On 23/12/2009 16:49, Christopher Schultz wrote:
> The servlet specification actually makes DIGEST authentication optional
> for spec-compliant containers, which is interesting. There is also no
> (standard) way to configure the algorithm for DIGEST authentication.
> Tomcat allows you to do it using the "digest" attribute of the <Realm>
> element.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

Not quite.

digest is (almost) completely orthogonal to DIGEST authentication.

digest controls whether or not the password stored on the server is held
in plain text or in digest form. It is (almost) independent of the
authentication mechanism used.

DIGEST is the authentication mechanism between the client and the server.

Unfortunately, due to the way DIGEST auth works, if you want digested
passwords and DIGEST authentication you have to generate your password
digests slightly differently.

> Note that the documentation erroneously enumerates the supported
> algorithms as MD2, MD5, and SHA, though all algorithms supported by the
> JVM are actually allowed (unless "SHA" refers to all SHA-n varieties).

You know what I am going to say :). Patches for the documentation are
always welcome.

Mark
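
The difference between the two kinds of stored digest, as an added example that is not part of the original message and not Tomcat's code. It assumes MD5 with the {username}:{realm}:{password} cleartext (HA1 in RFC 2617) for DIGEST authentication and qop=auth; the function names are hypothetical and the sample values are those of the worked example in RFC 2617, section 3.5.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def stored_simple(password):
    # digest="MD5" entry usable with BASIC/FORM: hash of the password alone.
    return md5_hex(password)

def stored_for_digest_auth(username, realm, password):
    # Entry usable with DIGEST auth: RFC 2617 HA1 over user, realm and password.
    return md5_hex(f"{username}:{realm}:{password}")

def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    # What the browser sends for qop=auth; it always starts from the cleartext.
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_accepts(stored, method, uri, nonce, nc, cnonce, response):
    # The server has only the stored value, so it must already be HA1.
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)

# Sample exchange: the values of the worked example in RFC 2617, section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
REQ = ("GET", "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
       "00000001", "0a4f113b")

def demo():
    response = client_response(USER, REALM, PASSWORD, *REQ)
    ha1_entry = stored_for_digest_auth(USER, REALM, PASSWORD)
    return {
        "response": response,
        "ha1_entry_accepted": server_accepts(ha1_entry, *REQ, response),
        "password_only_entry_accepted":
            server_accepts(stored_simple(PASSWORD), *REQ, response),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A stored HA1 value is enough on its own to compute valid DIGEST responses for that realm, so the credential store needs the same protection as cleartext passwords. Because the realm name is part of the hash, changing it invalidates every stored entry.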
