It's interesting, you know. I read a book called "Professional Apache Tomcat" published by Wrox. In Chapter 16, Tomcat Security, the author says:

- Not all browsers support DIGEST authentication, so you can't guarantee that all clients will be able to authenticate... Internet Explorer and Konqueror are two browsers that do support DIGEST authentication. Mozilla 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize this), but can't authenticate.

- DIGEST authentication doesn't work if the passwords are digested on the Tomcat side (so that they can't be read as cleartext) because of the way that the DIGEST mechanism calculates its digest. First of all, the browser calculates a digest of the username, the password, the URL, the HTTP method, and a random string sent to it by the server. Likewise, the server creates a digest to verify that the details entered by the user are correct. However, as the password is already digested on the server, and thus completely different from the cleartext version entered into the browser, the two digests will be different, and authentication will fail...

-----Original Message-----
From: Phillip Qin [mailto:[EMAIL PROTECTED]
Sent: October 7, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the same time.

I don't think MD5+DIGEST will work. Take a look at any subclass of RealmBase. Realm has nothing to do with the web.xml <login-config> attribute. In the authenticate method, Realm checks hasMessageDigest() - the value of Realm digest=. If hasMessageDigest, in your case =MD5, Realm digests the password and compares it with the value stored in the database.

-----Original Message-----
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

> Have you tried it based on the howto?

Yep. Here's what I tried (all with o.a.c.r.MemoryRealm):

clear text + BASIC -> works!
clear text + DIGEST -> works!
MD5 digest + BASIC -> works!
SHA digest + BASIC -> works!
MD5 digest + DIGEST -> doesn't work!
SHA digest + DIGEST -> doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai

--
Shinobu Kawai <[EMAIL PROTECTED]>
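To show why the book's explanation and Shinobu's test matrix line up, here is an added Python model of the RFC 2617 digest computation; it is not code from the thread or from Tomcat. The user, realm, nonce and URI are constructed values, the "md5" case assumes the realm plugs its stored digest straight into HA1 as the thread describes, and the "ha1" case goes beyond the thread: it is the H(username:realm:password) form that RFC 2617 lets a server store instead of the cleartext password.

```python
import hashlib

# Constructed sample exchange: user, realm, nonce and URI are made up for this example.
USER, REALM, PASSWORD = "alice", "Tomcat Manager Application", "s3cret"
METHOD, URI, NONCE = "GET", "/manager/html", "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def client_response(password: str) -> str:
    """What the browser sends: the RFC 2617 response without qop, H(HA1:nonce:HA2),
    with HA1 = H(user:realm:password) and HA2 = H(method:uri)."""
    ha1 = md5_hex(f"{USER}:{REALM}:{password}")
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{NONCE}:{ha2}")


def server_accepts(stored: str, stored_form: str, response: str) -> bool:
    """Model of a realm checking a DIGEST response against its stored credential.
    stored_form: 'cleartext' (no realm digest), 'md5' (realm digest="MD5", the
    thread's failing case) or 'ha1' (H(user:realm:password), the form RFC 2617
    allows a server to keep instead of the password). Assumption: a cleartext or
    md5 credential is used as the 'password' inside HA1, as the thread describes."""
    if stored_form in ("cleartext", "md5"):
        ha1 = md5_hex(f"{USER}:{REALM}:{stored}")
    elif stored_form == "ha1":
        ha1 = stored
    else:
        raise ValueError(f"unknown stored form: {stored_form}")
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{NONCE}:{ha2}") == response


def run_matrix() -> dict:
    """Reproduce the thread's DIGEST observations, plus the HA1 variant."""
    md5_pw = md5_hex(PASSWORD)                       # what realm digest="MD5" stores
    ha1_pw = md5_hex(f"{USER}:{REALM}:{PASSWORD}")   # RFC 2617 H(A1), usable without the password
    return {
        "cleartext + DIGEST": server_accepts(PASSWORD, "cleartext", client_response(PASSWORD)),
        "md5 + DIGEST": server_accepts(md5_pw, "md5", client_response(PASSWORD)),
        "md5 + DIGEST, user types the digest": server_accepts(md5_pw, "md5", client_response(md5_pw)),
        "ha1 + DIGEST": server_accepts(ha1_pw, "ha1", client_response(PASSWORD)),
    }


if __name__ == "__main__":
    for case, ok in run_matrix().items():
        print(f"{case:38} -> {'works' if ok else 'fails'}")
```

The third case is Shinobu's "if I enter the digested password, it passes": the server's HA1 is built from the stored MD5 string, so only a client that types that same string can match it.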