Hello,

In Tomcat 4.0 it is possible to use BASIC authentication together with encrypted passwords (e.g. by adding the attribute digest="MD5" to a <Realm/> element), or DIGEST with passwords stored only in clear text. It's not possible to use DIGEST authentication together with encrypted passwords. The reason is getDigest(username, realmName) in the RealmBase class, which calculates the digest from username + ":" + realmName + ":" + getPassword(username):

    protected String getDigest(String username, String realmName) {
        if (md5Helper == null) {
            try {
                md5Helper = MessageDigest.getInstance("MD5");
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
                throw new IllegalStateException();
            }
        }
        String digestValue = username + ":" + realmName + ":"
            + getPassword(username);
        byte[] digest = md5Helper.digest(digestValue.getBytes());
        return md5Encoder.encode(digest);
    }

What about storing those digest values directly inside the password attributes of tomcat-user.xml, e.g. using:

    java org.apache.catalina.realm.RealmBase \
        -a {algorithm} "{username}:{realm}:{cleartext-password}"

and first checking if a MessageDigest is available in RealmBase?

    protected String getDigest(String username, String realmName) {
        if (md5Helper == null) {
            try {
                md5Helper = MessageDigest.getInstance("MD5");
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
                throw new IllegalStateException();
            }
        }
        if (hasMessageDigest()) {
            return getPassword(username);
        } else {
            String digestValue = username + ":" + realmName + ":"
                + getPassword(username);
            byte[] digest = md5Helper.digest(digestValue.getBytes());
            return md5Encoder.encode(digest);
        }
    }

Best regards,

Norbert Klose.
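The proposal above rests on the fact that a DIGEST response can be checked from the stored MD5(username:realm:password) alone. The following is an added example, not code from the message or from Tomcat: the class and method names are hypothetical, qop=auth is assumed, and the sample values are the ones from the RFC 2617 section 3.5 example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; class and method names are hypothetical, not Tomcat's.
public class StoredDigestDemo {

    // Lower-case hex MD5 of a string, the encoding HTTP Digest uses.
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(s.getBytes(StandardCharsets.ISO_8859_1))) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Expected "response" for qop=auth, computed only from the stored
    // MD5(username:realm:password); the cleartext password is never needed.
    static String expectedResponse(String storedA1, String method, String uri,
            String nonce, String nc, String cnonce) throws NoSuchAlgorithmException {
        String a2 = md5Hex(method + ":" + uri);
        return md5Hex(storedA1 + ":" + nonce + ":" + nc + ":" + cnonce
                + ":auth:" + a2);
    }

    // Constant-time comparison of two hex strings.
    static boolean sameDigest(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                b.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Sample values from the RFC 2617 section 3.5 example.
        String user = "Mufasa", realm = "testrealm@host.com", pass = "Circle Of Life";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String fromClient = "6629fae49393a05397450978507c4ef1"; // response in the RFC

        // Value that would be written into the password attribute once.
        String stored = md5Hex(user + ":" + realm + ":" + pass);
        String expected = expectedResponse(stored, "GET", "/dir/index.html",
                nonce, "00000001", "0a4f113b");
        System.out.println("stored value: " + stored);
        System.out.println("verified:     " + sameDigest(expected, fromClient));

        // The stored value is bound to the realm name it was generated with.
        String wrongRealm = md5Hex(user + ":other-realm:" + pass);
        System.out.println("other realm:  " + sameDigest(expectedResponse(wrongRealm,
                "GET", "/dir/index.html", nonce, "00000001", "0a4f113b"), fromClient));
    }
}
```

Because the stored value is all that is needed to compute a valid response, it is password-equivalent for DIGEST within that realm, and the users file needs the same protection as a cleartext one. Changing the realm name invalidates every stored value.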