Hi all,
 
I have a small issue while trying to prepare the upgrade from Resin
2.1.14 to the Resin 3.1 snapshot as of 19th December, with the digest
password in Resin's XmlAuthenticator.
 
 
I used to have the following configuration in Resin 2.1.14:
 
<authenticator>
  <class-name>com.caucho.http.security.XmlAuthenticator</class-name>
  <init-param password-digest='MD5-base64'/>
  <init-param path='/home/stbu/passwords.xml' />
</authenticator>

 
The passwords in the referenced file passwords.xml are for example like
this:
 
<authenticator>
  <user name='myuser' password='cXSMXbxTmOz7Hv4lcVvrC3' role='resin' />
</authenticator>

 
In 3.1 I have configured it as follows:
 
<authenticator type="com.caucho.server.security.XmlAuthenticator">
  <init>
    <password-digest>MD5-base64</password-digest>
    <password-digest-realm>none</password-digest-realm>
    <path>/home/stbu/passwords.xml</path>
  </init>
</authenticator>
 
=> I knew that the default realm is "resin", so I've set it explicitly
to "none" so that I could reuse my old passwords.
But logins with the username and password are now rejected.
 
 
The passwords used for 2.1.14 were generated with this utility
class:
 
<CODE>
package com.example;

import com.caucho.http.security.PasswordDigest;
import javax.servlet.*;

// Generates the digest value stored in passwords.xml.
// Usage: java com.example.Digest <user> <password>
public class Digest {
    public static void main(String[] args) throws ServletException {
        PasswordDigest digest = new PasswordDigest();
        digest.setAlgorithm("MD5");
        digest.setFormat("base64");

        System.out.println("Preparing Password '" + args[1] + "' for User '" + args[0] + "'");
        String password = digest.getPasswordDigest(args[0], args[1]);
        System.out.println("Digest Password: '" + password + "'");
    }
}
</CODE>

java com.example.Digest myuser mypassword
Preparing Password 'mypassword' for User 'myuser'
Digest Password: 'cXSMXbxTmOz7Hv4lcVvrC3'

 
In order to investigate why the login is rejected, I extended the
utility class to allow the specification of the realm and used the 3.1
Jars of Resin to generate the password for a user and compare them:
 
<CODE>
package com.example;

import com.caucho.http.security.PasswordDigest;
import javax.servlet.*;

// Same as Digest, but with an explicit realm.
// Usage: java com.example.Digest31 <user> <password> <realm>
public class Digest31 {
    public static void main(String[] args) throws ServletException {
        PasswordDigest digest = new PasswordDigest();
        digest.setAlgorithm("MD5");
        digest.setFormat("base64");
        digest.setRealm(args[2]);

        System.out.println("Preparing Password '" + args[1] + "' for User '" + args[0] + "'"
                + " with realm '" + args[2] + "'");
        String password = digest.getPasswordDigest(args[0], args[1]);
        System.out.println("Digest Password: '" + password + "'");
    }
}
</CODE>

java com.example.Digest31 myuser mypassword none
Preparing Password 'mypassword' for User 'myuser' with realm 'none'
Digest Password: 'cXSMXbxTmOz7Hv4lcVvrtw=='

BTW: The same result is achieved when using the "Calculate Digest" on
the Login Page of /resin-admin.
 
 
The passwords look similar, but they are actually not the same - so the
rejection is clear. 
2.1: 'cXSMXbxTmOz7Hv4lcVvrC3'
3.1: 'cXSMXbxTmOz7Hv4lcVvrtw=='
 
 
 
Has anybody else had such problems and figured out how to solve them?
I don't know how I have to set the init values for the XmlAuthenticator
in order to get the old passwords working. 
 
 
Thanks in advance
Steffen
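
Added example, not part of the original post and not Resin code: decoding the two digests quoted above shows that they share their first 20 characters and that the final group carries the same byte, stored right-aligned and unpadded in the 2.1 string ('C3') and as standard base64 in the 3.1 string ('tw=='). The function names are hypothetical, and that every 2.1 digest uses this tail layout is an assumption drawn from this single pair.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Digest strings quoted in the post above.
OLD_2_1 = "cXSMXbxTmOz7Hv4lcVvrC3"
NEW_3_1 = "cXSMXbxTmOz7Hv4lcVvrtw=="


def decode_legacy_tail(digest):
    """Decode a 22-character unpadded digest whose last two characters hold
    the 16th MD5 byte right-aligned in 12 bits (assumed 2.1 layout)."""
    if len(digest) != 22 or any(c not in B64 for c in digest):
        raise ValueError("expected 22 base64 characters without padding")
    head = base64.b64decode(digest[:20])  # 15 bytes in standard layout
    tail = (B64.index(digest[20]) << 6) | B64.index(digest[21])
    if tail > 0xFF:
        # Upper 4 bits set: the string does not follow the assumed layout.
        raise ValueError("tail does not fit the assumed right-aligned layout")
    return head + bytes([tail])


def to_standard(digest):
    """Re-encode a legacy-layout digest as standard padded base64."""
    return base64.b64encode(decode_legacy_tail(digest)).decode("ascii")


def describe(old, new):
    """Return (shared prefix length, legacy bytes as hex, standard bytes as hex)."""
    prefix = 0
    while prefix < min(len(old), len(new)) and old[prefix] == new[prefix]:
        prefix += 1
    return prefix, decode_legacy_tail(old).hex(), base64.b64decode(new).hex()


if __name__ == "__main__":
    prefix, old_hex, new_hex = describe(OLD_2_1, NEW_3_1)
    print("shared prefix characters:", prefix)
    print("2.1 digest bytes:", old_hex)
    print("3.1 digest bytes:", new_hex)
    print("2.1 digest re-encoded:", to_standard(OLD_2_1))
```

If the same layout holds for the other entries in passwords.xml, the re-encoded value is the string a standard base64 comparison expects; an entry that raises ValueError does not match the assumption and should be regenerated instead.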
 


