I apologize in advance if I am sending this bug report/fix to the wrong group or if the fix has already been implemented.
Using JDK1.3.01 and Tomcat 4.1.12, and sun.net.HttpURLConnection, Digest Authentication does not work. The sun.net.HttpURLConnection class responds to the WWW-Authenticate challenge with an HTTP Authorization header that contains no 'nc', 'nonce' or 'qop' parameters. Although this may not be very efficient, as best as I can tell from the spec, this is a legal response.

org.apache.catalina.realm.RealmBase (line 373) calculates:

    String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":" + cnonce + ":" + qop + ":" + md5a2;

These null parameters get added to the string as ":null" and the MD5 encoded result 'serverDigest' does not match the 'clientDigest' and authentication fails.

Replacing the 'serverDigestValue' with the following fixes the problem:

    String serverDigestValue = md5a1 + ":" + nOnce;
    if (nc != null) serverDigestValue += ":" + nc;
    if (cnonce != null) serverDigestValue += ":" + cnonce;
    if (qop != null) serverDigestValue += ":" + qop;
    serverDigestValue += ":" + md5a2;

==================================================================

To reproduce the problem:

1) Start with a Tomcat 4.1.12 site with some pages requiring digest authentication. Assume username,password = "myName","myPassword"

2) Define authenticator

    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    public class AuthImpl extends Authenticator {
        // Authentication Method
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("myName", "myPassword".toCharArray());
        }
    }

3) Access the pages with the following

    // Needs java.io.InputStream, java.net.Authenticator,
    // java.net.HttpURLConnection and java.net.URL.
    Authenticator.setDefault(new AuthImpl());
    URL url = new URL("http://localhost/foo.html");
    // openConnection() returns URLConnection, so a cast is required
    HttpURLConnection uc = (HttpURLConnection) url.openConnection();
    InputStream in = uc.getInputStream();
    byte buf[] = new byte[4096];
    int readNum;
    while ((readNum = in.read(buf, 0, 4096)) > 0) {
        // if (out!=null) out.write(buf,0,readNum);
    }
    int status = ((HttpURLConnection) uc).getResponseCode();

Authentication will fail until corrected as described above.
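Added example, not part of the original message and not Tomcat's code: RFC 2617 section 3.2.2.1 defines exactly two request-digest forms, one with qop (nonce:nc:cnonce:qop) and one without (nonce only), so a server-side check can select the form from qop instead of testing each field separately. The class and method names, the realm and the nonce are constructed for illustration, and the code assumes a current JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestResponseCheck {
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Expected response, choosing the RFC 2617 form from the presence of qop.
    static String expected(String ha1, String nonce, String nc,
                           String cnonce, String qop, String ha2) throws Exception {
        if (qop == null) {                       // legacy (RFC 2069 compatible) form
            return md5Hex(ha1 + ":" + nonce + ":" + ha2);
        }
        if (nc == null || cnonce == null) {      // qop present: both are mandatory
            throw new IllegalArgumentException("qop requires nc and cnonce");
        }
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Compare digests without an early exit on the first differing byte.
    static boolean matches(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; user, password and URI follow the message above.
        String ha1 = md5Hex("myName:exampleRealm:myPassword");
        String ha2 = md5Hex("GET:/foo.html");
        String nonce = "constructed-nonce-0001";

        // Response from a client that sends no qop, nc or cnonce.
        String client = md5Hex(ha1 + ":" + nonce + ":" + ha2);

        // Unconditional concatenation turns each missing field into ":null".
        String nc = null, cnonce = null, qop = null;
        String concat = md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce
                + ":" + qop + ":" + ha2);

        System.out.println("unconditional concat matches client: " + matches(concat, client));
        System.out.println("qop-selected form matches client:    "
                + matches(expected(ha1, nonce, nc, cnonce, qop, ha2), client));
    }
}
```

Unlike the per-field null checks, this rejects a header that carries qop but omits nc or cnonce rather than hashing a partial string.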