Hi,
Thank you for posting this fine explanation and solution so that others
may learn.  It always makes my day when people figure out good
solutions!

Now if the Red Sox win, this will truly be a great day! ;)  But a good
weekend to all, regardless...

Yoav Shapira
Millennium Research Informatics


>-----Original Message-----
>From: Shinobu Kawai [mailto:[EMAIL PROTECTED]
>Sent: Friday, October 08, 2004 1:14 AM
>To: Tomcat Users List
>Subject: Re: Using Digested Passwords and DIGEST Authentication at the same time.
>
>Hi Phillip,
>
>Thanks for the information.
>
>> - Not all browsers supported DIGEST authentication, so you can't guarantee
>> that all clients will be able to authenticate... Internet Explorer and
>> Konqueror are two browsers that do support DIGEST authentication. Mozilla
>> 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize
>> this), but can't authenticate.
>This is cleared, since we are using IE 6.
>
>> - DIGEST authentication doesn't work if the passwords are digested on the
>> Tomcat side (so that they can't be read as cleartext) because of the way
>> that DIGEST mechanism calculates its digest. First of all the browser
>> calculates a digest of the username, the password, the URL, the HTTP method,
>> and a random string sent to it by the server. Likewise, the server creates a
>> digest to verify that the details entered by the user are correct. However,
>> as the password is already digested on the server, and thus completely
>> different from the cleartext version entered into the browser, the two
>> digests will be different, and authentication will fail...
>So here's my problem.  I looked further into this, and found a
>solution, which I would like to share.
>
>First, if you take a look at the DIGEST authentication spec at
> http://www.faqs.org/rfcs/rfc2617.html
>You will see in section 3.2.2.2 A1, that for MD5, the hashed result
>depends on username, realm and password.  Which means, if I couple the
>usernames with the realm, it is possible to hash the passwords stored
>in the server.
>
>Next, I found where the A1 is being calculated in Tomcat:
> RealmBase#getDigest(String username, String realmName)
>If I override this method to return the hashed password, the digested
>password and DIGEST authentication should work together.
>
>In order to test my theory, I have created a Realm that does the
>above, extending MemoryRealm:
> http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableMemoryRealm.java
>I set it in my Context using:
> <Context path="/shinobu" docBase="shinobu"
>          workDir="work\Catalina\localhost\shinobu">
>   <Realm className="org.ieee.shinobu.demo.tomcat.DigestableMemoryRealm"
>          digest="MD5" pathname="conf/shinobu-users.xml" />
> </Context>
>
>Inside my shinobu-users.xml:
> <tomcat-users>
>   <role rolename="shinobu.admin"/>
>   <user username="md5a1_admin"
>password="57348f05c8378963c2d52ec456f6b6fd" roles="shinobu.admin"/>
> </tomcat-users>
>The password is "md5a1_admin:Shinobu's domain:shinobu_admin" digested with
>MD5.
>
>I set authentication to DIGEST in my web.xml:
> <web-app>
>   <security-constraint>
>     <web-resource-collection>
>       <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>shinobu.admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>DIGEST</auth-method>
>     <realm-name>Shinobu's domain</realm-name>
>   </login-config>
>   <security-role>
>     <role-name>shinobu.admin</role-name>
>   </security-role>
> </web-app>
>
>I access http://localhost:8080/shinobu/admin/ and voilà!  It works!
>
>Best regards,
>-- Shinobu Kawai
>
>--
>Shinobu Kawai <[EMAIL PROTECTED]>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
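The scheme in the quoted post, worked through as an added Python example (not code from the post or from Tomcat): the server keeps only HA1 = MD5(username:realm:password) and still verifies a Digest response, because the browser's own computation starts from that same HA1. The realm, username and password are the ones from the post; the nonce, URI and the wrong-password case are constructed here. It also shows why the stored value is tied to the realm-name: an HA1 made under a different realm string no longer verifies.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 3.2.2.2, A1 for algorithm=MD5. This hex string is all the
    # server has to keep; it is what a getDigest() override would return.
    return md5_hex(f"{username}:{realm}:{password}")

def ha2(method: str, uri: str) -> str:
    # A2 for qop=auth or no qop: only the method and request URI.
    return md5_hex(f"{method}:{uri}")

def digest_response(a1_hex, nonce, a2_hex, qop=None, nc=None, cnonce=None):
    # request-digest per RFC 2617 3.2.2.1, with and without the qop extension
    if qop is None:
        return md5_hex(f"{a1_hex}:{nonce}:{a2_hex}")
    return md5_hex(f"{a1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{a2_hex}")

def browser_response(username, realm, password, method, uri, nonce, **qop_args):
    # What the client computes from the cleartext password the user typed.
    return digest_response(ha1(username, realm, password), nonce,
                           ha2(method, uri), **qop_args)

def server_verify(stored_ha1, method, uri, nonce, response, **qop_args):
    # The server recomputes from the stored HA1; the cleartext is never needed.
    expected = digest_response(stored_ha1, nonce, ha2(method, uri), **qop_args)
    return hmac.compare_digest(expected, response)

# Realm, user and password from the post; the nonce below is generated here.
REALM = "Shinobu's domain"
USER = "md5a1_admin"
STORED = {USER: ha1(USER, REALM, "shinobu_admin")}  # value kept in tomcat-users.xml

def demo(uri: str = "/shinobu/admin/", method: str = "GET") -> dict:
    nonce = secrets.token_hex(16)
    good = browser_response(USER, REALM, "shinobu_admin", method, uri, nonce)
    bad = browser_response(USER, REALM, "not-the-password", method, uri, nonce)
    # HA1 is bound to the realm string: a hash made under another realm name
    # (e.g. after renaming <realm-name> in web.xml) no longer verifies.
    renamed = ha1(USER, "Some other realm", "shinobu_admin")
    return {
        "accepts_correct": server_verify(STORED[USER], method, uri, nonce, good),
        "rejects_wrong_password": not server_verify(STORED[USER], method, uri, nonce, bad),
        "realm_bound": not server_verify(renamed, method, uri, nonce, good),
    }
```

Because the stored HA1 is enough to produce a valid response, the users file must be protected as carefully as a cleartext password file would be; the hashing only stops someone from learning the password itself.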
