On 24/12/2009 02:18, Christopher Schultz wrote:
> On 12/23/2009 2:13 PM, Mark Thomas wrote:
>> digest is (almost) completely orthogonal to DIGEST authentication.
> 
>> digest controls whether or not the password stored on the server is held
>> in plain text or in digest form. It is (almost) independent of the
>> authentication mechanism used.
> 
>> DIGEST is the authentication mechanism between the client and the server.
> 
> Heh, right. I had indigestion when I was reading all that documentation.
> Using DIGEST authentication implies no "digest" in the <Realm> because
> the passwords stored in the database are already hashed (or "digested").
> Adding another digest="MD5" will simply re-hash the already-digested
> credentials. I suppose someone would consider that more secure, since
> it's got "more security".

Still not quite right. I'll try again.

You can use DIGEST authentication and still have the passwords stored in
the database in plain text.

Only the Realm's digest attribute controls whether the password is
stored in digested form.

Only the authentication mechanism (ignoring SSL) determines if the
password is transmitted in plain text. BASIC and FORM transmit the
password in plain text. DIGEST doesn't.

A Realm's digest attribute is independent of the authentication
mechanism apart from one situation: if you store passwords in digested
form and use DIGEST authentication, then, due to the way DIGEST auth
works, you have to generate the password digests to store in the
database slightly differently. This is a pain, but there is no way
around this.

Mark
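The "slightly different" digest Mark refers to, shown as an added example that is not part of this thread: to check a DIGEST response the server needs HA1 = MD5(username:realm:password) (RFC 2617), so a Realm that stores digested passwords for DIGEST authentication must store exactly that value, whereas MD5(password) alone, which works for BASIC/FORM with digest="MD5", can never be verified. The credentials, realm name, nonce and URI below are constructed sample values.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed sample values for the demonstration (not from the thread).
USERNAME, REALM, PASSWORD = "tomcat", "Example Realm", "s3cret"
METHOD, URI, NONCE, NC, CNONCE = "GET", "/manager/html", "d3adb33f", "00000001", "0a4f113b"


def ha1_for_digest_auth(username: str, realm: str, password: str) -> str:
    """HA1 per RFC 2617. This is the form a Realm must store when digested
    passwords are combined with DIGEST authentication."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_of_password_only(password: str) -> str:
    """MD5 of the bare password: usable by BASIC/FORM with digest="MD5",
    but it cannot be turned back into HA1, so DIGEST auth cannot use it."""
    return md5_hex(password)


def client_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What the client sends in the Authorization header (qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verify(stored: str, stored_is_digested: bool, username: str, realm: str,
                  method: str, uri: str, nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Server side: derive HA1 from what the Realm holds, then recompute the response."""
    ha1 = stored if stored_is_digested else ha1_for_digest_auth(username, realm, stored)
    return client_response(ha1, method, uri, nonce, nc, cnonce) == response


def demo() -> dict:
    # The real client always knows the plaintext password, so it computes the proper HA1.
    response = client_response(ha1_for_digest_auth(USERNAME, REALM, PASSWORD), METHOD, URI, NONCE, NC, CNONCE)
    args = (USERNAME, REALM, METHOD, URI, NONCE, NC, CNONCE, response)
    return {
        # plain-text storage + DIGEST auth: the server derives HA1 itself
        "plaintext_stored": server_verify(PASSWORD, False, *args),
        # digested storage in the username:realm:password form: verifies
        "ha1_form_stored": server_verify(ha1_for_digest_auth(USERNAME, REALM, PASSWORD), True, *args),
        # digested storage of MD5(password) alone: can never verify a DIGEST response
        "password_only_digest_stored": server_verify(digest_of_password_only(PASSWORD), True, *args),
    }
```

Because a stored MD5(username:realm:password) is tied to the realm name, changing the Realm's name in server.xml invalidates every stored digest, which is one practical consequence of the "no way around this" remark.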