Thanks a lot for everyone's replies.
I use the JDBCRealm and I store the users' information and roles information in
the database, such as Oracle.
Then in my application I set the security part in the web.xml, which has an
auth-method with DIGEST.
So, the username and password that the user inputs in the remote client with a
browser will be digested and sent to the server side.
Is that right?



> Date: Tue, 30 Oct 2007 18:33:08 -0400
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Re: [tomcat]How to decrypt the DIGEST authentication?
>
> Roger,
>
> Roger Parkinson wrote:
> > Think about it the other way around. User types cleartext password,
> > tomcat's authentication digests it and then compares with what is on the
> > database.
>
> They're talking about HTTP Auth, not Realms and stuff like that. You are
> talking about using a crypto digest of passwords in a database. HTTP
> DIGEST is different from that:
>
> http://en.wikipedia.org/wiki/Digest_access_authentication
>
> Unfortunately, when using DIGEST authentication, the server either needs
> to store the cleartext password or be very careful about retaining
> special information that is relevant to DIGEST auth.
>
> -chris