I'd like to make it work with SHA-1. I've looked all through the Tomcat documentation, and I can't find a configuration parameter to set the www-authenticate response header to indicate SHA-1 algorithm for the digest. I see the API that supports this in org.apache.catalina.authenticator.DigestAuthenticator ( setAuthenticateHeader() ), but I can't find a configuration parameter that will determine the value for "algorithm" passed to this method. Does anyone know how I can set this?
-Mark
Mark Leone wrote:
I found a silly classpath error that fixed the problem using RealmBase. I didn't realize that my system still had environment variable %catalina_home% pointing to an old tomcat 4.1.24 directory. So when I opened a command window to generate digest values I was executing RealmBase in tomcat 4.1.24. But guess what. When I digest the same info with the same algorithm specifier (SHA) in Tomcat 4.1.24 and Tomcat 5.5.8 I get different digest values. And DIGEST authentication still doesn't work, in either case. Something very strange is going on here. :(
-Mark
Mark Leone wrote:
Okay, I was using 5.5.7. So I just downloaded the source and built 5.5.8, and things got worse. Digest authentication is not working for me. I believe I've set everything up correctly. Using an HTTP monitor I see a 401 response coming back from Tomcat with a www-authenticate header whose parameters specify digest authentication and identify the realm as JDBCRealm. And I have a digested password that I created by digesting {username}:JDBCRealm:{password} (including the colons- is that correct?), as directed in the how-to documentation. But when I enter that username and password, the authentication fails. Now I used SHA-1 to digest the password, and my <realm/> element in Server.xml identifies SHA as the digest algorithm for digesting passwords. Does this mean that the DIGEST authentication will also be done using SHA-1? Or do I need to specify that somewhere? Am I missing something else?
I said it got worse with 5.5.8 because now I can't even get RealmBase to generate a digested password. I enter
java -cp %catalina_home%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a SHA {username}:JDBCRealm:{password}
and I get:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
        at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)
So it's finding RealmBase, but while executing that code it fails to find LogFactory. I don't see an org\apache\commons path in any of the class directories generated during the build. Do I have a defective build? Was I supposed to download something else?
-Mark
Mark Thomas wrote:
Yes it does. I tested this extensively with both IE and Firefox. Any combination of the following is OK:
Auth: BASIC, FORM, DIGEST
Realm: Memory, UserDatabase, JDBC, DataSource
Passwords: Cleartext, digested
There is a complication when using digested passwords with the digest realm.
You need to be using 4.1.x from CVS HEAD or 5.5.8+
For more info see: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Mark
Mark Leone wrote:
I'm trying to use DIGEST authentication with Tomcat, and it doesn't seem to work. I found some articles with Google about IE implementing DIGEST authentication in a way that only worked with MS servers, and I assume that hasn't been corrected. But I'm also using Firefox with the same results as IE. I saw an article about a workaround in Apache server to make DIGEST authentication work with IE, but I didn't see anything about Tomcat. Anyone know of any way to get DIGEST authentication in Tomcat to work with ANY browser?
I should mention that I'm also using digested passwords in a JDBC Realm (implemented with mySQL), and I followed the how-to instructions for creating digested passwords to work with DIGEST authentication. And authentication with JDBCRealm works fine when I use BASIC authentication.
For the record, I put the following in the Host element in Server.xml
<Context path="/MyApp" docBase="MyApp">
<Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
disableProxyCaching="false" />
</Context>
I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql:///Tomcat_Realm" userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>
And I put the following in my app's web.xml
<security-constraint.../> (elided)
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>JDBCRealm</realm-name>
</login-config>
<security-role.../> (elided)
And when I created the digested password to store in my JDBCRealm database, I digested: (username) : JDBCRealm : (password). As you can see, I specified "SHA" as the digest algorithm in Server.xml's <realm> element, and I used SHA to create the digested password that I stored in the database. I assume that the server will prompt the browser to use SHA also when it sends the challenge header requesting DIGEST authentication?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
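The thread asks whether a Realm configured with digest="SHA" can verify DIGEST logins. The following is an added example, not part of the original messages and not Tomcat code: it works through the RFC 2617 response calculation (assuming the challenge uses the RFC's default MD5 algorithm with qop=auth) and shows that a stored SHA-1 digest of user:realm:password cannot reproduce the value the browser sends. The credentials and nonce are the sample values from RFC 2617 section 3.5; the function names are made up for illustration.

```python
import hashlib
import hmac

def hexdigest(algorithm, text):
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()

def stored_credential(algorithm, username, realm, password):
    """What goes in the realm's credential column: digest of user:realm:password."""
    return hexdigest(algorithm, f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth, given HA1 as lowercase hex."""
    ha2 = hexdigest("md5", f"{method}:{uri}")
    return hexdigest("md5", f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_ha1, client_value, **request):
    """Server side: it has no cleartext, so it plugs the stored value in as HA1."""
    expected = digest_response(stored_ha1, **request)
    return hmac.compare_digest(expected, client_value)

# Sample values from RFC 2617 section 3.5 (not from the thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
REQUEST = dict(method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               nc="00000001", cnonce="0a4f113b")

def client_response():
    # The browser knows the cleartext password and derives HA1 with MD5.
    ha1 = stored_credential("md5", USER, REALM, PASSWORD)
    return digest_response(ha1, **REQUEST)

def login_succeeds(realm_digest_algorithm):
    stored = stored_credential(realm_digest_algorithm, USER, REALM, PASSWORD)
    return server_accepts(stored, client_response(), **REQUEST)

if __name__ == "__main__":
    print("client response:", client_response())
    for algorithm in ("md5", "sha1"):
        print(f"stored with {algorithm}: accepted = {login_succeeds(algorithm)}")
```

BASIC authentication is unaffected by this mismatch because the server receives the cleartext password and can digest it with whatever algorithm the Realm names.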