Mark Thomas wrote:
On 24/12/2009 02:18, Christopher Schultz wrote:
On 12/23/2009 2:13 PM, Mark Thomas wrote:
digest is (almost) completely orthogonal to DIGEST authentication.
digest controls whether or not the password stored on the server is held
in plain text or in digest form. It is (almost) independent of the
authentication mechanism used.
DIGEST is the authentication mechanism between the client and the server.
Heh, right. I had indigestion when I was reading all that documentation.
Using DIGEST authentication implies no "digest" in the <Realm> because
the passwords stored in the database are already hashed (or "digested").
Adding another digest="MD5" will simply re-hash the already-digested
credentials. I suppose someone would consider that more secure, since
it's got "more security".
Still not quite right. I'll try again.
You can use DIGEST authentication and still have the passwords stored in
the database in plain text.
Only the Realm's digest attribute controls whether the password is
stored in digested form.
Only the authentication mechanism (ignoring SSL) determines if the
password is transmitted in plain text. BASIC and FORM transmit the
password in plain text. DIGEST doesn't.
A Realm's digest attribute is independent of the authentication
mechanism apart from one situation: if you store passwords in digested
form and use DIGEST authentication due to the way DIGEST auth works you
have to generate password digests to store in the database slightly
differently. This is a pain but there is no way around this.
Maybe this way, to help Chris get it:
;-)
browser <---- HTTP --------> Tomcat <-- Realm --> back-end id storage
        Authentication              digest        digested pw
        BASIC                       or
        or                          not digest    clear pw
        DIGEST
        or
        ...
a) browser --> GET /url ---> HTTPd (/url = protected resource)
b) browser <-- 401 Auth required -- HTTPd
(type = BASIC or DIGEST)
c) browser pops up login dialog
d) user enters id + pw
e) browser --> GET /url ---> HTTPd
+ header : "Authorization:" (credentials)
The original discussion centers around (b) and (e), in the DIGEST case:
is it possible for server/client to indicate/use another digest method
than MD5, for the browser to send the credentials in the Authorization
header to the server, in (e)?
My contention is that no existing *browser* supports another DIGEST
method, and that the discussion is thus largely moot.
... unless the client is not a standard browser.
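The (b)/(e) exchange and Mark's point about the "slightly different" stored digest, as an added example that is not part of the thread and not Tomcat's own code. It assumes the RFC 2617 construction (HA1 = MD5(username:realm:password), response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth), which is also the input Tomcat's digest tool expects when digested passwords are combined with DIGEST auth. The realm name, nonce, usernames and passwords are constructed; the three storage kinds in `USERS` stand for a Realm without the digest attribute, a Realm with digest="MD5" whose digests were generated the DIGEST-auth way, and a Realm with digest="MD5" whose digests were generated the BASIC/FORM way.

```python
import hashlib
import hmac
import re
import secrets

# Constructed values for this example (not from the thread).
REALM = "Example Realm"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # a nonce the server would have issued in step (b)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    This is the 'slightly different' digest: a Realm that stores digested
    passwords can only serve DIGEST auth if the stored value is HA1, not
    MD5(password) as one would generate for BASIC or FORM."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, password, method, uri, nonce, realm=REALM,
                        nc="00000001", cnonce=None) -> str:
    """Client side of step (e): the browser never puts the password on the wire."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; quoted and bare values both accepted."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def verify(header: str, method: str, users: dict, issued_nonces: set, realm=REALM) -> bool:
    """Server side of step (e). `users` maps username -> (storage_kind, value)."""
    p = parse_authorization(header)
    needed = ("username", "uri", "nonce", "nc", "cnonce", "response")
    if any(k not in p for k in needed) or p.get("qop") != "auth":
        return False
    if p.get("realm") != realm or p["nonce"] not in issued_nonces:
        return False  # unknown/forged nonce; a real server also expires nonces and checks nc
    record = users.get(p["username"])
    if record is None:
        return False
    kind, value = record
    if kind == "plain":           # Realm without digest attribute: clear password on the server
        h1 = ha1(p["username"], realm, value)
    elif kind == "ha1":           # Realm digest="MD5", digests generated for DIGEST auth
        h1 = value
    else:                         # MD5(password) as generated for BASIC/FORM: cannot be checked
        return False
    expected = digest_response(h1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


# Constructed back-end store showing the three storage choices.
USERS = {
    "alice": ("plain", "correct horse"),
    "bob": ("ha1", ha1("bob", REALM, "battery staple")),
    "carol": ("md5_of_password", md5_hex("open sesame")),
}


def demo() -> dict:
    issued = {NONCE}

    def attempt(user, pw, nonce=NONCE):
        return verify(build_authorization(user, pw, "GET", "/url", nonce), "GET", USERS, issued)

    return {
        "alice_ok": attempt("alice", "correct horse"),
        "alice_wrong_pw": attempt("alice", "wrong"),
        "bob_ok": attempt("bob", "battery staple"),
        "carol_right_pw": attempt("carol", "open sesame"),   # False: wrong kind of digest stored
        "unknown_nonce": attempt("alice", "correct horse", nonce="not-issued"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `carol` case is the one the thread warns about: the password is correct, but the server holds MD5(password) and can neither recover the clear password nor derive HA1 from it, so DIGEST auth cannot succeed. The only stored forms that work are the clear password (no Realm digest) or HA1 itself.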
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org