Mark,

On 12/23/2009 2:13 PM, Mark Thomas wrote:
> On 23/12/2009 16:49, Christopher Schultz wrote:
>> The servlet specification actually makes DIGEST authentication optional
>> for spec-compliant containers, which is interesting. There is also no
>> (standard) way to configure the algorithm for DIGEST authentication.
>> Tomcat allows you to do it using the "digest" attribute of the <Realm>
>> element.
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
>
> Not quite.
>
> digest is (almost) completely orthogonal to DIGEST authentication.
>
> digest controls whether or not the password stored on the server is held
> in plain text or in digest form. It is (almost) independent of the
> authentication mechanism used.
>
> DIGEST is the authentication mechanism between the client and the server.

Heh, right. I had indigestion when I was reading all that documentation.

Using DIGEST authentication implies no "digest" in the <Realm> because
the passwords stored in the database are already hashed (or "digested").
Adding another digest="MD5" will simply re-hash the already-digested
credentials. I suppose someone would consider that more secure, since
it's got "more security".

> Unfortunately, due to the way DIGEST auth works, if you want digested
> passwords and DIGEST authentication you have to generate your password
> digests slightly differently.

Yup: double-digested, like a cow.

>> Note that the documentation erroneously enumerates the supported
>> algorithms as MD2, MD5, and SHA, though all algorithms supported by the
>> JVM are actually allowed (unless "SHA" refers to all SHA-n varieties).
>
> You know what I am going to say :). Patches for the documentation are
> always welcome.

Actually, I'm shocked you'd say something like that :)

-chris
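The exchange above turns on one detail: a server doing HTTP DIGEST authentication never sees the plaintext password, so the value it stores cannot be a plain MD5(password) of the kind a digest="MD5" Realm produces; it has to be the RFC 2617 "HA1" value, MD5(username:realm:password), computed over the realm name as well. The following is an added example, not code from this thread or from Tomcat, that walks both sides of an RFC 2617 exchange with the RFC's own published test vector (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") so the expected response is a known value. The `RFC_*` constants are taken from RFC 2617 section 3.5; the helper names and the in-memory "user store" are constructed for illustration and do not model any Tomcat API.

```python
"""RFC 2617 HTTP Digest authentication, both sides, with the RFC's test vector.

Added example; not Tomcat code. Shows why a realm used for DIGEST auth must
store MD5(user:realm:password) (RFC 2617 "HA1") and not MD5(password).
"""
import hashlib
import secrets

# Test vector from RFC 2617 section 3.5 (published values, not constructed).
RFC_USER = "Mufasa"
RFC_REALM = "testrealm@host.com"
RFC_PASSWORD = "Circle Of Life"
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_URI = "/dir/index.html"
RFC_METHOD = "GET"
RFC_NC = "00000001"
RFC_CNONCE = "0a4f113b"
RFC_QOP = "auth"
RFC_EXPECTED_RESPONSE = "6629fae49393a05397450978507c4ef1"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What a DIGEST-capable server must store: MD5(user:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def plain_digest(password: str) -> str:
    """What a realm configured with digest="MD5" stores for BASIC/FORM
    logins: MD5(password) only. It is *not* usable for DIGEST auth."""
    return md5_hex(password)


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_respond(username: str, realm: str, password: str, nonce: str,
                   method: str, uri: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side: it knows the plaintext password and derives HA1 itself."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  nc: str, cnonce: str, qop: str, response: str) -> bool:
    """Server side: recompute the response from the *stored* HA1 only.
    The plaintext password is never needed; a constant-time compare avoids
    leaking how many leading hex digits matched."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, qop, ha2(method, uri))
    return secrets.compare_digest(expected, response)


def rfc_vector_response() -> str:
    """The client's response for the RFC 2617 test vector."""
    return client_respond(RFC_USER, RFC_REALM, RFC_PASSWORD, RFC_NONCE,
                          RFC_METHOD, RFC_URI, RFC_NC, RFC_CNONCE, RFC_QOP)


def verify_against_store(stored_value: str) -> bool:
    """Verify the RFC vector response against whatever the server stored."""
    return server_verify(stored_value, RFC_NONCE, RFC_METHOD, RFC_URI,
                         RFC_NC, RFC_CNONCE, RFC_QOP, rfc_vector_response())


if __name__ == "__main__":
    # Constructed user store: a correctly provisioned DIGEST realm holds HA1.
    store_ok = {RFC_USER: ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)}
    # Misprovisioned: the same password run through a digest="MD5" realm.
    store_bad = {RFC_USER: plain_digest(RFC_PASSWORD)}
    print("response      :", rfc_vector_response())
    print("HA1 store ok  :", verify_against_store(store_ok[RFC_USER]))
    print("MD5(pw) store :", verify_against_store(store_bad[RFC_USER]))
```

Running it shows the same password yielding two different stored values: only the realm-qualified HA1 lets the server validate the client's response, which is exactly why the digests for a DIGEST-authenticated realm have to be generated "slightly differently" from those of a BASIC/FORM realm with digest="MD5".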