On Feb 6, 2009, at 8:15 AM, BUSCH Steffen wrote:

> Hi all,
>
> I have a small issue while trying to prepare the upgrade from Resin
> 2.1.14 to Resin 3.1 Snapshot as of 19th December with the Digest
> Password in Resin XmlAuthenticator.

2.1.14 had an incorrect implementation of base64 encoding.

Is it possible to regenerate the passwords using the correct  
encoding?  There is a backward compatibility flag, but it would be  
much better to use the correct encoding.

-- Scott
>
> I used to have the following configuration in Resin 2.1.14
>
> <authenticator>
>  <class-name>com.caucho.http.security.XmlAuthenticator</class-name>
>  <init-param password-digest='MD5-base64'/>
>  <init-param path='/home/stbu/passwords.xml' />
> </authenticator>
>
>
> The passwords in the referenced file passwords.xml are, for example,
> like this:
>
> <authenticator>
>  <user name='myuser' password='cXSMXbxTmOz7Hv4lcVvrC3' role='resin' />
> </authenticator>
>
>
> In 3.1 I have configured it as follows:
>
> <authenticator type="com.caucho.server.security.XmlAuthenticator">
>  <init>
>    <password-digest>MD5-base64</password-digest>
>    <password-digest-realm>none</password-digest-realm>
>    <path>/home/stbu/passwords.xml</path>
>  </init>
> </authenticator>
>
> => I knew that the default realm is "resin", so I've set it explicitly
> to "none" so that I could reuse my old passwords.
> But attempts to log in with the username and password are now rejected.
>
>
> The passwords used for 2.1.14 were generated with this utility
> class:
>
> <CODE>
> package com.example;
>
> import com.caucho.http.security.PasswordDigest;
> import javax.servlet.*;
>
> public class Digest {
>     // Usage: java com.example.Digest <user> <password>
>     public static void main(String[] args) throws ServletException {
>         PasswordDigest digest = new PasswordDigest();
>         digest.setAlgorithm("MD5");
>         digest.setFormat("base64");
>
>         System.out.println("Preparing Password '" + args[1]
>                            + "' for User '" + args[0] + "'");
>         String password = digest.getPasswordDigest(args[0], args[1]);
>         System.out.println("Digest Password: '" + password + "'");
>     }
> }
> </CODE>
>
> java com.example.Digest myuser mypassword
> Preparing Password 'mypassword' for User 'myuser'
> Digest Password: 'cXSMXbxTmOz7Hv4lcVvrC3'
>
>
> In order to investigate why the login is rejected, I extended the
> utility class to allow the specification of the realm and used the 3.1
> Jars of Resin to generate the password for a user and compare them:
>
> <CODE>
> package com.example;
>
> import com.caucho.http.security.PasswordDigest;
> import javax.servlet.*;
>
> public class Digest31 {
>     // Usage: java com.example.Digest31 <user> <password> <realm>
>     public static void main(String[] args) throws ServletException {
>         PasswordDigest digest = new PasswordDigest();
>         digest.setAlgorithm("MD5");
>         digest.setFormat("base64");
>         digest.setRealm(args[2]);
>
>         System.out.println("Preparing Password '" + args[1]
>                            + "' for User '" + args[0] + "'"
>                            + " with realm '" + args[2] + "'");
>         String password = digest.getPasswordDigest(args[0], args[1]);
>         System.out.println("Digest Password: '" + password + "'");
>     }
> }
> </CODE>
>
> java com.example.Digest31 myuser mypassword none
> Preparing Password 'mypassword' for User 'myuser' with realm 'none'
> Digest Password: 'cXSMXbxTmOz7Hv4lcVvrtw=='
>
> BTW: The same result is achieved when using the "Calculate Digest" on
> the Login Page of /resin-admin.
>
>
> The passwords look similar, but they are actually not the same - so the
> rejection is clear.
> 2.1: 'cXSMXbxTmOz7Hv4lcVvrC3'
> 3.1: 'cXSMXbxTmOz7Hv4lcVvrtw=='
>
>
>
> Has anybody else got such problems and figured out how to solve it?
> I don't know how I have to set the init values for the XmlAuthenticator
> in order to get the old passwords working.
>
>
> Thanks in advance
> Steffen
>
>
>
>
> _______________________________________________
> resin-interest mailing list
> [email protected]
> http://maillist.caucho.com/mailman/listinfo/resin-interest
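
The two digests quoted in the thread share their first 20 characters and differ only in how the 16th MD5 byte is encoded, so a stored 2.1-style value can be converted to standard base64 without knowing the plaintext password. The following Python is an added example, not code from the thread or from Resin; the legacy tail layout is an assumption inferred from the single pair of values above, and the function names are hypothetical.

```python
import base64
import binascii

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Values quoted in the thread for user 'myuser', password 'mypassword'.
LEGACY_2_1 = "cXSMXbxTmOz7Hv4lcVvrC3"
CORRECT_3_1 = "cXSMXbxTmOz7Hv4lcVvrtw=="


def legacy_tail_byte(tail):
    """Recover the 16th digest byte from the last two legacy characters.

    Assumption inferred from the thread's sample: the old encoder wrote the
    final byte right-aligned in 12 bits (no << 4) and emitted no padding.
    """
    hi, lo = B64.index(tail[0]), B64.index(tail[1])
    value = (hi << 6) | lo
    if value > 0xFF:
        raise ValueError("tail does not fit the assumed legacy layout")
    return value


def legacy_to_standard(stored):
    """Convert a 22-char unpadded MD5-base64 value to RFC 4648 base64."""
    if len(stored) != 22 or "=" in stored:
        raise ValueError("not a 22-character unpadded digest")
    head = base64.b64decode(stored[:20], validate=True)  # first 15 bytes
    digest = head + bytes([legacy_tail_byte(stored[20:])])
    return base64.b64encode(digest).decode("ascii")


def classify(stored):
    """Label a stored password attribute: 'standard', 'legacy' or 'unknown'."""
    try:
        raw = base64.b64decode(stored, validate=True)
        if len(raw) == 16 and base64.b64encode(raw).decode() == stored:
            return "standard"
    except (binascii.Error, ValueError):
        pass
    try:
        legacy_to_standard(stored)
        return "legacy"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    print(classify(LEGACY_2_1), "->", legacy_to_standard(LEGACY_2_1))
```

Spot-check a few converted values against the 3.1 "Calculate Digest" output before replacing entries in passwords.xml.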


