https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
Mark Thomas <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |---

--- Comment #8 from Mark Thomas <[email protected]> ---
Re-opening as we have at least one bug here.

(In reply to Grzegorz Grzybek from comment #7)
> So here, Tomcat code, ApacheDS code and this IETF drafts are consistent, but
> Tomcat documentation is not.

That is an easy fix. Correct the documentation. Patch/PR welcome.

> While when checking $-separated password (salt $ ic $ digest),
> org.apache.catalina.realm.MessageDigestCredentialHandler#mutate first
> digests the salt and then the password...

That appears to be contrary to RFC 3112.

Fixing that would be a breaking change. Not sure how many users would be affected. I think we'd need to make the order configurable. I'd suggest it defaulted to the RFC order.
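An added illustration (not Tomcat's code and not part of this thread) of why changing the digest order breaks existing `salt$ic$digest` credentials, and how a configurable order lets a verifier accept either. Assumptions: SHA-256, hex-encoded salt and digest, iterations applied by re-hashing the previous digest, and "RFC order" taken to mean password before salt; all function and constant names are hypothetical.

```python
import hashlib
import hmac

SALT_FIRST = "salt-first"          # order the thread attributes to mutate()
PASSWORD_FIRST = "password-first"  # order assumed here for RFC 3112

def digest(password: bytes, salt: bytes, iterations: int, order: str) -> bytes:
    """Hash salt and password in the configured order, then re-hash the result."""
    if order not in (SALT_FIRST, PASSWORD_FIRST):
        raise ValueError(f"unknown digest order: {order!r}")
    first, second = (salt, password) if order == SALT_FIRST else (password, salt)
    out = hashlib.sha256(first + second).digest()
    for _ in range(iterations - 1):
        out = hashlib.sha256(out).digest()
    return out

def encode(password: str, salt: bytes, iterations: int, order: str) -> str:
    """Produce a stored credential in salt$ic$digest form."""
    d = digest(password.encode("utf-8"), salt, iterations, order)
    return f"{salt.hex()}${iterations}${d.hex()}"

def matches(password: str, stored: str, order: str) -> bool:
    """Verify a password against salt$ic$digest using the configured order."""
    try:
        salt_hex, ic, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(ic)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed credential never matches
    if iterations < 1:
        return False
    actual = digest(password.encode("utf-8"), salt, iterations, order)
    return hmac.compare_digest(actual, expected)  # constant-time compare

def detect_order(known_password: str, stored: str):
    """Migration aid: report which order a stored credential was created with."""
    for order in (SALT_FIRST, PASSWORD_FIRST):
        if matches(known_password, stored, order):
            return order
    return None

if __name__ == "__main__":
    # Constructed sample credential, created with the salt-first order.
    stored = encode("s3cret", bytes.fromhex("00112233"), 3, SALT_FIRST)
    print(stored)
    print("salt-first verifier:    ", matches("s3cret", stored, SALT_FIRST))
    print("password-first verifier:", matches("s3cret", stored, PASSWORD_FIRST))
```

A store populated under one order fails every login once the verifier switches to the other, so the order a deployment's credentials were created with has to be known before the default changes.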
