Hi Phillip,

Thanks for the information.

> - Not all browsers supported DIGEST authentication, so you can't guarantee
> that all clients will be able to authenticate... Internet Explorer and
> Konqueror are two browsers that do support DIGEST authentication. Mozilla
> 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize
> this), but can't authenticate.
This is cleared, since we are using IE 6.

> - DIGEST authentication doesn't work if the passwords are digested on the
> Tomcat side (so that they can't be read as cleartext) because of the way
> that DIGEST mechanism calculates its digest. First of all the browser
> calculates a digest of the username, the password, the URL, the HTTP method,
> and a random string sent to it by the server. Likewise, the server creates a
> digest to verify that the details entered by the user are correct. However,
> as the password is already digested on the server, and thus completely
> different from the cleartext version entered into the browser, the two
> digests will be different, and authentication will fail...
So here's my problem.  I looked further into this, and found a
solution, which I would like to share.

First, if you take a look at the DIGEST authentication spec at
 http://www.faqs.org/rfcs/rfc2617.html
you will see in section 3.2.2.2 A1 that, for MD5, the hashed result
depends on username, realm and password, which means that if I couple the
usernames with the realm, it is possible to hash the passwords stored
in the server.

Next, I found where the A1 is being calculated in Tomcat:
 RealmBase#getDigest(String username, String realmName)
If I override this method to return the hashed password, the digested
password and DIGEST authentication should work together.

In order to test my theory, I have created a Realm that does the
above, extending MemoryRealm:
 http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableMemoryRealm.java
I set it in my Context using:
 <Context path="/shinobu" docBase="shinobu"
          workDir="work\Catalina\localhost\shinobu">
   <Realm className="org.ieee.shinobu.demo.tomcat.DigestableMemoryRealm"
          digest="MD5" pathname="conf/shinobu-users.xml" />
 </Context>

Inside my shinobu-users.xml:
 <tomcat-users>
   <role rolename="shinobu.admin"/>
   <user username="md5a1_admin"
         password="57348f05c8378963c2d52ec456f6b6fd" roles="shinobu.admin"/>
 </tomcat-users>
The password is "md5a1_admin:Shinobu's domain:shinobu_admin" digested with MD5.

I set authentication to DIGEST in my web.xml:
 <web-app>
   <security-constraint>
     <web-resource-collection>
       <url-pattern>/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>shinobu.admin</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>DIGEST</auth-method>
     <realm-name>Shinobu's domain</realm-name>
   </login-config>
   <security-role>
     <role-name>shinobu.admin</role-name>
   </security-role>
 </web-app>

I access http://localhost:8080/shinobu/admin/ and voilà!  It works!

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai <[EMAIL PROTECTED]>
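
Added example (not code from the mail, nor from Tomcat): the RFC 2617 arithmetic behind the approach, written in Python rather than Java. It shows that the server can verify a Digest response from the stored HA1 = MD5(username:realm:password) alone, while a store of MD5(password) fails as the quoted note describes. The nonce, cnonce and request URI are constructed values; the realm, username and password are the ones the mail names.

```python
import hashlib
import hmac

# Realm and user from the mail's configuration; password is the one the mail says it hashed.
REALM = "Shinobu's domain"
USERNAME = "md5a1_admin"
PASSWORD = "shinobu_admin"
METHOD, URI = "GET", "/shinobu/admin/"
# Constructed values for this example (a real server issues a fresh nonce per challenge).
NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 3.2.2.2, A1 for MD5: this digest is all the server needs to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """RFC 2617 3.2.2.3, A2 for qop=auth (or no qop)."""
    return md5_hex(f"{method}:{uri}")


def request_digest(h1: str, nonce: str, h2: str, qop=None, nc="00000001", cnonce="") -> str:
    """RFC 2617 3.2.2.1 response value; the same formula runs on both sides."""
    if qop is None:  # RFC 2069 compatibility form
        return md5_hex(f"{h1}:{nonce}:{h2}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def browser_response(username, realm, password, nonce, method, uri, qop="auth", cnonce=CNONCE):
    """Client side: the browser holds the cleartext password, so it derives HA1 itself."""
    return request_digest(ha1(username, realm, password), nonce, ha2(method, uri), qop, "00000001", cnonce)


def server_verify(stored_secret, nonce, method, uri, response, qop="auth", cnonce=CNONCE):
    """Server side: recompute from the stored secret only (the role RealmBase#getDigest plays)."""
    expected = request_digest(stored_secret, nonce, ha2(method, uri), qop, "00000001", cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    resp = browser_response(USERNAME, REALM, PASSWORD, NONCE, METHOD, URI)
    # Storing HA1 (what the mail's realm returns) verifies...
    ok_ha1 = server_verify(ha1(USERNAME, REALM, PASSWORD), NONCE, METHOD, URI, resp)
    # ...while a plain MD5(password) store cannot, because A1 also covers username and realm.
    ok_plain = server_verify(md5_hex(PASSWORD), NONCE, METHOD, URI, resp)
    return ok_ha1, ok_plain
```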
