Hi Jan,

In DigestAuthenticator.Digest.check, the code seems to be prepared for the credentials to be a pre-calculated MD5 hash. See the comment that begins, "Credentials are already a MD5 digest".

Also, in the distributed sample realm.properties, there is an entry for username "digest", with the comment "This entry is for digest auth. The credential is a MD5 hash of username:realm name:password". That is especially confusing, since an earlier comment in the same file says that thing about "must be in a recoverable format".

All this gave me confidence to try keeping pre-calculated MD5 hashes in my equivalent of the realm password file, and so far it seems to be working...

-- Guy

On 11/06/2011 09:39 PM, Jan Bartel wrote:
> Guy,
>
> With DIGEST authentication, the server has to calculate a digest using the
> info supplied in the authentication request, so the stored password has to
> be recoverable in order to be able to be used in the digest.
>
> Jan
>
> On 5 November 2011 05:29, Guy Hillyer <[email protected]> wrote:
>> The javadoc for HashLoginService contains this caveat:
>>
>> "If DIGEST Authentication is used, the password must be in a
>> recoverable format, either plain text or OBF."
>>
>> However this doesn't appear to be true, as using an MD5 hash seems to
>> work just fine.
>>
>> The same note appears in javadoc for PropertyUserStore, and again in
>> a comment in the distributed example realm.properties file.
>>
>> I'll file a doc bug report unless someone tells me I'm off in the weeds
>> (always a possibility).

_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
