

The example in the documentation makes one think it's picking up on the
domain name... but it's picking up on that setting

I think it's because by convention realm-name is often the site domain name.

But that is good because I was thinking when you move it from 8080 you will
have to change all the password hashes...

Luckily not... just get this setting right now...
<realm-name>JDBCRealm</realm-name>
in the web.xml file

You guys cracked it, well done!

===
Furthermore, the application has the functions of modifying password and
creating a new user, so I have to deal with the transport of these passwords, too. I
planned to use JavaScript to encrypt the password in these situations; is it
a way worth trying?
what about encrypting the password using JavaScript at the login page? is it
safe? what I am afraid of is someone gets the
RequestURL, username, password (encrypted), and he writes a form, then he can
login to my application. Is it possible for some bad guy to do this?
I know the SSL communication is the best way, while the pity is that I am not
allowed to use it.
thanks so much for helping me to solve this problem; it confused me for a
couple of days.

===
Oops ;)
Forget about making the actual communication secure... to work up those
encryption algs in JavaScript is near impossible.

But I'm thinking ;)
I think this will work ok

Find an MD5 alg for JavaScript
The user must login and go to a secure page; you pass up the realm-name
to the JavaScript

It does...
MD5(UserName,Realm,Password) and sends it to your servlet.
You put it in the DB.

It doesn't stop things like replay attacks and all that stuff, but the rest
of your site is not secure anyway...

A Hash is a one way function so from that aspect, it's as good as DIGEST.
ie, even if someone sees the HASH... they still cannot guess the password..

SSL is better, but yes, this is probably as good as it's going to get on an
open site.

===



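To make the mechanics discussed above concrete, here is an added Python example (not code from the thread or from Tomcat) that reproduces what `RealmBase -a` stores for `{username}:{realm}:{password}` and then plays both sides of an RFC 2617 DIGEST exchange. It shows why the server can verify the browser's response from the stored digest alone, why that stored value must be MD5 (HA1 in HTTP Digest is defined as MD5, which matches the finding above that only `digest="MD5"` works), and why the realm string must be exactly the web.xml `<realm-name>` (JDBCRealm here, not localhost:8080). The user, password, realm and nonce values are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def tomcat_digested_password(username: str, realm: str, password: str,
                             algorithm: str = "MD5") -> str:
    """Reproduce what `java org.apache.catalina.realm.RealmBase -a {algorithm}
    {username}:{realm}:{password}` prints: lowercase hex of a digest over the
    whole user:realm:password string, not over the password alone."""
    cleartext = f"{username}:{realm}:{password}"
    return hashlib.new(algorithm.lower(), cleartext.encode("utf-8")).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 'response' for qop=auth. HA1 is by definition
    MD5(username:realm:password), i.e. exactly the Tomcat digested password
    above when the algorithm is MD5; a SHA1 digest can never slot in here."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def browser_authorization(username: str, password: str, realm: str,
                          nonce: str, method: str = "GET", uri: str = "/") -> dict:
    """Client side: built from the typed password plus the realm and nonce of
    the server's WWW-Authenticate challenge. The cleartext never leaves here."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def server_verify(stored_digest: str, authz: dict, method: str = "GET") -> bool:
    """Server side: recompute the response from the stored digest only. Because
    the stored value already is HA1, no cleartext password is needed; that is
    the 'plain cold logic' that lets DIGEST auth and digested passwords coexist.
    A real server must also check that the nonce is one it issued recently."""
    expected = digest_response(stored_digest, method, authz["uri"], authz["nonce"],
                               authz["nc"], authz["cnonce"], authz["qop"])
    return hmac.compare_digest(expected, authz["response"])


def demo() -> dict:
    """Constructed values following the thread: user zhangzhongl, password
    'secret', <realm-name>JDBCRealm</realm-name> in web.xml."""
    nonce = secrets.token_hex(16)  # fresh per challenge; constructed here
    stored_md5 = tomcat_digested_password("zhangzhongl", "JDBCRealm", "secret")
    stored_wrong_realm = tomcat_digested_password("zhangzhongl", "localhost:8080", "secret")
    stored_sha1 = tomcat_digested_password("zhangzhongl", "JDBCRealm", "secret", "SHA1")
    authz = browser_authorization("zhangzhongl", "secret", "JDBCRealm", nonce)
    bad_authz = browser_authorization("zhangzhongl", "Secret", "JDBCRealm", nonce)
    return {
        "md5_digest_matching_realm": server_verify(stored_md5, authz),
        "md5_digest_realm_mismatch": server_verify(stored_wrong_realm, authz),
        "sha1_digest": server_verify(stored_sha1, authz),
        "wrong_password": server_verify(stored_md5, bad_authz),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```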



RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread zhongliang zhang

thanks for your reply.
Now it works if I specify the alg with "MD5", but still does not work with "SHA".
and I do not know what the middle field of "zhangzhongl:JDBCRealm:secret"
means, that is, the "JDBCRealm"; is it an unchangeable part? I do not think so, for
the Tomcat docs give an example of "localhost:8080", but when I changed it to
that, my app does not work.
Furthermore, the application has the functions of modifying password and
creating a new user, so I have to deal with the transport of these passwords, too. I
planned to use JavaScript to encrypt the password in these situations; is it a
way worth trying?
what about encrypting the password using JavaScript at the login page? is it
safe? what I am afraid of is someone gets the
RequestURL, username, password (encrypted), and he writes a form, then he can login
to my application. Is it possible for some bad guy to do this?
I know the SSL communication is the best way, while the pity is that I am not
allowed to use it.
thanks so much for helping me to solve this problem; it confused me for a couple
of days.



Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl


- Original Message - 
From: "zhongliang zhang" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Monday, November 05, 2007 5:28 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?




Hi,

It still does not work.

Here is the trace:

I create the SHA1 password from the command prompt:

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA1 zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

So I changed the password of user "zhangzhongl" to
"0743d07d727aae8864569cbcefb9ae788150e8b9", and added the digest attribute to the
JDBCRealm element with a value of "SHA".


==
Hi Zhang,
As Mark pointed out it can be done.
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

But they want you to make the HASH like this

testUser:localhost:8080:testPassword

AND even though the Realm side is giving you a choice of HASH, I have a
feeling that TC probably uses MD5 on the Security constraint side

I don't know where
<auth-method>DIGEST</auth-method>
actually lets one choose the HASH, so I think it's MD5

So I THINK
MD5(zhangzhongl:localhost:8080:thePassword)
will make the right hash... maybe ;)
ie you must make the HASH of all that stuff together, not just the password.



Start the cat, and enter http://localhost:8080/; the dialog pops up, and I
enter zhangzhongl & secret as the username & password. What made me feel
upset is I can not enter the welcome page.


I do not know what the reason is, and I try to get some info from the
logs, but no logs can provide any useful information for this.


If possible, could you do me a favor and send me a simple sample application
for test to get this problem solved?


thank you so much!









Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl


- Original Message - 
From: "Mark Thomas" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Sunday, November 04, 2007 8:24 PM
Subject: Re: [tomcat]How to decrypt the DIGEST authentication?



Mark Thomas wrote:

Johnny Kewl wrote:

I don't think you can do what you want to...
I don't think you can use web based DIGEST authentication.
And then hide passwords in an MD5 digest as well.


Yes you can.


I think web based DIGEST authentication, MUST get at the plain text
password.


No.


That process has to be repeated on the server, and SHA(Password) + some
random stuff NOT EQUAL to browser...
I think it has to be a plain text password... unless TC does something
unbelievable...


Not unbelievable. Just plain cold logic. The use of DIGEST auth and
digested passwords are 100% independent.


Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
auth *and* digested passwords then you have to calculate the password to
put in your tomcat-users.xml/database/etc differently. See
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
for details.


No Problem... I'm surprised it can even be done...
The digest spec has random vectors, so it means TC is using domain and
username as those.

--
If using digested passwords with DIGEST authentication, the cleartext used 
to generate the digest is different. In the examples above 
{cleartext-password} must be replaced with 
{username}:{realm}:{cleartext-password}. For example, in a development 
environment this might take the form testUser:localhost:8080:testPassword.

---
I was wrong... it can be done ;)







Mark










RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread zhongliang zhang

Hi,

It still does not work.

Here is the trace:

I create the SHA1 password from the command prompt:

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA1 zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

So I changed the password of user "zhangzhongl" to
"0743d07d727aae8864569cbcefb9ae788150e8b9", and added the digest attribute to the
JDBCRealm element with a value of "SHA".

Start the cat, and enter http://localhost:8080/; the dialog pops up, and I enter
zhangzhongl & secret as the username & password. What made me feel upset is I
can not enter the welcome page.

I do not know what the reason is, and I try to get some info from the logs, but
no logs can provide any useful information for this.

If possible, could you do me a favor and send me a simple sample application for
test to get this problem solved?

thank you so much!




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread zhongliang zhang

thanks very much for all your replies.

But I can not make it work.

I store the password using the HexUtils.convert(byte[]) method to store the password
in my Oracle database.

And I configure the Tomcat JDBCRealm with the "digest" attribute.

And I do a test with a MySQL database, for it is small and easy.

I store the MD5 password in the password field of the users table.

for example, the user's password is "password" and the MD5-style password is
"3c3b3206267dd4d2039822b76749380" (fake data).

Then I entered my application, the dialog popped up, I entered the username and
password, but it does not work.

I do not know why.

can anybody help me?

an example app would be more helpful.

thanks for all your kind-hearted replies.




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Mark Thomas
zhongliang zhang wrote:
> Hi,Mark,
> I have to turn to you again.
> I encounter the problem with configuring the Digested-Password in the
> JDBCRealm.
> The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as
> followed:
> <Realm className="org.apache.catalina.realm.JDBCRealm"
>        driverName="com.mysql.jdbc.Driver"
>        connectionURL="jdbc:mysql://localhost/test" connectionName="root"
>        connectionPassword="root" userTable="users" userNameCol="user_name"
>        userCredCol="user_pass" userRoleTable="user_roles"
>        roleNameCol="role_name" />
> and in the $TOMCAT_HOME/conf/web.xml,I did the following security-constraint:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>customized</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>JDBCRealm</realm-name>
> </login-config>
> it works with mysql database which is just for testing.Now in my database
> table users,I insert a record:
> user_name:zhangzhongl
> user_pass:zhangzhongl
> and in the database table,I insert a record:
> role_name:customized
> username:zhangzhongl
> So,it works before I added the digest attribute to the <Realm> element with
> value "SHA" or "MD5".

OK, so far so good. DIGEST auth is working with cleartext passwords stored
in the database.

> After I added the digest attribute,
> I copied the tomcat-juli.jar from $TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then 
> start up,
Not sure why you needed to do this.

> after I entered the username zhangzhongl and clear-text password
> (Now,in the database,I stored the password with SHA encrypted form),
> it does now work,which means I can not enter the tomcat welcome page.

I assume you mean it doesn't work here. OK. The important thing is how you
generated the SHA encrypted password. To use DIGEST *and* digested
passwords you need to do:
java org.apache.catalina.realm.RealmBase -a {algorithm}
{username}:{realm}:{cleartext-password}

For your example, assuming a password of secret:
java org.apache.catalina.realm.RealmBase -a SHA1 zhangzhongl:JDBCRealm:secret

Note this should all be on the same line.

Full details at
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

HTH,

Mark
>
> I do not know what the reason is.
> Please do me a favor.
> thanks so much!
>
> > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
> >
> > Mark





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Mark Thomas
Mark Thomas wrote:
> Johnny Kewl wrote:
>> I don't think you can do what you want to...
>> I don't think you can use web based DIGEST authentication.
>> And then hide passwords in an MD5 digest as well.
> 
> Yes you can.
> 
>> I think web based DIGEST authentication, MUST get at the plain text
>> password.
> 
> No.
> 
>> That process has to be repeated on the server, and SHA(Password) + some
>> random stuff NOT EQUAL to browser...
>> I think it has to be a plain text password... unless TC does something
>> unbelievable...
> 
> Not unbelievable. Just plain cold logic. The use of DIGEST auth and
> digested passwords are 100% independent.

Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
auth *and* digested passwords then you have to calculate the password to
put in your tomcat-users.xml/database/etc differently. See
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
for details.

Mark





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Mark Thomas
Johnny Kewl wrote:
> I don't think you can do what you want to...
> I don't think you can use web based DIGEST authentication.
> And then hide passwords in an MD5 digest as well.

Yes you can.

> I think web based DIGEST authentication, MUST get at the plain text
> password.

No.

> That process has to be repeated on the server, and SHA(Password) + some
> random stuff NOT EQUAL to browser...
> I think it has to be a plain text password... unless TC does something
> unbelievable...

Not unbelievable. Just plain cold logic. The use of DIGEST auth and
digested passwords are 100% independent.

Mark





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-02 Thread Johnny Kewl



Zhong, haven't been following this, so shoot my wife if this is stupid...

I don't think you can do what you want to...
I don't think you can use web based DIGEST authentication.
And then hide passwords in an MD5 digest as well.

I think web based DIGEST authentication MUST get at the plain text
password.

If you change that to BASIC, THEN you can MD5 the plain text password.

DIGEST on the web is better though

This is not a Tomcat problem, it's just the way DIGEST works
The browser takes the PASSWORD + some random stuff and gets a HASH from that.

That process has to be repeated on the server, and SHA(Password) + some
random stuff NOT EQUAL to browser...
I think it has to be a plain text password... unless TC does something
unbelievable...


Have to choose, it's just the way web security works ;(



- Original Message - 
From: "zhongliang zhang" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Friday, November 02, 2007 3:14 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?


Hi,Mark,
I have to turn to you again.
I encounter the problem with configuring the Digested-Password in the
JDBCRealm.
The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as
followed:
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/test" connectionName="root"
       connectionPassword="root" userTable="users"
       userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />
and in the $TOMCAT_HOME/conf/web.xml,I did the following
security-constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customized</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
it works with mysql database which is just for testing.Now in my database
table users,I insert a record:

user_name:zhangzhongl
user_pass:zhangzhongl
and in the database table,I insert a record:
role_name:customized
username:zhangzhongl
So,it works before I added the digest attribute to the <Realm> element with
value "SHA" or "MD5".
After I added the digest attribute,I copied the tomcat-juli.jar from
$TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then start up,
after I entered the username zhangzhongl and clear-text password(Now,in the
database,I stored the password with SHA encrypted form),it does now
work,which means I can not enter the tomcat welcome page.


I do not know what the reason is.
Please do me a favor.
thanks so much!

> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
>
> Mark







RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-01 Thread zhongliang zhang
Hi,Mark,
I have to turn to you again.
I encounter the problem with configuring the Digested-Password in the JDBCRealm.
The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as followed:

and in the $TOMCAT_HOME/conf/web.xml,I did the following security-constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customized</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
it works with mysql database which is just for testing.Now in my database table 
users,I insert a record: 
user_name:zhangzhongl
user_pass:zhangzhongl
and in the database table,I insert a record:
role_name:customized
username:zhangzhongl
So,it works before I added the digest attribute to the <Realm> element with
value "SHA" or "MD5".
After I added the digest attribute,I copied the tomcat-juli.jar from 
$TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then start up,
after I entered the username zhangzhongl and clear-text password(Now,in the 
database,I stored the password with SHA encrypted form),it does now work,which 
means I can not enter the tomcat welcome page.
 
I do not know what the reason is.
Please do me a favor.
thanks so much!

> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
>
> Mark

RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-01 Thread zhongliang zhang
Thank you very much for all your replies.
I think because of the time-zone difference between us, while I am in China, we do not have
the same online time, so I replied late.
I will try that way to specify the  element.
thanks a lot.
I do not know whether that feature works well with Tomcat 5.5; if so, I can use
it, or I have to make sure that my system can migrate to Tomcat 6.0.
thanks again for your kindness.

> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
>
> Mark

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-01 Thread Mark Thomas
zhongliang zhang wrote:
> Thanks a lot. I think I got another way to solve the group hierarchical
> problem, but I am not sure about it. maybe you can help me to confirm it: I
> wrote the SQL as followed:
> create or replace view groupview as
> select usertable.username,
>        decode(usertable.locked,0,'Authorizers','UnAuthorizers') as groupname
> from usertable
> where in the usertable there is a field named locked that
> indicates whether the user is locked. so now I can allow everyone in the
> database to login to the system if the user is Authorizers, and I judge the
> user's role. The reason I do so is because there are existing APIs for doing all
> these and there are more than a thousand users in the database, though the
> userid and groupid never be the same. Now I got another problem, the password
> stored in the database is encrypted, which is a common way, but the encrypting
> method is not using some sql script but SHA. So, how can I parse the clear-text
> that I input to SHA password and then compare with that stored
> in the database? Is there a way that I can capture the clear-text password
> and using SHA to encode it then compare it with the password stored in the
> database?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

Mark




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-31 Thread zhongliang zhang
Thanks a lot. I think I got another way to solve the group hierarchical
problem, but I am not sure about it. maybe you can help me to confirm it: I wrote
the SQL as followed:
create or replace view groupview as
select usertable.username,
       decode(usertable.locked,0,'Authorizers','UnAuthorizers') as groupname
from usertable
where in the usertable there is a field named locked that indicates
whether the user is locked. so now I can allow everyone in the database to
login to the system if the user is Authorizers, and I judge the user's role. The
reason I do so is because there are existing APIs for doing all these and there
are more than a thousand users in the database, though the userid and groupid
never be the same. Now I got another problem, the password stored in the database
is encrypted, which is a common way, but the encrypting method is not using some
sql script but SHA. So, how can I parse the clear-text that I input to SHA
password and then compare with that stored
in the database? Is there a way that I can capture the clear-text password
and using SHA to encode it then compare it with the password stored in the
database?

thanks in advance!
> Date: Wed, 31 Oct 2007 10:51:42 +
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Re: [tomcat]How to decrypt the DIGEST authentication?
>
> zhongliang zhang wrote:
> >>> But the application allows creating new group,how do I solve this problem?
> >>
> >> What problem? You need to say what the problem is if we are going to be
> >> able to help.
>
> web.xml doesn't support the dynamic addition of new groups. Further, the
> Realm doesn't understand the concept of hierarchical groups.
>
> > Only the member of group "administrators" have access to the administrative
> > page,and other groups,like "groupA","groupB",... the member of which only
> > have rights to login to the common page.so in the web.xml,I configure like
> > the following:
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>all</web-resource-name>
> >     <url-pattern>/admin</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>Administrators</role-name>
> >   </auth-constraint>
> > </security-constraint>
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>all</web-resource-name>
> >     <url-pattern>/common</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>??</role-name>
> >   </auth-constraint>
> > </security-constraint>
> > <login-config>
> >   <auth-method>DIGEST</auth-method>
> >   <realm-name>JDBCRealm</realm-name>
> > </login-config>
> > How should I configure the "??" part? and further more,It has a inherency
> > relationship between groups, If "Administrators" group contains "groupA",then
> > the members of "groupA" have the administrative privilege,too. That means a
> > group's member can be either a group or a user.In the former situation,It
> > does a tree-search to check whether a user belongs to the "Administrators"
> > group,now,if I use a configuration file,how did I do this check?
>
> There is, however, a way around this. It should be OK for small (few
> thousand groups and users) but it might not scale very well. The SQL below
> is non-optimal but it should give you the idea.
>
> Use Non-Administrators for the common area.
>
> You'll need to modify your server-side SQL some. Again, I don't have an
> Oracle instance to test with so I am going from memory / Google. The syntax
> may not be quite right. This assumes that your groupids are never the same
> as your userids.
>
> CREATE or REPLACE VIEW vAdminGroups AS
> SELECT groupid
> FROM grouptable
> START WITH groupname='Administrators'
> CONNECT BY PRIOR userid=groupid;
>
> CREATE or REPLACE VIEW vAdminUsers AS
> SELECT u.userid as userid, username, 'Administrators' as groupname
> FROM usertable u, vAdminGroups g
> WHERE u.userid = g.userid;
>
> CREATE or REPLACE VIEW vNonAdminUsers AS
> SELECT username, 'NonAdministrators' as groupname
> FROM usertable
> WHERE userid NOT IN (SELECT userid from vAdminUsers);
>
> CREATE or REPLACE VIEW vUserRole AS
> SELECT * FROM vAdminUsers
> UNION
> SELECT * FROM vNonAdminUsers;
>
> Hope this helps.
>
> Mark

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-31 Thread Mark Thomas
zhongliang zhang wrote:
>>> But the application allows creating new group,how do I solve this problem?
>>
>> What problem? You need to say what the problem is if we are going to be
>> able to help.

web.xml doesn't support the dynamic addition of new groups. Further, the
Realm doesn't understand the concept of hierarchical groups.

> Only the member of group "administrators" have access to the administrative
> page,and other groups,like "groupA","groupB",... the member of which only
> have rights to login to the common page.so in the web.xml,I configure like
> the following:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <url-pattern>/admin</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>Administrators</role-name>
>   </auth-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <url-pattern>/common</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>??</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>JDBCRealm</realm-name>
> </login-config>
> How should I configure the "??" part? and further more,It has a inherency
> relationship between groups, If "Administrators" group contains "groupA",then
> the members of "groupA" have the administrative privilege,too. That means a
> group's member can be either a group or a user.In the former situation,It
> does a tree-search to check whether a user belongs to the "Administrators"
> group,now,if I use a configuration file,how did I do this check?

There is, however, a way around this. It should be OK for small (few
thousand groups and users) but it might not scale very well. The SQL below
is non-optimal but it should give you the idea.

Use Non-Administrators for the common area.

You'll need to modify your server-side SQL some. Again, I don't have an
Oracle instance to test with so I am going from memory / Google. The syntax
may not be quite right. This assumes that your groupids are never the same
as your userids.

CREATE or REPLACE VIEW vAdminGroups AS
SELECT groupid
FROM grouptable
START WITH groupname='Administrators'
CONNECT BY PRIOR userid=groupid;

CREATE or REPLACE VIEW vAdminUsers AS
SELECT u.userid as userid, username, 'Administrators' as groupname
FROM usertable u, vAdminGroups g
WHERE u.userid = g.userid;

CREATE or REPLACE VIEW vNonAdminUsers AS
SELECT username, 'NonAdministrators' as groupname
FROM usertable
WHERE userid NOT IN (SELECT userid from vAdminUsers);

CREATE or REPLACE VIEW vUserRole AS
SELECT * FROM vAdminUsers
UNION
SELECT * FROM vNonAdminUsers;

Hope this helps.

Mark


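As an added illustration (not Mark's code and not part of Tomcat), the Python below does in memory what the CONNECT BY views above compute: it walks the group tree from Administrators through any depth of nested groups to the users they contain, then emits the (username, groupname) rows a JDBCRealm userRoleTable pointed at vUserRole would read. It goes one step beyond the SQL by tolerating a cycle in the group graph, which Oracle's CONNECT BY rejects unless NOCYCLE is used; the tables, ids and names are constructed, and group ids and user ids are kept disjoint, as Mark's query assumes.

```python
from collections import deque

# Constructed sample data (not from the thread). Group ids and user ids come
# from disjoint ranges, the same assumption Mark's CONNECT BY query makes.
GROUPS = {1: "Administrators", 2: "groupA", 3: "groupB", 4: "Authorizers"}
USERS = {10: "zhangzhongl", 11: "alice", 12: "bob", 13: "carol"}
# (groupid, memberid) rows, the role grouptable(groupid, userid) plays in the
# SQL: a member is either a user id or another group id.
# groupB -> Administrators deliberately closes a cycle.
MEMBERSHIP = [(1, 10), (1, 2), (2, 11), (2, 3), (3, 12), (4, 13), (3, 1)]


def admin_user_ids(groups, users, membership, root="Administrators"):
    """Collect every user reachable from `root` through nested groups
    (what vAdminGroups joined to usertable yields as vAdminUsers).
    The visited set keeps a cyclic group graph from looping forever."""
    children = {}
    for gid, mid in membership:
        children.setdefault(gid, []).append(mid)
    queue = deque(gid for gid, name in groups.items() if name == root)
    seen_groups, admins = set(), set()
    while queue:
        gid = queue.popleft()
        if gid in seen_groups:
            continue  # already expanded: this is where the cycle is cut
        seen_groups.add(gid)
        for mid in children.get(gid, []):
            if mid in users:
                admins.add(mid)
            elif mid in groups:
                queue.append(mid)
    return admins


def user_roles(groups, users, membership):
    """Rows of the vUserRole view: (username, groupname), with exactly one of
    Administrators / NonAdministrators per user, so a web.xml role-name of
    NonAdministrators can guard the common area as Mark suggests."""
    admins = admin_user_ids(groups, users, membership)
    return sorted(
        (name, "Administrators" if uid in admins else "NonAdministrators")
        for uid, name in users.items()
    )


if __name__ == "__main__":
    for username, groupname in user_roles(GROUPS, USERS, MEMBERSHIP):
        print(f"{username}\t{groupname}")
```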



RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
> > But the application allows creating new group,how do I solve this problem?
>
> What problem? You need to say what the problem is if we are going to be
> able to help.
Only the members of group "administrators" have access to the administrative
page, and other groups, like "groupA", "groupB", ... the members of which only have
rights to login to the common page. so in the web.xml, I configure like the
following:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/admin</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrators</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/common</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>??</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
How should I configure the "??" part? and furthermore, it has an inheritance
relationship between groups: if the "Administrators" group contains "groupA", then
the members of "groupA" have the administrative privilege, too. That means a
group's member can be either a group or a user. In the former situation, it does
a tree-search to check whether a user belongs to the "Administrators"
group; now, if I use a configuration file, how do I do this check?
 
Thanks a lot. Your advice has already give me very good instructions.

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Christopher Schultz

Mark,

Mark Thomas wrote:
> The special role * means all roles defined in your application,
> not all authenticated users. You'll have to create an all users group,
> assign it to every user and then use that in your web.xml

I think it is more precise to say that * means "any role defined in your
application", not just any authenticated user. The * must match
/something/ -- it cannot match /nothing/.

-chris





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
> Thanks a lot.
> In fact, I want just the users of one group, named Administrators, to be able
> to access the administrative page, which can do some privileged operations.
> The common users can access the common user page; they have limited
> privileged operations.
> So, should I configure a number of <security-constraint> elements in my
> web.xml?

Yes.

> But the application allows creating new groups; how do I solve this problem?

What problem? You need to say what the problem is if we are going to be
able to help.

> In the former situation I had a login form and a filter to do this; now I
> think I do not need a login form,

It isn't clear to what form situation you are referring. If you use DIGEST
authentication you do not need a login form.

> can the filter still work for the role check? Or is there any
> mechanism that just needs configuration, not coding?

Neither do you need a filter. Tomcat will do all this for you with a
correctly configured web.xml

Mark




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
Thanks a lot.
In fact, I want just the users of one group, named Administrators, to be able to
access the administrative page, which can do some privileged operations. The
common users can access the common user page; they have limited privileged
operations.
So, should I configure a number of <security-constraint> elements in my web.xml?
But the application allows creating new groups; how do I solve this problem? In
the former situation I had a login form and a filter to do this; now I think I
do not need a login form. Can the filter still work for the role check? Or is
there any mechanism that just needs configuration, not coding?
Thanks a lot for your patience!



> Date: Wed, 31 Oct 2007 01:47:27 +
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Re: [tomcat]How to decrypt the DIGEST authentication?
>
> zhongliang zhang wrote:
> > In the database (Oracle), the tables I use are usertable and grouptable; the
> > association table between them is groupmembertable:
> > usertable has the columns userid, username and password
> > grouptable has the columns groupid, groupname
> > groupmembertable has the columns groupid, userid
> >
> > How do I configure the JDBCRealm in the server.xml of Tomcat?
> > What should be put in userRoleTable and roleNameCol in this situation?
>
> First off, you'll need to create a view as the JDBCRealm requires the
> user role table to contain names, not IDs. Something like (I don't
> have an Oracle instance to check my syntax)
>
> CREATE or REPLACE VIEW vUserRole AS
> SELECT username, groupname
> FROM usertable u, grouptable g, groupmembertable m
> WHERE u.userid=m.userid and g.groupid=m.groupid
>
> Then your realm would be:
>
> <Realm className="org.apache.catalina.realm.JDBCRealm"
>        roleNameCol="groupname"
>        userCredCol="password"
>        userNameCol="username"
>        userRoleTable="vUserRole"
>        userTable="usertable"
>        />
>
> > and if I want all users, regardless of their group, to be able to log in to my
> > application, what should I set in the web.xml in the following
> > element: <role-name>admin</role-name>
> > Set it to *?
>
> No. The special role * means all roles defined in your application,
> not all authenticated users. You'll have to create an all users group,
> assign it to every user and then use that in your web.xml
>
> Mark

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
> In the database (Oracle), the tables I use are usertable and grouptable; the
> association table between them is groupmembertable:
> usertable has the columns userid, username and password
> grouptable has the columns groupid, groupname
> groupmembertable has the columns groupid, userid

> How do I configure the JDBCRealm in the server.xml of Tomcat?
> What should be put in userRoleTable and roleNameCol in this situation?

First off, you'll need to create a view as the JDBCRealm requires the
user role table to contain names, not IDs. Something like (I don't
have an Oracle instance to check my syntax)

CREATE or REPLACE VIEW vUserRole AS
SELECT username, groupname
FROM usertable u, grouptable g, groupmembertable m
WHERE u.userid=m.userid and g.groupid=m.groupid

Then your realm would be:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       roleNameCol="groupname"
       userCredCol="password"
       userNameCol="username"
       userRoleTable="vUserRole"
       userTable="usertable"
       />

> and if I want all users, regardless of their group, to be able to log in to my
> application, what should I set in the web.xml in the following
> element: <role-name>admin</role-name>
> Set it to *?

No. The special role * means all roles defined in your application,
not all authenticated users. You'll have to create an all users group,
assign it to every user and then use that in your web.xml

Mark




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
Thanks a lot for your assurance.
I have another question to ask you.
In the database (Oracle), the tables I use are usertable and grouptable; the
association table between them is groupmembertable:
usertable has the columns userid, username and password
grouptable has the columns groupid, groupname
groupmembertable has the columns groupid, userid
How do I configure the JDBCRealm in the server.xml of Tomcat?

What should be put in userRoleTable and roleNameCol in this situation?
And if I want all users, regardless of their group, to be able to log in to my
application, what should I set in the web.xml in the following
element: <role-name>admin</role-name>
Set it to *?

Thanks in advance for your kindness!




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
> Thanks a lot for everyone's replies.
> I use the JDBCRealm and I store the user information and role information
> in the database, such as Oracle.
> Then in my application I set the security part in the web.xml, which has an
> auth-method of DIGEST.
> So the username and password that the user inputs in the remote client with a
> browser will be digested and sent to the server side.
> Is that right?

Yes.

Mark




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
Thanks a lot for everyone's replies.
I use the JDBCRealm and I store the user information and role information in
the database, such as Oracle.
Then in my application I set the security part in the web.xml, which has an
auth-method of DIGEST.
So the username and password that the user inputs in the remote client with a
browser will be digested and sent to the server side.
Is that right?




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Christopher Schultz

Roger,

Roger Parkinson wrote:
> Think about it the other way around. User types cleartext password,
> tomcat's authentication digests it and then compares with what is on the
> database.

They're talking about HTTP Auth, not Realms and stuff like that. You are
talking about using a crypto digest of passwords in a database. HTTP
DIGEST is different from that:

http://en.wikipedia.org/wiki/Digest_access_authentication

Unfortunately, when using DIGEST authentication, the server either needs
to store the cleartext password or be very careful about retaining
special information that is relevant to DIGEST auth.

-chris





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Roger Parkinson
Think about it the other way around. User types cleartext password,
tomcat's authentication digests it and then compares with what is on the
database. So when they change the password you need to capture the
password in cleartext, digest it yourself, then store it. You don't need
to decrypt it, you actually need to ENCRYPT (ie digest) it.

take a look at: http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
specifically:

"If you are writing an application that needs to calculate digested
passwords dynamically, call the static Digest() method of the
org.apache.catalina.realm.RealmBase class, passing the cleartext
password and the digest algorithm name as arguments. This method will
return the digested password."

Roger

zhongliang zhang wrote:
> Hi,everyone,
> I got a problem with the DIGEST authentication.
> I configured my web.xml as follows:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>app</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>poweruser</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>app</realm-name>
> </login-config>
>
> So, if anybody tries to access my app, he needs to input his username and
> password, while the username and password are stored in the Oracle
> database, not configured in the tomcat-users.xml file located in the
> $tomcat_home/conf/ directory. I cannot configure it in tomcat-users.xml
> because the app has a function to make a new user.
>
> Is there any way to solve this problem?
>
> P.S. I tried to solve it by coding in my program, like adding the following
> code to set the response's status to ask for DIGEST authentication:
> ((HttpServletResponse)
> response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> But I did not find a way to decrypt the DIGEST information.
>
> Any advice will be appreciated!
> thanks.




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
> I checked the URL that you supplied to me, especially the JDBCRealm
> part, for I have stored the username and password in a relational database.
> So, what I need to do is:
> 1. Build the users table and the roles table.
> 2. Configure the org.apache.catalina.realm.JDBCRealm.
> 3. Put the Oracle JDBC driver in $tomcat.home/common/lib.
> 4. Configure the web.xml of my application with the following fragment:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>app</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>poweruser</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>app</realm-name>
> </login-config>
> (What does the realm-name element mean? The JDBCRealm that I just configured?)
It can be whatever you want it to be.

> Then will the username and password that the client inputs be sent to the
> server encrypted?
Yes.

You haven't yet said what the problem is or what isn't working.

Mark





RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang

I checked the URL that you supplied to me, especially the JDBCRealm part, for
I have stored the username and password in a relational database.
So, what I need to do is:
1. Build the users table and the roles table.
2. Configure the org.apache.catalina.realm.JDBCRealm.
3. Put the Oracle JDBC driver in $tomcat.home/common/lib.
4. Configure the web.xml of my application with the following fragment:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>poweruser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>app</realm-name>
</login-config>
(What does the realm-name element mean? The JDBCRealm that I just configured?)

Then will the username and password that the client inputs be sent to the server
encrypted?
Thanks in advance!
 

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-29 Thread Lucas Galfaso
Hi,

  Digest authentication involves multiple MD5s including the username,
password, url, realm, random data... Believe me when I tell you that
there is no way that you will get the password from the digest (in
fact, it was designed this way so this is not feasible.)

  For your original question, you may want to check this
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

Regards,
  lg

On Oct 30, 2007 1:50 AM, zhongliang zhang <[EMAIL PROTECTED]> wrote:
> Hi,everyone,
> I got a problem with the DIGEST authentication.
> I configured my web.xml as follows:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>app</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>poweruser</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>app</realm-name>
> </login-config>
>
> So, if anybody tries to access my app, he needs to input his username and
> password, while the username and password are stored in the Oracle
> database, not configured in the tomcat-users.xml file located in the
> $tomcat_home/conf/ directory. I cannot configure it in tomcat-users.xml
> because the app has a function to make a new user.
>
> Is there any way to solve this problem?
>
> P.S. I tried to solve it by coding in my program, like adding the following
> code to set the response's status to ask for DIGEST authentication:
> ((HttpServletResponse)
> response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> But I did not find a way to decrypt the DIGEST information.
>
> Any advice will be appreciated!
> thanks.

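What Lucas describes above (the response is several chained MD5s over username, realm, nonce, URI and more, and cannot be reversed to the password) and what Chris points out (the server needs either the cleartext password or the DIGEST-specific value), shown as an added example that is not code from the thread or from Tomcat: both sides of an RFC 2617 qop=auth exchange in Python, with the server holding only MD5(username:realm:password). The username and realm name JDBCRealm in the demo run are taken from the thread; the nonces and the stored-credential form (the value the realm-howto's digest tool produces) are assumptions, and the module-level names are my own.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """MD5(username:realm:password): the only secret the server has to keep.
    This is what a realm stores in userCredCol for DIGEST auth (assumed per
    the realm-howto); it is bound to the realm name, so changing <realm-name>
    invalidates every stored credential."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    with HA2 = MD5(method:uri). One-way in every input, password included."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_challenge(realm: str) -> dict:
    """The 401 WWW-Authenticate challenge: a fresh random nonce the server remembers."""
    return {"realm": realm, "qop": "auth", "nonce": secrets.token_hex(16)}


def client_authorize(username: str, password: str, challenge: dict,
                     method: str, uri: str, nc: str = "00000001",
                     cnonce: str = "") -> dict:
    """What the browser puts in the Authorization header: never the password,
    only the response hash plus the public parameters needed to recompute it."""
    cnonce = cnonce or secrets.token_hex(8)
    h1 = ha1(username, challenge["realm"], password)
    return {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(h1, method, uri, challenge["nonce"], nc, cnonce),
    }


def server_verify(auth: dict, method: str, stored_ha1: str, issued_nonce: str) -> bool:
    """Recompute the response from the stored HA1 and compare in constant time.
    The server never sees, stores or needs the cleartext password."""
    if auth.get("nonce") != issued_nonce or auth.get("qop") != "auth":
        return False  # stale, replayed or foreign nonce
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    # Demo run with the thread's user and realm; "secret" is a constructed password.
    stored = ha1("zhangzhongl", "JDBCRealm", "secret")   # the userCredCol row
    chal = server_challenge("JDBCRealm")
    auth = client_authorize("zhangzhongl", "secret", chal, "GET", "/admin")
    print("verified:", server_verify(auth, "GET", stored, chal["nonce"]))
```

Two practical consequences follow from the code: the stored HA1 is as good as a password for Digest (anyone who reads the table can answer challenges, so the credential column needs the same protection as a cleartext one), and without SSL a captured Authorization header can still be dictionary-attacked offline, since every input except the password is in the clear.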