> 
> On Feb 6, 2009, at 8:15 AM, BUSCH Steffen wrote:
> 
> > Hi all,
> >
> > I have a small Issue while trying to prepare the upgrade from Resin
> > 2.1.14 to Resin 3.1 Snapshot as of 19th December with the Digest
> > Password in Resin XmlAuthenticator.
> 
> 2.1.14 had an incorrect implementation of base64 encoding.
> 
> Is it possible to regenerate the passwords using the correct  
> encoding?  There is a backward compatibility flag, but it would be  
> much better to use the correct encoding.
> 
> -- Scott

Thanks Scott, I think I'm aware of 80 % of the passwords and can
regenerate them.
As I have several external password files with the old base64-encoded
passwords for different web-apps, it would be great if you could
advise how to set the backward compatibility flag for those web-apps
where it would be difficult for me to regenerate the passwords.

Thanks,
Steffen


> >
> >
> >
> > I used to have the following configuration in Resin 2.1.14
> >
> > <authenticator>
> >  <class-name>com.caucho.http.security.XmlAuthenticator</class-name>
> >  <init-param password-digest='MD5-base64'/>
> >  <init-param path='/home/stbu/passwords.xml' />
> > </authenticator>
> >
> >
> > The passwords in the referenced file passwords.xml are for example
> > like this:
> >
> > <authenticator>
> >  <user name='myuser' password='cXSMXbxTmOz7Hv4lcVvrC3' role='resin' />
> > </authenticator>
> >
> >
> > In 3.1 I have configured it as follows:
> >
> > <authenticator type="com.caucho.server.security.XmlAuthenticator">
> >  <init>
> >    <password-digest>MD5-base64</password-digest>
> >    <password-digest-realm>none</password-digest-realm>
> >    <path>/home/stbu/passwords.xml</path>
> >  </init>
> > </authenticator>
> >
> > => I knew that the default realm is "resin", so I've set it explicitly
> > to "none" so that I could reuse my old passwords.
> > But attempts to log in with the username and passwords are now rejected.
> >
> >
> > The passwords used for 2.1.14 have been generated with this utility
> > class:
> >
> > <CODE>
> > package com.example;
> >
> > import com.caucho.http.security.PasswordDigest;
> > import javax.servlet.*;
> >
> > public class Digest {
> >        public static void main(String args[]) throws ServletException {
> >                PasswordDigest digest = new PasswordDigest();
> >                digest.setAlgorithm("MD5");
> >                digest.setFormat("base64");
> >
> >                System.out.println("Preparing Password '" + args[1] + "' for User '" + args[0] + "'");
> >                String password = digest.getPasswordDigest(args[0], args[1]);
> >                System.out.println("Digest Password: '" + password + "'");
> >        }
> > }
> > </CODE>
> >
> > java com.example.Digest myuser mypassword
> > Preparing Password 'mypassword' for User 'myuser'
> > Digest Password: 'cXSMXbxTmOz7Hv4lcVvrC3'
> >
> >
> > In order to investigate why the login is rejected, I extended the
> > utility class to allow the specification of the realm and used the 3.1
> > Jars of Resin to generate the password for a user and compare them
> >
> > <CODE>
> > package com.example;
> >
> > import com.caucho.http.security.PasswordDigest;
> > import javax.servlet.*;
> >
> > public class Digest31 {
> >        public static void main(String args[]) throws ServletException {
> >                PasswordDigest digest = new PasswordDigest();
> >                digest.setAlgorithm("MD5");
> >                digest.setFormat("base64");
> >                digest.setRealm(args[2]);
> >
> >                System.out.println("Preparing Password '" + args[1] + "' for User '" + args[0] + "'" + " with realm '" + args[2] + "'");
> >                String password = digest.getPasswordDigest(args[0], args[1]);
> >                System.out.println("Digest Password: '" + password + "'");
> >        }
> > }
> > </CODE>
> >
> > java com.example.Digest31 myuser mypassword none
> > Preparing Password 'mypassword' for User 'myuser' with realm 'none'
> > Digest Password: 'cXSMXbxTmOz7Hv4lcVvrtw=='
> >
> > BTW: The same result is achieved when using the "Calculate Digest" on
> > the Login Page of /resin-admin.
> >
> >
> > The passwords look similar, but they are actually not the same - so
> > the rejection is clear.
> > 2.1: 'cXSMXbxTmOz7Hv4lcVvrC3'
> > 3.1: 'cXSMXbxTmOz7Hv4lcVvrtw=='
> >
> >
> >
> > Has anybody else got such problems and figured out how to solve it?
> > I don't know how I have to set the init values for the
> > XmlAuthenticator in order to get the old passwords working.
> >
> >
> > Thanks in advance
> > Steffen
> >
> >
> >
> >
> > _______________________________________________
> > resin-interest mailing list
> > resin-interest@caucho.com
> > http://maillist.caucho.com/mailman/listinfo/resin-interest
> 
> 
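
Added example, not part of the original thread and not Resin code: a Python audit of a passwords.xml file that tells the 2.1-style and 3.1-style MD5-base64 values quoted above apart and re-encodes the old form without needing the cleartext password. The legacy packing rule is an assumption inferred only from the single 2.1/3.1 pair in this thread, and the names `classify`, `legacy_to_standard`, `audit` and the user `otheruser` are made up for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Assumption, inferred only from the one 2.1/3.1 pair in this thread: the old
# encoder wrote the last MD5 byte b as the characters [b >> 6, b & 63] with no
# padding, where standard base64 writes [b >> 2, (b & 3) << 4] plus "==".

def classify(digest):
    """Return 'standard', 'legacy' or 'unknown' for an MD5-base64 value."""
    if re.fullmatch(r"[A-Za-z0-9+/]{22}==", digest):
        raw = base64.b64decode(digest)
        # Canonical form only: re-encoding must reproduce the same string.
        ok = len(raw) == 16 and base64.b64encode(raw).decode() == digest
        return "standard" if ok else "unknown"
    # Legacy form: 22 characters, no padding, and b >> 6 can only be 0..3.
    if re.fullmatch(r"[A-Za-z0-9+/]{22}", digest) and B64.index(digest[20]) < 4:
        return "legacy"
    return "unknown"

def legacy_to_standard(digest):
    """Re-encode a legacy value; its first 20 characters (15 bytes) are kept."""
    if classify(digest) != "legacy":
        raise ValueError("not a legacy-format digest: %r" % digest)
    head = base64.b64decode(digest[:20])
    last = (B64.index(digest[20]) << 6) | B64.index(digest[21])
    return base64.b64encode(head + bytes([last])).decode()

def audit(xml_text):
    """Map each user name to (format, digest in standard form or None)."""
    report = {}
    for user in ET.fromstring(xml_text).iter("user"):
        value = user.get("password", "")
        kind = classify(value)
        if kind == "legacy":
            value = legacy_to_standard(value)
        report[user.get("name")] = (kind, value if kind != "unknown" else None)
    return report

# Constructed sample in the passwords.xml layout quoted above; both digests
# are the ones from this thread, 'otheruser' is a made-up name.
SAMPLE = """<authenticator>
  <user name='myuser' password='cXSMXbxTmOz7Hv4lcVvrC3' role='resin'/>
  <user name='otheruser' password='cXSMXbxTmOz7Hv4lcVvrtw==' role='resin'/>
</authenticator>"""

if __name__ == "__main__":
    for name, (kind, value) in audit(SAMPLE).items():
        print(name, kind, value)
```

Entries reported as `unknown` match neither form and still need to be regenerated from the cleartext password.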


