https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
--- Comment #5 from Grzegorz Grzybek <[email protected]> ---

I may understand this decision. I was only hoping that you can mix different digests for different passwords even if you have a single, say:

    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-384" />

Currently (I checked) when you have the above, a password like:

    <user username="tomcat" password="{SSHA}QxsCbkrZwiLgvTnvdlGW2KI/EfIr4M7y7o4nnG1VqsaRKl6ISrDcYg==" />

simply fails, because the digest used for the incoming password is SHA-384. It'd work if the digest was `SHA-1`.

Also https://tomcat.apache.org/tomcat-11.0-doc/realm-howto.html#Digested_Passwords says:

> When the authenticate() method of the Realm is called, the (cleartext)
> password specified by the user is itself digested by the same algorithm, and
> the result is compared with the value returned by the Realm.

"the same algorithm" confused me, because it's NOT SHA-1, but the one I specified in <CredentialHandler>.

Sure - MD5 is not that good for some scenarios, but just enough (with salt and ic) for less critical ones.

TL;DR - `{SHA}<base64 of SHA-1 digest of cleartext password>` will never work if you don't have `SHA-1` specified in `<CredentialHandler>`.
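The mismatch the comment describes, as an added Python model (not Tomcat's code and not part of the bug report): the stored `{SHA}`/`{SSHA}` value is laid out as a SHA-1 digest (the 20-byte digest/salt split is this model's assumption), but the cleartext is digested with whatever algorithm the handler is configured with, so only `SHA-1` verifies. The password and salt below are constructed samples, not the credential from the report.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # assumed layout: {SSHA} blob = SHA-1 digest (20 bytes) || salt


def make_sha(password: str) -> str:
    """Unsalted credential as the docs describe it: {SHA}base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("iso-8859-1")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes) -> str:
    """Salted credential: {SSHA}base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("iso-8859-1") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def matches(stored: str, password: str, algorithm: str) -> bool:
    """Model of the handler check: the INPUT is digested with the configured
    `algorithm` (e.g. "sha384"), while the STORED value is always SHA-1 shaped."""
    raw = password.encode("iso-8859-1")
    if stored.startswith("{SHA}"):
        user = base64.b64encode(hashlib.new(algorithm, raw).digest()).decode("ascii")
        return hmac.compare_digest(user, stored[len("{SHA}"):])
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        server_digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        user_digest = hashlib.new(algorithm, raw + salt).digest()
        # A SHA-384 input digest is 48 bytes and can never equal the 20-byte stored one.
        return hmac.compare_digest(user_digest, server_digest)
    raise ValueError("unsupported credential format")


# Constructed sample credentials (fixed salt so the run is reproducible).
SAMPLE_PASSWORD = "s3cret-sample"
SAMPLE_SALT = bytes(range(20))
STORED_SSHA = make_ssha(SAMPLE_PASSWORD, SAMPLE_SALT)
STORED_SHA = make_sha(SAMPLE_PASSWORD)


def outcome_by_algorithm(stored: str) -> dict:
    """Same stored value, same correct password, different handler algorithms."""
    return {alg: matches(stored, SAMPLE_PASSWORD, alg) for alg in ("sha1", "sha384")}


if __name__ == "__main__":
    print("{SSHA}:", outcome_by_algorithm(STORED_SSHA))  # sha1 True, sha384 False
    print("{SHA}: ", outcome_by_algorithm(STORED_SHA))   # sha1 True, sha384 False
```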
