A good place to learn how to use digest authentication

2005-09-15 Thread Chandan Gupta
Hi,
  I'm trying to use Digest authentication with an AXIS web service hosted on 
Tomcat 5.0.28. The problem is in setting up Digest authentication for 
Tomcat. I did as was written in HOW-TO setting up a JDBC realm, I tried to 
connect the URL configured on the secure realm from IE 6.0. Presto whatever 
I tried I always got 401. Once I changed authentication back to basic, 
things started working, when I change them back to Digest I start getting 
401. 
 Is there some place where I could get exact description of setting up 
Digest authentication in Tomcat? Please help
 Regards,
Chandan


Re: A good place to learn how to use digest authentication

2005-09-15 Thread bachoo jahnkar
http://www.devx.com/DevX/Article/21911


Chandan Gupta [EMAIL PROTECTED] wrote:
Hi,
I'm trying to use Digest authentication with an AXIS web service hosted on 
Tomcat 5.0.28. The problem is in setting up Digest authentication for 
Tomcat. I did as was written in HOW-TO setting up a JDBC realm, I tried to 
connect the URL configured on the secure realm from IE 6.0. Presto whatever 
I tried I always got 401. Once I changed authentication back to basic, 
things started working, when I change them back to Digest I start getting 
401. 
Is there some place where I could get exact description of setting up 
Digest authentication in Tomcat? Please help
Regards,
Chandan



Re: A good place to learn how to use digest authentication

2005-09-15 Thread Jim Moy
On 9/15/05, bachoo jahnkar [EMAIL PROTECTED] wrote:
 I'm trying to use Digest authentication with an AXIS web service hosted on
 ...
 connect the URL configured on the secure realm from IE 6.0. Presto whatever
 I tried I always got 401. Once I changed authentication back to basic,
 things started working, when I change them back to Digest I start getting
 401.

I think this is an old problem with IE and digest auth:

http://www.eweek.com/article2/0,1895,1500432,00.asp

Jim

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: DIGEST authentication; Does it work??

2005-03-23 Thread Mark Leone
So at 3:00 AM I decided to read the Basic and Digest Access 
Authentication spec (RFC 2617), and it says that MD5 is the default hash 
algorithm. I had previously seen that Tomcat wasn't sending any response 
headers explicitly specifying the hash algorithm, even though I had 
specified SHA in the <realm/> element in Server.xml. So I changed my 
digest algorithm for the realm to MD5, and DIGEST authentication is now 
working.

I'd like to make it work with SHA-1. I've looked all through the Tomcat 
documentation, and I can't find a configuration parameter to set the 
www-authenticate response header to indicate SHA-1 algorithm for the 
digest. I see the API that supports this in 
org.apache.catalina.authenticator.DigestAuthenticator ( 
setAuthenticateHeader() ), but I can't find a configuration parameter 
that will determine the value for algorithm passed to this method. 
Does anyone know how I can set this?
-Mark

Mark Leone wrote:
I found a silly classpath error that fixed the problem using 
RealmBase. I didn't realize that my system still had environment 
variable %catalina_home% pointing to an old tomcat 4.1.24 directory. 
So when I opened a command window to generate digest values I was 
executing RealmBase in tomcat 4.1.24. But guess what. When I digest 
the same info with the same algorithm specifier (SHA) in Tomcat 4.1.24 
and Tomcat 5.5.8 I get different digest values. And DIGEST 
authentication still doesn't work, in either case. Something very 
strange is going on here. :(

-Mark
Mark Leone wrote:
Okay, I was using 5.5.7. So I just downloaded the source and built 
5.5.8, and things got worse. Digest authentication is not working for 
me. I believe I've set everything up correctly. Using an HTTP monitor 
I see a 401 response coming back from Tomcat with a www-authenticate 
header whose parameters specify digest authentication and identify 
the realm as JDBCRealm. And I have a digested password that I created 
by digesting {username}:JDBCRealm:{password} (including the colons- 
is that correct?), as directed in the how-to documentation. But when 
I enter that username and password, the authentication fails. Now I 
used SHA-1 to digest the password, and my <realm/> element in 
Server.xml identifies SHA as the digest algorithm for digesting 
passwords. Does this mean that the DIGEST authentication will also be 
done using SHA-1? Or do I need to specify that somewhere? Am I 
missing something else?

I said it got worse with 5.5.8 because now I can't even get RealmBase 
to generate a digested password. I enter
java -cp %catalina_home%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a SHA {username}:JDBCRealm:{password}

and I get:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
        at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)

So it's finding RealmBase, but while executing that code it fails to 
find LogFactory. I don't see an org\apache\commons path in any of the 
class directories generated during the build. Do I have a defective 
build? Was I supposed to download something else?

-Mark
Mark Thomas wrote:
Yes it does. I tested this extensively with both IE and Firefox. Any 
combination of the following is OK:

Auth: BASIC, FORM, DIGEST
Realm: Memory, UserDatabase, JDBC, DataSource
Passwords: Cleartext, digested
There is a complication when using digested passwords with the 
digest realm.

You need to be using 4.1.x from CVS HEAD or 5.5.8+
For more info see:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Mark
Mark Leone wrote:
I'm trying to use DIGEST authentication with Tomcat, and it doesn't 
seem to work. I found some articles with Google about IE 
implementing DIGEST authentication in a way that only worked with 
MS servers, and I assume that hasn't been corrected. But I'm also 
using Firefox with the same results as IE. I saw an article about a 
workaround in Apache server to make DIGEST authentication work with 
IE, but I didn't see anything about Tomcat. Anyone know of any way 
to get DIGEST authentication in Tomcat to work with ANY browser?

I should mention that I'm also using digested passwords in a  JDBC 
Realm (implemented with mySQL), and I followed the how-to 
instructions for creating digested passwords to work with DIGEST 
authentication. And authentication with JDBCRealm works fine when I 
use BASIC authentication.

For the record, I put the following in the Host element in Server.xml
<Context path="/MyApp" docBase="MyApp">
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         disableProxyCaching="false" />
</Context>

I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql:///Tomcat_Realm" userTable="users"
       userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>

And I put

RE: DIGEST authentication; Does it work??

2005-03-23 Thread David Owens
The docs say this:
When a standard realm authenticates by retrieving the stored password
and comparing it with the value presented by the user, you can select
digested passwords by specifying the *digest* attribute on your Realm
element. The value for this attribute must be one of the digest
algorithms supported by the java.security.MessageDigest class (SHA, MD2,
or MD5). When you select this option, the contents of the password that
is stored in the Realm must be the cleartext version of the password, as
digested by the specified algorithm.

I have starred the word digest. If you look at the source for the page
you will notice the word digest is in code tags, and I think they are
trying to indicate this is a key word you can use in the realm tag.

Let us know if this works for you.

|)ave

-Original Message-
From: Mark Leone [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 23, 2005 1:53 AM
To: Tomcat Users List
Subject: Re: DIGEST authentication; Does it work??

So at 3:00 AM I decided to read the Basic and Digest Access 
Authentication spec (RFC 2617), and it says that MD5 is the default hash

algorithm. I had previously seen that Tomcat wasn't sending any response

headers explicitly specifying the hash algorithm, even though I had 
specified SHA in the <realm/> element in Server.xml. So I changed my 
digest algorithm for the realm to MD5, and DIGEST authentication is now 
working.

I'd like to make it work with SHA-1. I've looked all through the Tomcat 
documentation, and I can't find a configuration parameter to set the 
www-authenticate response header to indicate SHA-1 algorithm for the 
digest. I see the API that supports this in 
org.apache.catalina.authenticator.DigestAuthenticator ( 
setAuthenticateHeader() ), but I can't find a configuration parameter 
that will determine the value for algorithm passed to this method. 
Does anyone know how I can set this?
-Mark

Mark Leone wrote:

 I found a silly classpath error that fixed the problem using 
 RealmBase. I didn't realize that my system still had environment 
 variable %catalina_home% pointing to an old tomcat 4.1.24 directory. 
 So when I opened a command window to generate digest values I was 
 executing RealmBase in tomcat 4.1.24. But guess what. When I digest 
 the same info with the same algorithm specifier (SHA) in Tomcat 4.1.24

 and Tomcat 5.5.8 I get different digest values. And DIGEST 
 authentication still doesn't work, in either case. Something very 
 strange is going on here. :(

 -Mark

 Mark Leone wrote:

 Okay, I was using 5.5.7. So I just downloaded the source and built 
 5.5.8, and things got worse. Digest authentication is not working for

 me. I believe I've set everything up correctly. Using an HTTP monitor

 I see a 401 response coming back from Tomcat with a www-authenticate 
 header whose parameters specify digest authentication and identify 
 the realm as JDBCRealm. And I have a digested password that I created

 by digesting {username}:JDBCRealm:{password} (including the colons- 
 is that correct?), as directed in the how-to documentation. But when 
 I enter that username and password, the authentication fails. Now I 
 used SHA-1 to digest the password, and my <realm/> element in 
 Server.xml identifies SHA as the digest algorithm for digesting 
 passwords. Does this mean that the DIGEST authentication will also be

 done using SHA-1? Or do I need to specify that somewhere? Am I 
 missing something else?

 I said it got worse with 5.5.8 because now I can't even get RealmBase

 to generate a digested password. I  enter
 java -cp %catalina_home%\server\lib\catalina.jar 
 org.apache.catalina.realm.RealmBase -a SHA 
 {username}:JDBCRealm:{password}

 and I get:

 Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
         at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)

 So it's finding RealmBase, but while executing that code it fails to 
 find LogFactory. I don't see an org\apache\commons path in any of the

 class directories generated during the build. Do I have a defective 
 build? Was I supposed to download something else?

 -Mark

 Mark Thomas wrote:

 Yes it does. I tested this extensively with both IE and Firefox. Any

 combination of the following is OK:

 Auth:BASIC, FORM, DIGEST
 Realm:Memory, UserDatabase, JDBC, DataSource
 Passwords:Cleartext, digested

 There is a complication when using digested passwords with the 
 digest realm.

 You need to be using 4.1.x from CVS HEAD or 5.5.8+

 For more info see:
 http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html

 Mark


 Mark Leone wrote:

 I'm trying to use DIGEST authentication with Tomcat, and it doesn't

 seem to work. I found some articles with Google about IE 
 implementing DIGEST authentication in a way that only worked with 
 MS servers, and I assume that hasn't been corrected. But I'm also 
 using Firefox with the same results as IE. I saw an article about

Re: DIGEST authentication; Does it work??

2005-03-23 Thread Mark Leone
Dave, thanks very much for your help. Unfortunately, the passage you 
quoted is referring to how the password is digested when it is stored in 
the realm. This is working fine for me, and I've been able to configure 
it to use SHA-1 or MD-5 algorithms by setting the digest attribute in 
the <realm/> element to either SHA or MD5, which are the appropriate 
keywords to identify those algorithms.

What I described above works fine when I select BASIC authentication by 
putting the following in my web.xml

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>

However, I change BASIC above to DIGEST to induce the server to tell 
the client that DIGEST authentication is required, meaning that instead 
of sending the username and password as a Base64 encoded text string, 
which anyone can decode and thereby compromise the user's credentials, 
it will send a hash of the username and password, with a random value 
and a sequence counter generated by the server also included as an input 
to the hash function. This of course is a much more secure way to send 
login credentials. According to the spec that governs DIGEST access 
authentication (rfc2617), if the server does not explicitly specify a 
hash algorithm in the www-authenticate header of the HTTP response 
message (status 401- unauthorized), it defaults to MD5. So after much 
thrashing around, I discovered that I could only get DIGEST 
authentication to work by specifying MD-5 in the <realm/> digest 
attribute, and then letting the client default to using MD5 for the 
DIGEST authentication algorithm, since Tomcat is not specifying the 
algorithm in the HTTP header (which I verified with an HTTP monitor tool).

What I would LIKE to do is use SHA-1, since it's a more secure algorithm 
(and because I have engineer's disease, and I have to figure out how to 
do something even if there's an almost-as-good alternative). I know I 
can set the <realm/> digest attribute to SHA-1, but I don't know how I 
can tell Tomcat to require SHA-1 algorithm in the www-authenticate 
response header. I found a method that does this

org.apache.catalina.authenticator.DigestAuthenticator.setAuthenticateHeader()
But I'd like to do it with a configuration parameter. I've looked 
through all the Tomcat docs, and I see nothing that appears to do this. 
I opened the Servlet spec and looked at the XSD for the web.xml 
document, and there appears to be nothing there that can set the DIGEST 
algorithm. Perhaps it can be set in the server.xml file. I'm going to 
look for that XSD next, but if anyone knows off-hand what the parameter 
is, please enlighten me.

If there's not a configuration parameter, could someone tell me how to 
do this programmatically? I'm fairly new to Tomcat, and I think I can 
figure out how to get access to the aforementioned 
setAuthenticateHeader() method in the servlet context, but I don't know 
how to make the container do that for the duration of a browser session, 
as opposed to setting the www-authenticate header every time my JSP or 
servlet is called.

-Mark
David Owens wrote:
The docs say this:
When a standard realm authenticates by retrieving the stored password
and comparing it with the value presented by the user, you can select
digested passwords by specifying the *digest* attribute on your Realm
element. The value for this attribute must be one of the digest
algorithms supported by the java.security.MessageDigest class (SHA, MD2,
or MD5). When you select this option, the contents of the password that
is stored in the Realm must be the cleartext version of the password, as
digested by the specified algorithm.
I have starred the word digest. If you look at the source for the page
you will notice the word digest is in code tags, and I think they are
trying to indicate this is a key word you can use in the realm tag.
Let us know if this works for you.
|)ave
-Original Message-
From: Mark Leone [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 23, 2005 1:53 AM
To: Tomcat Users List
Subject: Re: DIGEST authentication; Does it work??

So at 3:00 AM I decided to read the Basic and Digest Access 
Authentication spec (RFC 2617), and it says that MD5 is the default hash

algorithm. I had previously seen that Tomcat wasn't sending any response
headers explicitly specifying the hash algorithm, even though I had 
specified SHA in the <realm/> element in Server.xml. So I changed my 
digest algorithm for the realm to MD5, and DIGEST authentication is now 
working.

I'd like to make it work with SHA-1. I've looked all through the Tomcat 
documentation, and I can't find a configuration parameter to set the 
www-authenticate response header to indicate SHA-1 algorithm for the 
digest. I see the API that supports this in 
org.apache.catalina.authenticator.DigestAuthenticator ( 
setAuthenticateHeader() ), but I can't find a configuration parameter 
that will determine the value for algorithm passed to this method. 
Does anyone know how I
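
Added example (not part of the original thread, and not Tomcat's code): a Python sketch of the RFC 2617 calculation discussed in the message above, showing why a realm that stores SHA digests of username:realm:password cannot satisfy a challenge with no algorithm directive, while MD5 digests can. It assumes the server uses the stored value directly as HA1; the user name, password, nonce and URI are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample challenge: like the one described in the thread, it
# carries no "algorithm" directive.
CHALLENGE = ('Digest realm="JDBCRealm", qop="auth", '
             'nonce="9f2c4a1be07d4c6e", opaque="1b3a5c7e"')


def hex_hash(algorithm, text):
    """Hex digest of text; algorithm is a hashlib name such as 'md5' or 'sha1'."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def stored_credential(username, realm, password, algorithm):
    """Value kept in the realm's password column: hash of username:realm:password."""
    return hex_hash(algorithm, f"{username}:{realm}:{password}")


def parse_challenge(header):
    """Parse a WWW-Authenticate 'Digest ...' value into a dict of directives."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[key.lower()] = quoted if quoted else bare
    # RFC 2617: a missing algorithm directive means MD5.
    params.setdefault("algorithm", "MD5")
    return params


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop):
    """request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = hex_hash("md5", f"{method}:{uri}")
    return hex_hash("md5", f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_answer(challenge, username, password, method, uri, nc, cnonce):
    """What a browser sends back; HA1 is derived with the challenge's algorithm."""
    if challenge["algorithm"].upper() != "MD5":
        raise ValueError("this sketch only covers the MD5 default")
    ha1 = stored_credential(username, challenge["realm"], password, "md5")
    return digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce, "auth")


def server_accepts(stored_ha1, challenge, method, uri, nc, cnonce, response):
    """Assumed server behaviour: the stored digest is used directly as HA1."""
    expected = digest_response(stored_ha1, method, uri,
                               challenge["nonce"], nc, cnonce, "auth")
    return hmac.compare_digest(expected, response)


def demo():
    """Compare a realm that stores MD5 digests with one that stores SHA-1."""
    challenge = parse_challenge(CHALLENGE)
    request = ("GET", "/MyApp/", "00000001", "0a4f113b")  # method, uri, nc, cnonce
    answer = client_answer(challenge, "mark", "s3cret", *request)
    results = {}
    for algorithm in ("md5", "sha1"):
        stored = stored_credential("mark", challenge["realm"], "s3cret", algorithm)
        results[algorithm] = server_accepts(stored, challenge, *request, answer)
    return results


if __name__ == "__main__":
    print(demo())
```

The same password passes BASIC authentication against either realm, because there the server hashes the cleartext it receives with the realm's own algorithm.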

Re: DIGEST authentication; Does it work??

2005-03-23 Thread Mark Leone
When all else fails, look at the source code (Dave, thanks for the 
suggestion). There is no support for SHA-1 in Tomcat's implementation of 
DigestAuthenticator. It should be easy enough to implement, provided the 
core JDK supports the creation of an instance of 
java.security.MessageDigest that is implemented with SHA-1. I'll give 
this a try tomorrow- no midnight java tonight.

-Mark
Mark Leone wrote:
Dave, thanks very much for your help. Unfortunately, the passage you 
quoted is referring to how the password is digested when it is stored 
in the realm. This is working fine for me, and I've been able to 
configure it to use SHA-1 or MD-5 algorithms by setting the digest 
attribute in the <realm/> element to either SHA or MD5, which are 
the appropriate keywords to identify those algorithms.

What I described above works fine when I select BASIC authentication 
by putting the following in my web.xml

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>

However, I change BASIC above to DIGEST to induce the server to 
tell the client that DIGEST authentication is required, meaning that 
instead of sending the username and password as a Base64 encoded text 
string, which anyone can decode and thereby compromise the user's 
credentials, it will send a hash of the username and password, with a 
random value and a sequence counter generated by the server also 
included as an input to the hash function. This of course is a much 
more secure way to send login credentials. According to the spec that 
governs DIGEST access authentication (rfc2617), if the server does not 
explicitly specify a hash algorithm in the www-authenticate header of 
the HTTP response message (status 401- unauthorized), it defaults to 
MD5. So after much thrashing around, I discovered that I could only 
get DIGEST authentication to work by specifying MD-5 in the <realm/> 
digest attribute, and then letting the client default to using MD5 for 
the DIGEST authentication algorithm, since Tomcat is not specifying 
the algorithm in the HTTP header (which I verified with an HTTP 
monitor tool).

What I would LIKE to do is use SHA-1, since it's a more secure 
algorithm (and because I have engineer's disease, and I have to figure 
out how to do something even if there's an almost-as-good 
alternative). I know I can set the <realm/> digest attribute to SHA-1, 
but I don't know how I can tell Tomcat to require SHA-1 algorithm in 
the www-authenticate response header. I found a method that does this

org.apache.catalina.authenticator.DigestAuthenticator.setAuthenticateHeader() 

But I'd like to do it with a configuration parameter. I've looked 
through all the Tomcat docs, and I see nothing that appears to do 
this. I opened the Servlet spec and looked at the XSD for the web.xml 
document, and there appears to be nothing there that can set the 
DIGEST algorithm. Perhaps it can be set in the server.xml file. I'm 
going to look for that XSD next, but if anyone knows off-hand what the 
parameter is, please enlighten me.

If there's not a configuration parameter, could someone tell me how to 
do this programmatically? I'm fairly new to Tomcat, and I think I can 
figure out how to get access to the aforementioned 
setAuthenticateHeader() method in the servlet context, but I don't 
know how to make the container do that for the duration of a browser 
session, as opposed to setting the www-authenticate header every time 
my JSP or servlet is called.

-Mark
David Owens wrote:
The docs say this:
When a standard realm authenticates by retrieving the stored password
and comparing it with the value presented by the user, you can select
digested passwords by specifying the *digest* attribute on your Realm
element. The value for this attribute must be one of the digest
algorithms supported by the java.security.MessageDigest class (SHA, MD2,
or MD5). When you select this option, the contents of the password that
is stored in the Realm must be the cleartext version of the password, as
digested by the specified algorithm.
I have starred the word digest. If you look at the source for the page
you will notice the word digest is in code tags, and I think they are
trying to indicate this is a key word you can use in the realm tag.
Let us know if this works for you.
|)ave
-Original Message-
From: Mark Leone [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 
23, 2005 1:53 AM
To: Tomcat Users List
Subject: Re: DIGEST authentication; Does it work??

So at 3:00 AM I decided to read the Basic and Digest Access 
Authentication spec (RFC 2617), and it says that MD5 is the default hash

algorithm. I had previously seen that Tomcat wasn't sending any response
headers explicitly specifying the hash algorithm, even though I had 
specified SHA in the <realm/> element in Server.xml. So I changed my 
digest algorithm for the realm to MD5, and DIGEST authentication is 
now working.

I'd like to make it work with SHA-1. I've looked all through

Re: DIGEST authentication; Does it work??

2005-03-22 Thread Mark Thomas
Yes it does. I tested this extensively with both IE and Firefox. Any 
combination of the following is OK:

Auth:   BASIC, FORM, DIGEST
Realm:  Memory, UserDatabase, JDBC, DataSource
Passwords:  Cleartext, digested
There is a complication when using digested passwords with the digest realm.
You need to be using 4.1.x from CVS HEAD or 5.5.8+
For more info see:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Mark
Mark Leone wrote:
I'm trying to use DIGEST authentication with Tomcat, and it doesn't seem 
to work. I found some articles with Google about IE implementing DIGEST 
authentication in a way that only worked with MS servers, and I assume 
that hasn't been corrected. But I'm also using Firefox with the same 
results as IE. I saw an article about a workaround in Apache server to 
make DIGEST authentication work with IE, but I didn't see anything about 
Tomcat. Anyone know of any way to get DIGEST authentication in Tomcat to 
work with ANY browser?

I should mention that I'm also using digested passwords in a  JDBC Realm 
(implemented with mySQL), and I followed the how-to instructions for 
creating digested passwords to work with DIGEST authentication. And 
authentication with JDBCRealm works fine when I use BASIC authentication.

For the record, I put the following in the Host element in Server.xml
<Context path="/MyApp" docBase="MyApp">
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         disableProxyCaching="false" />
</Context>

I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql:///Tomcat_Realm" userTable="users"
       userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>

And I put the following in my app's web.xml
<security-constraint.../> (elided)
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
<security-role.../> (elided)

And when I created the digested password to store in my JDBCRealm 
database, I digested:  (username) : JDBCRealm : (password). As you can 
see, I specified SHA as the digest algorithm in Server.xml's realm 
element, and I used SHA to create the digested password that I stored in 
the database. I assume that the server will prompt the browser to use 
SHA also when it sends the challenge header requesting DIGEST 
authentication?
 


Re: DIGEST authentication; Does it work??

2005-03-22 Thread Mark Leone
Okay, I was using 5.5.7. So I just downloaded the source and built 
5.5.8, and things got worse. Digest authentication is not working for 
me. I believe I've set everything up correctly. Using an HTTP monitor I 
see a 401 response coming back from Tomcat with a www-authenticate 
header whose parameters specify digest authentication and identify the 
realm as JDBCRealm. And I have a digested password that I created by 
digesting {username}:JDBCRealm:{password} (including the colons- is that 
correct?), as directed in the how-to documentation. But when I enter 
that username and password, the authentication fails. Now I used SHA-1 
to digest the password, and my <realm/> element in Server.xml identifies 
SHA as the digest algorithm for digesting passwords. Does this mean that 
the DIGEST authentication will also be done using SHA-1? Or do I need to 
specify that somewhere? Am I missing something else?

I said it got worse with 5.5.8 because now I can't even get RealmBase to 
generate a digested password. I enter
java -cp %catalina_home%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a SHA {username}:JDBCRealm:{password}

and I get:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
        at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)

So it's finding RealmBase, but while executing that code it fails to 
find LogFactory. I don't see an org\apache\commons path in any of the 
class directories generated during the build. Do I have a defective 
build? Was I supposed to download something else?

-Mark
Mark Thomas wrote:
Yes it does. I tested this extensively with both IE and Firefox. Any 
combination of the following is OK:

Auth: BASIC, FORM, DIGEST
Realm: Memory, UserDatabase, JDBC, DataSource
Passwords: Cleartext, digested
There is a complication when using digested passwords with the digest 
realm.

You need to be using 4.1.x from CVS HEAD or 5.5.8+
For more info see:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Mark
Mark Leone wrote:
I'm trying to use DIGEST authentication with Tomcat, and it doesn't 
seem to work. I found some articles with Google about IE implementing 
DIGEST authentication in a way that only worked with MS servers, and 
I assume that hasn't been corrected. But I'm also using Firefox with 
the same results as IE. I saw an article about a workaround in Apache 
server to make DIGEST authentication work with IE, but I didn't see 
anything about Tomcat. Anyone know of any way to get DIGEST 
authentication in Tomcat to work with ANY browser?

I should mention that I'm also using digested passwords in a  JDBC 
Realm (implemented with mySQL), and I followed the how-to 
instructions for creating digested passwords to work with DIGEST 
authentication. And authentication with JDBCRealm works fine when I 
use BASIC authentication.

For the record, I put the following in the Host element in Server.xml
<Context path="/MyApp" docBase="MyApp">
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         disableProxyCaching="false" />
</Context>

I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql:///Tomcat_Realm"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>

And I put the following in my app's web.xml
<security-constraint>...</security-constraint> (elided)
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
<security-role>...</security-role> (elided)
And when I created the digested password to store in my JDBCRealm 
database, I digested:  (username) : JDBCRealm : (password). As you 
can see, I specified SHA as the digest algorithm in Server.xml's 
realm element, and I used SHA to create the digested password that 
I stored in the database. I assume that the server will prompt the 
browser to use SHA also when it sends the challenge header requesting 
DIGEST authentication?
 


Re: DIGEST authentication; Does it work??

2005-03-22 Thread Mark Leone
I found a silly classpath error that fixed the problem using RealmBase. 
I didn't realize that my system still had environment variable 
%catalina_home% pointing to an old tomcat 4.1.24 directory. So when I 
opened a command window to generate digest values I was executing 
RealmBase in tomcat 4.1.24. But guess what. When I digest the same info 
with the same algorithm specifier (SHA) in Tomcat 4.1.24 and Tomcat 
5.5.8 I get different digest values. And DIGEST authentication still 
doesn't work, in either case. Something very strange is going on here. :(

-Mark
Mark Leone wrote:
Okay, I was using 5.5.7. So I just downloaded the source and built 
5.5.8, and things got worse. Digest authentication is not working for 
me. I believe I've set everything up correctly. Using an HTTP monitor 
I see a 401 response coming back from Tomcat with a www-authenticate 
header whose parameters specify digest authentication and identify the 
realm as JDBCRealm. And I have a digested password that I created by 
digesting {username}:JDBCRealm:{password} (including the colons- is 
that correct?), as directed in the how-to documentation. But when I 
enter that username and password, the authentication fails. Now I used 
SHA-1 to digest the password, and my <realm/> element in Server.xml 
identifies SHA as the digest algorithm for digesting passwords. Does 
this mean that the DIGEST authentication will also be done using 
SHA-1? Or do I need to specify that somewhere? Am I missing something 
else?

I said it got worse with 5.5.8 because now I can't even get RealmBase 
to generate a digested password. I  enter
java -cp %catalina_home%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a SHA {username}:JDBCRealm:{password}

and I get:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
        at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)

So it's finding RealmBase, but while executing that code it fails to 
find LogFactory. I don't see an org\apache\commons path in any of the 
class directories generated during the build. Do I have a defective 
build? Was I supposed to download something else?

-Mark
Mark Thomas wrote:
Yes it does. I tested this extensively with both IE and Firefox. Any 
combination of the following is OK:

Auth:      BASIC, FORM, DIGEST
Realm:     Memory, UserDatabase, JDBC, DataSource
Passwords: Cleartext, digested
There is a complication when using digested passwords with the digest 
realm.

You need to be using 4.1.x from CVS HEAD or 5.5.8+
For more info see:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Mark
Mark Leone wrote:
I'm trying to use DIGEST authentication with Tomcat, and it doesn't 
seem to work. I found some articles with Google about IE 
implementing DIGEST authentication in a way that only worked with MS 
servers, and I assume that hasn't been corrected. But I'm also using 
Firefox with the same results as IE. I saw an article about a 
workaround in Apache server to make DIGEST authentication work with 
IE, but I didn't see anything about Tomcat. Anyone know of any way 
to get DIGEST authentication in Tomcat to work with ANY browser?

I should mention that I'm also using digested passwords in a  JDBC 
Realm (implemented with mySQL), and I followed the how-to 
instructions for creating digested passwords to work with DIGEST 
authentication. And authentication with JDBCRealm works fine when I 
use BASIC authentication.

For the record, I put the following in the Host element in Server.xml
<Context path="/MyApp" docBase="MyApp">
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         disableProxyCaching="false" />
</Context>

I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql:///Tomcat_Realm"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>

And I put the following in my app's web.xml
<security-constraint>...</security-constraint> (elided)
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
<security-role>...</security-role> (elided)
And when I created the digested password to store in my JDBCRealm 
database, I digested:  (username) : JDBCRealm : (password). As you 
can see, I specified SHA as the digest algorithm in Server.xml's 
realm element, and I used SHA to create the digested password that 
I stored in the database. I assume that the server will prompt the 
browser to use SHA also when it sends the challenge header 
requesting DIGEST authentication?
 

DIGEST authentication; Does it work??

2005-03-21 Thread Mark Leone
I'm trying to use DIGEST authentication with Tomcat, and it doesn't seem 
to work. I found some articles with Google about IE implementing DIGEST 
authentication in a way that only worked with MS servers, and I assume 
that hasn't been corrected. But I'm also using Firefox with the same 
results as IE. I saw an article about a workaround in Apache server to 
make DIGEST authentication work with IE, but I didn't see anything about 
Tomcat. Anyone know of any way to get DIGEST authentication in Tomcat to 
work with ANY browser?

I should mention that I'm also using digested passwords in a  JDBC Realm 
(implemented with mySQL), and I followed the how-to instructions for 
creating digested passwords to work with DIGEST authentication. And 
authentication with JDBCRealm works fine when I use BASIC authentication.

For the record, I put the following in the Host element in Server.xml
<Context path="/MyApp" docBase="MyApp">
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         disableProxyCaching="false" />
</Context>

I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql:///Tomcat_Realm"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>

And I put the following in my app's web.xml
<security-constraint>...</security-constraint> (elided)
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
<security-role>...</security-role> (elided)
And when I created the digested password to store in my JDBCRealm 
database, I digested:  (username) : JDBCRealm : (password). As you can 
see, I specified SHA as the digest algorithm in Server.xml's realm 
element, and I used SHA to create the digested password that I stored in 
the database. I assume that the server will prompt the browser to use 
SHA also when it sends the challenge header requesting DIGEST 
authentication?
  



Re: DataSourceRealm + DIGEST authentication

2004-10-17 Thread Shinobu Kawai

Hi all,

 Has anyone created a DataSourceRealm that works with DIGEST
 authentication?  I'm planning to make one, but only if I'm not
 reinventing the wheel.
If anyone's interested, here's what I have so far:
http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableDataSourceRealm.java

Any comments welcome.

Best regards,
-- Shinobu Kawai

--
Shinobu Kawai [EMAIL PROTECTED]





DataSourceRealm + DIGEST authentication

2004-10-15 Thread Shinobu Kawai

Hi all,

Has anyone created a DataSourceRealm that works with DIGEST
authentication?  I'm planning to make one, but only if I'm not
reinventing the wheel.

A relative bugzilla issue:
http://issues.apache.org/bugzilla/show_bug.cgi?id=19767

Best regards,
-- Shinobu Kawai

--
Shinobu Kawai [EMAIL PROTECTED]





RE: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-08 Thread Shapira, Yoav

Hi,
Thank you for posting this fine explanation and solution so that others
may learn.  It always makes my day when people figure out good
solutions!

Now if the Red Sox win, this will truly be a great day! ;)  But a good
weekend to all, regardless...

Yoav Shapira
Millennium Research Informatics


-Original Message-
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]
Sent: Friday, October 08, 2004 1:14 AM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the
sam
e time.

Hi Phillip,

Thanks for the information.

 - Not all browsers supported DIGEST authentication, so you can't guarantee
 that all clients will be able to authenticate... Internet Explorer and
 Konqueror are two browsers that do support DIGEST authentication. Mozilla
 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize
 this), but can't authenticate.
This is cleared, since we are using IE 6.

 - DIGEST authentication doesn't work if the passwords are digested on the
 Tomcat side (so that they can't be read as cleartext) because of the way
 that DIGEST mechanism calculates its digest. First of all the browser
 calculates a digest of the username, the password, the URL, the HTTP method,
 and a random string sent to it by the server. Likewise, the server creates a
 digest to verify that the details entered by the user are correct. However,
 as the password is already digested on the server, and thus completely
 different from the cleartext version entered into the browser, the two
 digests will be different, and authentication will fail...
So here's my problem.  I looked further into this, and found a
solution, which I would like to share.

First, if you take a look at the DIGEST authentication spec at
 http://www.faqs.org/rfcs/rfc2617.html
You will see in section 3.2.2.2 A1, that for MD5, the hashed result
depends on username, realm and password.  Which means, if I couple the
usernames with the realm, it is possible to hash the passwords stored
in the server.

Next, I found where the A1 is being calculated in Tomcat:
 RealmBase#getDigest(String username, String realmName)
If I override this method to return the hashed password, the digested
password and DIGEST authentication should work together.

In order to test my theory, I have created a Realm that does the
above, extending MemoryRealm:
 http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableMemoryRealm.java
I set it in my Context using:
 <Context path="/shinobu" docBase="shinobu"
     workDir="work\Catalina\localhost\shinobu">
   <Realm className="org.ieee.shinobu.demo.tomcat.DigestableMemoryRealm"
       digest="MD5" pathname="conf/shinobu-users.xml" />
 </Context>

Inside my shinobu-users.xml:
 <tomcat-users>
   <role rolename="shinobu.admin"/>
   <user username="md5a1_admin"
       password="57348f05c8378963c2d52ec456f6b6fd" roles="shinobu.admin"/>
 </tomcat-users>
The password is md5a1_admin:Shinobu's domain:shinobu_admin digested with MD5.

I set authentication to DIGEST in my web.xml:
 <web-app>
   <security-constraint>
     <web-resource-collection>
       <url-pattern>/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>shinobu.admin</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>DIGEST</auth-method>
     <realm-name>Shinobu's domain</realm-name>
   </login-config>
   <security-role>
     <role-name>shinobu.admin</role-name>
   </security-role>
 </web-app>

I access http://localhost:8080/shinobu/admin/ and voilà!  It works!

Best regards,
-- Shinobu Kawai

--
Shinobu Kawai [EMAIL PROTECTED]




Using Digested Passwords and DIGEST Authentication at the same time.

2004-10-07 Thread Shinobu Kawai
Hi all,

I'm looking for a way to use Digested Passwords as in
   http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
and DIGEST Authentication at the same time.  I have found relative
questions/threads in the list:
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg97135.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg90244.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg88409.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg79660.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg79525.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg72288.html

But none of them has a solution.  Any ideas before I start hacking Tomcat?
TYI

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]




RE: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-07 Thread Phillip Qin
Have you tried it based on the howto?



-Original Message-
From: Shinobu Kawai [mailto:[EMAIL PROTECTED] 
Sent: October 7, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: Using Digested Passwords and DIGEST Authentication at the same
time.


Hi all,

I'm looking for a way to use Digested Passwords as in
   http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
and DIGEST Authentication at the same time.  I have found relative
questions/threads in the list:
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg97135.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg90244.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg88409.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg79660.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg79525.html
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg72288.html

But none of them has a solution.  Any ideas before I start hacking Tomcat?
TYI

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]



Re: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-07 Thread Shinobu Kawai
Hi Phillip,

 Have you tried it based on the howto?
Yep.
Here's what I tried: (All with o.a.c.r.MemoryRealm)
clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]




RE: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-07 Thread Phillip Qin
I don't think MD5+DIGEST will work. Take a look at any subclass of
RealmBase. Realm has nothing to do with web.xml attribute login-config. In
the authenticate method, Realm checks hasMessageDigest() - value of Realm
digest=. If hasMessageDigest, in your case =MD5, Realm digests the password
and compares it with the value stored in database.

-Original Message-
From: Shinobu Kawai [mailto:[EMAIL PROTECTED] 
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the sam e
time.


Hi Phillip,

 Have you tried it based on the howto?
Yep.
Here's what I tried: (All with o.a.c.r.MemoryRealm)
clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]



RE: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-07 Thread Phillip Qin
It's interesting you know. I read a book called Professional Apache Tomcat
published by Wrox. In Chapter 16 Tomcat Security, the author says

- Not all browsers supported DIGEST authentication, so you can't guarantee
that all clients will be able to authenticate... Internet Explorer and
Konqueror are two browsers that do support DIGEST authentication. Mozilla
1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize
this), but can't authenticate.
- DIGEST authentication doesn't work if the passwords are digested on the
Tomcat side (so that they can't be read as cleartext) because of the way
that DIGEST mechanism calculates its digest. First of all the browser
calculates a digest of the username, the password, the URL, the HTTP method,
and a random string sent to it by the server. Likewise, the server creates a
digest to verify that the details entered by the user are correct. However,
as the password is already digested on the server, and thus completely
different from the cleartext version entered into the browser, the two
digests will be different, and authentication will fail...


-Original Message-
From: Phillip Qin [mailto:[EMAIL PROTECTED] 
Sent: October 7, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the sam e
time.


I don't think MD5+DIGEST will work. Take a look at any subclass of
RealmBase. Realm has nothing to do with web.xml attribute login-config. In
the authenticate method, Realm checks hasMessageDigest() - value of Realm
digest=. If hasMessageDigest, in your case =MD5, Realm digests the password
and compares it with the value stored in database.

-Original Message-
From: Shinobu Kawai [mailto:[EMAIL PROTECTED] 
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the sam e
time.


Hi Phillip,

 Have you tried it based on the howto?
Yep.
Here's what I tried: (All with o.a.c.r.MemoryRealm)
clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]



RE: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-07 Thread Anderson, M. Paul
As I am new to Tomcat I will ask you to excuse my ignorance.  I have just
realized (and I am asking those with the necessary experience to verify
this) that when you talk about DIGEST authentication there are really two
separate and distinct forms of it:

1.  Indicate to the BROWSER to digest the password before it is passed over
the network.  Tomcat would then extract the PLAIN TEXT password from the
database, digest it using the same algorithm and compare it to the digested
value that was just received from the browser.

2.  Indicate to the REALM that passwords in the database are stored as hash
values of the user password.  Tomcat will receive the password from the
browser in PLAIN TEXT - the realm will hash it and compare it to the
retrieved hashed password from the database.

As mentioned below, combining these two mechanisms won't work.  This happens
to be fine for me - we use SSL for all data transfer but we were storing
passwords in plain text in the database.  We'd like to store hashed values.
It is now my understanding that I can continue to use BASIC authentication
but simply configure the realm to expect hashed passwords in the database.

That really clarifies a lot (assuming I haven't bungled it).  I kept finding
opposing views concerning digestion of passwords and I couldn't find any
absolutes about it.  What a relief to finally get some insight!

Any clarification or correction of this information would be greatly
appreciated before I commit it to memory.

Thanks!!!

-Original Message-
From: Phillip Qin [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 07, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the sam e
time.


I don't think MD5+DIGEST will work. Take a look at any subclass of
RealmBase. Realm has nothing to do with web.xml attribute login-config. In
the authenticate method, Realm checks hasMessageDigest() - value of Realm
digest=. If hasMessageDigest, in your case =MD5, Realm digests the password
and compares it with the value stored in database.

-Original Message-
From: Shinobu Kawai [mailto:[EMAIL PROTECTED] 
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the sam e
time.


Hi Phillip,

 Have you tried it based on the howto?
Yep.
Here's what I tried: (All with o.a.c.r.MemoryRealm)
clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]




Re: Using Digested Passwords and DIGEST Authentication at the sam e time.

2004-10-07 Thread Shinobu Kawai
Hi Phillip,

Thanks for the information.

 - Not all browsers supported DIGEST authentication, so you can't guarantee
 that all clients will be able to authenticate... Internet Explorer and
 Konqueror are two browsers that do support DIGEST authentication. Mozilla
 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize
 this), but can't authenticate.
This is cleared, since we are using IE 6.

 - DIGEST authentication doesn't work if the passwords are digested on the
 Tomcat side (so that they can't be read as cleartext) because of the way
 that DIGEST mechanism calculates its digest. First of all the browser
 calculates a digest of the username, the password, the URL, the HTTP method,
 and a random string sent to it by the server. Likewise, the server creates a
 digest to verify that the details entered by the user are correct. However,
 as the password is already digested on the server, and thus completely
 different from the cleartext version entered into the browser, the two
 digests will be different, and authentication will fail...
So here's my problem.  I looked further into this, and found a
solution, which I would like to share.

First, if you take a look at the DIGEST authentication spec at
 http://www.faqs.org/rfcs/rfc2617.html
You will see in section 3.2.2.2 A1, that for MD5, the hashed result
depends on username, realm and password.  Which means, if I couple the
usernames with the realm, it is possible to hash the passwords stored
in the server.

Next, I found where the A1 is being calculated in Tomcat:
 RealmBase#getDigest(String username, String realmName)
If I override this method to return the hashed password, the digested
password and DIGEST authentication should work together.

In order to test my theory, I have created a Realm that does the
above, extending MemoryRealm:
 http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableMemoryRealm.java
I set it in my Context using:
 <Context path="/shinobu" docBase="shinobu"
     workDir="work\Catalina\localhost\shinobu">
   <Realm className="org.ieee.shinobu.demo.tomcat.DigestableMemoryRealm"
       digest="MD5" pathname="conf/shinobu-users.xml" />
 </Context>

Inside my shinobu-users.xml:
 <tomcat-users>
   <role rolename="shinobu.admin"/>
   <user username="md5a1_admin"
       password="57348f05c8378963c2d52ec456f6b6fd" roles="shinobu.admin"/>
 </tomcat-users>
The password is md5a1_admin:Shinobu's domain:shinobu_admin digested with MD5.

I set authentication to DIGEST in my web.xml:
 <web-app>
   <security-constraint>
     <web-resource-collection>
       <url-pattern>/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>shinobu.admin</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>DIGEST</auth-method>
     <realm-name>Shinobu's domain</realm-name>
   </login-config>
   <security-role>
     <role-name>shinobu.admin</role-name>
   </security-role>
 </web-app>

I access http://localhost:8080/shinobu/admin/ and voilà!  It works!

Best regards,
-- Shinobu Kawai

-- 
Shinobu Kawai [EMAIL PROTECTED]
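
The calculation described in the message above, together with the SHA question from the 2005 "DIGEST authentication; Does it work??" thread, as an added example (not code from the thread or from Tomcat). It implements the RFC 2617 MD5 / qop=auth formulas and checks one browser response against several stored-credential formats; the function names, nonce, nc and cnonce are constructed for illustration, while the user name, realm and password strings are the ones quoted in the message.

```python
"""Digest check (RFC 2617, MD5, qop=auth) against several stored-credential formats."""
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1), RFC 2617 section 3.2.2.2: MD5 over username:realm:password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest, RFC 2617 section 3.2.2.1, for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def browser_request(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the browser starts from the cleartext password the user typed."""
    return {
        "method": method, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1(username, realm, password),
                                    method, uri, nonce, nc, cnonce),
    }


def server_accepts(stored_value: str, req: dict) -> bool:
    """Server side: treat the stored credential as H(A1) and recompute the response.

    The stored value is all this check needs, so it is password-equivalent
    for the realm and the user table deserves the same protection as cleartext.
    """
    expected = digest_response(stored_value, req["method"], req["uri"],
                               req["nonce"], req["nc"], req["cnonce"])
    return hmac.compare_digest(expected, req["response"])


# Strings quoted in the message above.
USER, REALM, PASSWORD = "md5a1_admin", "Shinobu's domain", "shinobu_admin"
# Constructed challenge values (hypothetical, for this example only).
NONCE, NC, CNONCE = "constructed-nonce-0001", "00000001", "c0ffee01"


def compare_storage_formats() -> dict:
    """Return {stored format: does DIGEST verification succeed?}."""
    req = browser_request(USER, REALM, PASSWORD, "GET", "/shinobu/admin/",
                          NONCE, NC, CNONCE)
    a1 = f"{USER}:{REALM}:{PASSWORD}"
    candidates = {
        # The form the message stores in shinobu-users.xml.
        "md5(user:realm:password)": ha1(USER, REALM, PASSWORD),
        # Digest of the password alone: not the A1 input, so it cannot match.
        "md5(password)": md5_hex(PASSWORD),
        # Same A1 string hashed with SHA-1: the client side here uses MD5,
        # so the stored value is not H(A1).
        "sha1(user:realm:password)": hashlib.sha1(a1.encode("utf-8")).hexdigest(),
        # Right algorithm, but digested with a realm string that differs
        # from the realm-name in the challenge.
        "md5(user:other-realm:password)": ha1(USER, "JDBCRealm", PASSWORD),
    }
    return {name: server_accepts(value, req) for name, value in candidates.items()}


if __name__ == "__main__":
    for name, ok in compare_storage_formats().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```
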




RE: DIGEST Authentication in Tomcat 4 vs Tomcat 5

2004-10-06 Thread Shapira, Yoav

Hi,
AFAIK, Digested passwords work just fine in both the Memory and JDBC
Realms.  I haven't tried it with a JNDI, LDAP, or JAAS Realm.  The doc
page for Realms is at
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#Digested%20Passwords.
This is for Tomcat 5, I haven't tested it for 4.x
(you should upgrade to 5 anyways if possible for you).

Yoav Shapira
Millennium Research Informatics


-Original Message-
From: Anderson, M. Paul [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 6:30 PM
To: 'Tomcat Users List'
Subject: DIGEST Authentication in Tomcat 4 vs Tomcat 5

Can anyone point me to information concerning whether or not DIGEST
authentication works in Tomcat 4 and/or Tomcat 5?  I have only found
conflicting information on the web as well as in several books.  Is
there a
tutorial out there somewhere that would help me set this up?  I have
seen
comments such as Container managed digest authentication is broken in
almost all of Tomcat 4.1's realm implementations.  Is this true?  Have
they
been fixed in 5?

Thanks a million!




RE: DIGEST Authentication in Tomcat 4 vs Tomcat 5

2004-10-06 Thread Mark Thomas
There have been a few issues (see the change log at
http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
for details) but these have
been fixed in both TC4 and TC5. The latest TC4 release (4.1.30) does not contain
these fixes - hopefully there will be a 4.1.31 release soon. However, you should
update to TC5 if you can as it is now the main focus of development effort.

Mark

 -Original Message-
 From: Anderson, M. Paul [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 05, 2004 11:30 PM
 To: 'Tomcat Users List'
 Subject: DIGEST Authentication in Tomcat 4 vs Tomcat 5
 
 Can anyone point me to information concerning whether or not DIGEST
 authentication works in Tomcat 4 and/or Tomcat 5?  I have only found
 conflicting information on the web as well as in several 
 books.  Is there a
 tutorial out there somewhere that would help me set this up?  
 I have seen
 comments such as Container managed digest authentication is broken in
 almost all of Tomcat 4.1's realm implementations.  Is this 
 true?  Have they
 been fixed in 5?
 
 Thanks a million!
 



DIGEST Authentication in Tomcat 4 vs Tomcat 5

2004-10-05 Thread Anderson, M. Paul
Can anyone point me to information concerning whether or not DIGEST
authentication works in Tomcat 4 and/or Tomcat 5?  I have only found
conflicting information on the web as well as in several books.  Is there a
tutorial out there somewhere that would help me set this up?  I have seen
comments such as Container managed digest authentication is broken in
almost all of Tomcat 4.1's realm implementations.  Is this true?  Have they
been fixed in 5?

Thanks a million!




DIGEST Authentication question

2004-09-17 Thread Alexander Fishchuk
Hi guys.
I'm having trouble setting up DIGEST authentication for single webapp in 
Tomcat 5.0.27.

Has anyone done it successfully?
I'd appreciate some guidance in this area.

Alex

Re: Does tomcat5 support digest authentication?

2004-07-23 Thread johan . philippe
There is only very minimal support for DIGEST authentication.  So minimal that in 
practice I can't see how it could be of any use at this point in time.

It is on the list to be improved, but no idea for when:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/status.html



Does tomcat5 support digest authentication?

2004-07-22 Thread jiesheng zhang
I think it supports digest authentication. However I
cannot make it work even in the simplest case. I
have a basic tomcat 5 installation with one of my web
applications. I'd like to use digest authentication (I
do not send password to server in clear text).
The configuration is like this

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Tomcat Supported Realm</realm-name>
  </login-config>

  <security-role>
    <description>
      An example role defined in conf/tomcat-users.xml
    </description>
    <role-name>tomcat</role-name>
  </security-role>

However, it does not work. I always get 403 (access is
denied error). If I use BASIC authentication,
everything works fine. I searched the mail list. It
seemed other people also have this problem. However
there is no solution posted for it.
Has anyone got digest authentication to work? If anyone
has, what extra steps/cautions should I take?

Thanks



DIGEST authentication

2003-07-11 Thread Dave Naden
I can use Basic auth, and FORM-based auth, using the UserDatabaseRealm, with no 
problem.  But when I try to use DIGEST, like this:

  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name>
    ...etc


Tomcat obviously recognizes the keyword, because I get prompted by a different type of 
screen from IE.  But I can't authenticate. 

I've also tried specifying both algorithms, md5 and sha, in the realm tag, but with 
no effect.

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0" 
       resourceName="UserDatabase" digest="sha" />

Does anybody know what I'm doing wrong?

-Dave Naden



DIGEST authentication!

2003-03-25 Thread Uwe Klosa
Hi,

I'm using Tomcat 4.1.18, Apache 1.3.27 and mod_jk as the connector. I want
to implement DIGEST authentication on tomcat. I implemented already the
BASIC authentication which is working fine. But if I want to change to
DIGEST it doesn't work anymore.

This is the contents of my web.xml


<security-constraint>
    <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>DIGEST</auth-method>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>

I also changed the passwords in tomcat-user.xml to their digest
representations and added digest=MD5 to the realm in the server.xml.

But it doesn't work. Any ideas? 

Regards,
Uwe



REPOST: Tomcat 4.1.18: Digest authentication not working?

2003-01-06 Thread KUMAR,PANKAJ (HP-Cupertino,ex1)
Hi,

I am reposting this message as I did not get any answer/comment/advice.

Has anyone ever got Digest authentication working with Tomcat?


RE: REPOST: Tomcat 4.1.18: Digest authentication not working?

2003-01-06 Thread PELOQUIN,JEFFREY (HP-Boise,ex1)
When you switched to Digest mode did you convert the original clear text
passwords to the digest format you wish to use?


RE: REPOST: Tomcat 4.1.18: Digest authentication not working?

2003-01-06 Thread Sam Ewing
I might be wrong.. but there is a difference between
using Digest for authentication and storing the
passwords as digest version in the user
tomcat-users.xml file.

The former is what Pankaj is trying to do.. this causes
the passwords to be transmitted as digest versions of
themselves from the user's browser to Tomcat. Tomcat
then un-digests them and calls the Realm call to do its
work.

In the latter, we set the digest attribute to sha or
md5 in the Realm directive in server.xml. This does
not affect how the passwords are transmitted from the
user's browser to Tomcat. The Realm implementation
computes the digest of the password and compares it
with the digested version..

Am I on the right track here?

/s
--- PELOQUIN,JEFFREY (HP-Boise,ex1)
[EMAIL PROTECTED] wrote:
 When you switched to Digest mode did you convert the
 original clear text
 passwords to the digest format you wish to use?
 

RE: REPOST: Tomcat 4.1.18: Digest authentication not working?

2003-01-06 Thread Sam Ewing

On the same issue... does using DIGEST Authentication
work when the password itself is stored in digest
form?

I wasn't able to get it to work...

/s


RE: REPOST: Tomcat 4.1.18: Digest authentication not working?

2003-01-06 Thread KUMAR,PANKAJ (HP-Cupertino,ex1)
 -Original Message-
 From: Sam Ewing [mailto:[EMAIL PROTECTED]]
 
 
 On the same issue... does using DIGEST Authentication
 work when the password itself is stored in digest
 form?

No, it doesn't. I tried with MD5 digested passwords ( set digest attribute
of Realm element to MD5 and changed tomcat-users.xml password with the one
generated by java org.apache.catalina.realm.RealmBase -s MD5 password).
Works for BASIC authentication, but not for DIGEST.

And yes, you are absolutely right that digested passwords are not the same
thing as DIGEST authentication. The former helps in not having cleartext
password stored in a file, whereas the latter helps in not transmitting
cleartext password over the network. And the internal mechanisms are very
different. Look at RFC2617 for details of DIGEST authentication.

Either there is some setup that I am missing or it hasn't been tested at
all (unlikely) or got broken in 4.1.18 or earlier.

 
 I wasnt able to get it to work...

That makes it two of us.

/Pankaj.
 
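
The difference discussed above between storing a digested password and using DIGEST authentication, as an added example that is not part of the original thread and is not Tomcat's code: it computes the RFC 2617 request-digest and shows that a server can check it from the cleartext password or from a stored MD5(username:realm:password), but not from a stored MD5(password). The username, realm, uri, nonce and cnonce are taken from the captured exchange; the password, the nc value and all function names are constructed for illustration.

```python
"""RFC 2617 digest check against three ways a realm might store a credential."""
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # A1 = username ":" realm ":" password  (RFC 2617, section 3.2.2.2)
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc=None, cnonce=None, qop=None):
    ha2 = md5_hex(f"{method}:{uri}")              # A2 = method ":" uri for qop=auth
    if qop is None:                               # RFC 2069 compatibility form
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: (quoted or bare) for key, quoted, bare in _PARAM.findall(rest)}


def verify(params, method, stored, stored_as):
    """stored_as is 'cleartext', 'ha1' (MD5 of user:realm:password)
    or 'md5_password' (MD5 of the password alone)."""
    if stored_as == "cleartext":
        secret = ha1(params["username"], params["realm"], stored)
    elif stored_as == "ha1":
        secret = stored                           # already the value the client hashes
    elif stored_as == "md5_password":
        # The cleartext cannot be recovered from MD5(password); the only
        # option is to use the stored digest in place of the password, which
        # yields a different HA1 from the one the browser computed.
        secret = ha1(params["username"], params["realm"], stored)
    else:
        raise ValueError(f"unknown storage form: {stored_as}")
    expected = digest_response(secret, method, params["uri"], params["nonce"],
                               params.get("nc"), params.get("cnonce"),
                               params.get("qop"))
    return hmac.compare_digest(expected, params["response"])


# Values from the captured exchange in the thread.
USER, REALM, URI = "pankaj", "Tomcat Manager Application", "/manager/html"
NONCE = "bf3c8fa05f1260f6a9d4299d3b882339"
CNONCE = "f7710dc1f6683517f0dd8dfd957a50bc"
# Constructed values: the thread does not give the password, and nc is
# written here in the 8-hex-digit form RFC 2617 specifies.
PASSWORD = "s3cret-example"
NC = "00000001"


def client_header(password):
    """Build the Authorization header a browser would send for this challenge."""
    response = digest_response(ha1(USER, REALM, password), "GET", URI,
                               NONCE, NC, CNONCE, "auth")
    return (f'Digest username="{USER}", realm="{REALM}", qop=auth, '
            f'algorithm=MD5, uri="{URI}", nonce="{NONCE}", nc={NC}, '
            f'cnonce="{CNONCE}", response="{response}"')


def demo():
    params = parse_authorization(client_header(PASSWORD))
    return {
        "cleartext": verify(params, "GET", PASSWORD, "cleartext"),
        "ha1": verify(params, "GET", ha1(USER, REALM, PASSWORD), "ha1"),
        "md5_password": verify(params, "GET", md5_hex(PASSWORD), "md5_password"),
    }


if __name__ == "__main__":
    for storage, ok in demo().items():
        print(f"{storage:13s} -> {'authenticated' if ok else '401'}")
```
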

Tomcat 4.1.18: Digest authentication not working?

2003-01-05 Thread KUMAR,PANKAJ (HP-Cupertino,ex1)
Hi,

I am a relative newbie to Tomcat.

The manager application works with BASIC authentication (default
configuration), after making appropriate user and role entries in
conf/tomcat-users.xml file.

However, when I change BASIC to DIGEST as shown below:
Default web.xml for manager:
...
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
...
Modified web.xml for manager:
...
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
...

It doesn't work. I get the login prompt in my browser ( I tried both IE6.0
and Netscape 7.0 ) with the right realm string, but after entering the user
name and the password, the prompt appears again.

I am appending the HTTP dump (captured using a home grown interceptor tool
):
=
[HTTP] C -- S (370 bytes)
GET /manager/html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-
powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwav
e-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: localhost:8079
Connection: Keep-Alive

[HTTP] C -- S (412 bytes)
HTTP/1.1 401 Unauthorized
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
WWW-Authenticate: Digest realm=Tomcat Manager Application, qop=auth, nonce=bf3c8fa05f1260f6a9d4299d3b882339, opaque=03758823e3b14892bb4dc34ef834fa13
Content-Type: text/html
Content-Language: en-US
Transfer-Encoding: chunked
Date: Sun, 05 Jan 2003 08:49:24 GMT
Server: Apache Coyote/1.0

[HTTP] C -- S (5 bytes)
2ad
[HTTP] C -- S (685 bytes)
htmlheadtitleApache Tomcat/4.1.18-LE-jdk14 - Error
report/titleSTYLE!
--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color :
#008
6b2;} H3{font-family : sans-serif,Arial,Tahoma;color :
white;background-color :
#0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color :
black;background-co
lor : white;} B{color : white;background-color : #0086b2;} HR{color :
#0086b2;}
--/STYLE /headbodyh1HTTP Status 401 - /h1HR size=1
noshadepbt
ype/b Status report/ppbmessage/b u/u/ppbdescription/b
uT
his request requires HTTP authentication ()./u/pHR size=1
noshadeh3Apa
che Tomcat/4.1.18-LE-jdk14/h3/body/html
[HTTP] C -- S (2 bytes)

[HTTP] C -- S (5 bytes)
0

[HTTP] C -- S (683 bytes)
GET /manager/html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-
powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwav
e-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: localhost:8079
Connection: Keep-Alive
Authorization: Digest username=pankaj, realm=Tomcat Manager Application, qop=auth, algorithm=MD5, uri=/manager/html, nonce=bf3c8fa05f1260f6a9d4299d3b882339, nc=0001, cnonce=f7710dc1f6683517f0dd8dfd957a50bc, opaque=03758823e3b14892bb4dc34ef834fa13, response=8d3c122778ae3d95564f61a2238c8f51

[HTTP] C -- S (412 bytes)
HTTP/1.1 401 Unauthorized
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
WWW-Authenticate: Digest realm=Tomcat Manager Application, qop=auth, nonce=d13c9c9d094919b14030f3bff72edc6b, opaque=bd29cf774ee39e6a3cc1c396293be208
Content-Type: text/html
Content-Language: en-US
Transfer-Encoding: chunked
Date: Sun, 05 Jan 2003 08:49:34 GMT
Server: Apache Coyote/1.0

[HTTP] C -- S (697 bytes)
2ad
htmlheadtitleApache Tomcat/4.1.18-LE-jdk14 - Error
report/titleSTYLE!
--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color :
#008
6b2;} H3{font-family : sans-serif,Arial,Tahoma;color :
white;background-color :
#0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color :
black;background-co
lor : white;} B{color : white;background-color : #0086b2;} HR{color :
#0086b2;}
--/STYLE /headbodyh1HTTP Status 401 - /h1HR size=1
noshadepbt
ype/b Status report/ppbmessage/b u/u/ppbdescription/b
uT
his request requires HTTP authentication ()./u/pHR size=1
noshadeh3Apa
che Tomcat/4.1.18-LE-jdk14/h3/body/html
0
=
Any help would be most appreciated.

/Pankaj Kumar
Home Page: http://www.pankaj-k.net
Web Log: http://www.pankaj-k.net/weblog





RES: Digest authentication with JDBCRealm: doesn't seems to work

2002-11-08 Thread Iran Marcius
I did it and worked, but what I'm trying to do is authentication using 

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

with JDBCRealm using digest=SHA.

Is it possible?

iran

-Original Message-
From: Koes, Derrick [mailto:Derrick.Koes;smith-nephew.com]
Sent: Thursday, November 7, 2002 16:53
To: 'Tomcat Users List'
Subject: RE: Digest authentication with JDBCRealm: doesn't seems to work


Change

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

to

<login-config>
<auth-method>BASIC</auth-method>
</login-config>


-Original Message-
From: Iran Marcius [mailto:iran;isic.com.br] 
Sent: Thursday, November 07, 2002 1:29 PM
To: [EMAIL PROTECTED]
Subject: Digest authentication with JDBCRealm: doesn't seems to work

Hi.

I'm trying to use digest authentication with JDBCRealm and SHA
algorithm, but it doesn't seems to work.

Here is my context:

<Context docBase="permission" path="/permission" reloadable="true"
privileged="true">
<ResourceLink name="jdbc/global" global="jdbc/global"
type="javax.sql.DataSource"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="SHA"
connectionURL="jdbc:postgresql://testhost/global"
connectionName="global" connectionPassword="password"
userTable="users" userRoleTable="user_role"
userNameCol="username" userCredCol="password"
roleNameCol="rolename"/>
</Context>

And here is my relevant lines in web.xml:

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

When I use BASIC method, as a lot of people wrote before, everything
works fine, but with DIGEST method I can't authenticate.

I tried to turn off digest parameter in server.xml, but didn't work. I
tried so set a plain password in my user table. Didn't work too. So,
I've tried a lot of combinations without success.

Is there someone who did it before?

iran










RES: RE-POST RE: digest authentication or auth-methodDIGEST/auth-method

2002-11-08 Thread Iran Marcius
Let me see if I understood.

What you are saying to me is the browser is sending an encrypted
password to the servlet engine, which is trying to encrypt the password
received again because of my 'digest=SHA'?

I remove digest parameter in realm configuration before and didn't work,
but I really don't know which algorithm is being used when I select
DIGEST in auth-method. I'll try to change it to MD5.

Thanx.

iran

-Original Message-
From: Koes, Derrick [mailto:Derrick.Koes;smith-nephew.com]
Sent: Thursday, November 7, 2002 16:54
To: 'Tomcat Users List'
Subject: RE-POST RE: digest authentication or
auth-methodDIGEST/auth-method




-Original Message-
From: Koes, Derrick 
Sent: Tuesday, November 05, 2002 6:43 PM
To: 'Tomcat Users List'
Subject: RE: digest authentication or auth-methodDIGEST/auth-method


I think what is really happening is that the realm is handling the digesting
to do the password match.  Setting auth-method to DIGEST probably tries to
handle encryption up front, not delaying it until (plain text until then)
the realm code.  What encryption algorithm is used if you select
auth-method DIGEST?  What if all your passwords are SHA-1?

Derrick


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com] 
Sent: Tuesday, November 05, 2002 6:25 PM
To: Tomcat Users List
Subject: RE: digest authentication or auth-methodDIGEST/auth-method


Jake,

Because tomcat-users.xml only contains the digested password (it does not
contain the string "password") and I am able to authenticate by entering the
password "password" into IE's dialog box, I assume that the digested
password is being sent. What surprised me was that web.xml's auth-method
needed to be set to BASIC, not DIGEST. That said, I do not see much
advantage in using digest authentication over basic authentication.

Frank



 

From: Jacob Kjome [EMAIL PROTECTED]
Sent: 11/05/2002 04:18 PM
To: Tomcat Users List [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or auth-methodDIGEST/auth-method
Please respond to Tomcat Users List

 

 






Am I missing something?  If you use BASIC auth, wouldn't your password now
be completely plain text or are you sending your MD5 hashed password
instead of "password".  I guess if that is the case then your password
would be safe, but who can remember a password such as
5f4dcc3b5aa765d61d8327deb882cf99.  There's got to be a better way to set
things up than that.

Jake

At 03:25 PM 11/5/2002 -0500, you wrote:

Derrick,

You are correct. Is this a bug or is this the way it is supposed to work?
Thanks!

Frank





From: Koes, Derrick Derrick.Koes@smith-nephew.com
Sent: 11/05/2002 01:29 PM
To: 'Tomcat Users List' [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or auth-methodDIGEST/auth-method
Please respond to Tomcat Users List











Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com]
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or auth-methodDIGEST/auth-method

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml
contains:

   <Realm className = "org.apache.catalina.realm.MemoryRealm"
          pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
 <display-name>My Application</display-name>
 <description>My Application</description>
 <servlet-mapping>
 <servlet-name>invoker</servlet-name>
 <url-pattern>/servlet/*</url-pattern>
 </servlet-mapping>
 <security-constraint>
 <web-resource-collection>
 <web-resource-name>My Application</web-resource-name>
 <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
 <role-name>myapp</role-name>
 </auth-constraint>
 </security-constraint>
 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>My Application</realm-name>
 </login-config>
 <security-role>
 <role-name>myapp</role-name>
 </security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

   Realm className

Digest authentication with JDBCRealm: doesn't seems to work

2002-11-07 Thread Iran Marcius
Hi.

I'm trying to use digest authentication with JDBCRealm and SHA
algorithm, but it doesn't seems to work.

Here is my context:

<Context docBase="permission" path="/permission" reloadable="true"
privileged="true">
<ResourceLink name="jdbc/global" global="jdbc/global"
type="javax.sql.DataSource"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="SHA"
connectionURL="jdbc:postgresql://testhost/global"
connectionName="global" connectionPassword="password"
userTable="users" userRoleTable="user_role"
userNameCol="username" userCredCol="password"
roleNameCol="rolename"/>
</Context>

And here is my relevant lines in web.xml:

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

When I use BASIC method, as a lot of people wrote before, everything
works fine, but with DIGEST method I can't authenticate.

I tried to turn off digest parameter in server.xml, but didn't work. I
tried so set a plain password in my user table. Didn't work too. So,
I've tried a lot of combinations without success.

Is there someone who did it before?

iran






RE: Digest authentication with JDBCRealm: doesn't seems to work

2002-11-07 Thread Koes, Derrick
Change

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

to

<login-config>
<auth-method>BASIC</auth-method>
</login-config>


-Original Message-
From: Iran Marcius [mailto:iran;isic.com.br] 
Sent: Thursday, November 07, 2002 1:29 PM
To: [EMAIL PROTECTED]
Subject: Digest authentication with JDBCRealm: doesn't seems to work

Hi.

I'm trying to use digest authentication with JDBCRealm and SHA
algorithm, but it doesn't seems to work.

Here is my context:

<Context docBase="permission" path="/permission" reloadable="true"
privileged="true">
<ResourceLink name="jdbc/global" global="jdbc/global"
type="javax.sql.DataSource"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="SHA"
connectionURL="jdbc:postgresql://testhost/global"
connectionName="global" connectionPassword="password"
userTable="users" userRoleTable="user_role"
userNameCol="username" userCredCol="password"
roleNameCol="rolename"/>
</Context>

And here is my relevant lines in web.xml:

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

When I use BASIC method, as a lot of people wrote before, everything
works fine, but with DIGEST method I can't authenticate.

I tried to turn off digest parameter in server.xml, but didn't work. I
tried so set a plain password in my user table. Didn't work too. So,
I've tried a lot of combinations without success.

Is there someone who did it before?

iran






RE-POST RE: digest authentication or auth-methodDIGEST/auth-method

2002-11-07 Thread Koes, Derrick


-Original Message-
From: Koes, Derrick 
Sent: Tuesday, November 05, 2002 6:43 PM
To: 'Tomcat Users List'
Subject: RE: digest authentication or auth-methodDIGEST/auth-method


I think what is really happening is that the realm is handling the digesting
to do the password match.  Setting auth-method to DIGEST probably tries to
handle encryption up front, not delaying it until (plain text until then)
the realm code.  What encryption algorithm is used if you select
auth-method DIGEST?  What if all your passwords are SHA-1?

Derrick


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com] 
Sent: Tuesday, November 05, 2002 6:25 PM
To: Tomcat Users List
Subject: RE: digest authentication or auth-methodDIGEST/auth-method


Jake,

Because tomcat-users.xml only contains the digested password (it does not
contain the string "password") and I am able to authenticate by entering the
password "password" into IE's dialog box, I assume that the digested
password is being sent. What surprised me was that web.xml's auth-method
needed to be set to BASIC, not DIGEST. That said, I do not see much
advantage in using digest authentication over basic authentication.

Frank



 

From: Jacob Kjome [EMAIL PROTECTED]
Sent: 11/05/2002 04:18 PM
To: Tomcat Users List [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or auth-methodDIGEST/auth-method
Please respond to Tomcat Users List

 

 






Am I missing something?  If you use BASIC auth, wouldn't your password now
be completely plain text or are you sending your MD5 hashed password
instead of "password".  I guess if that is the case then your password
would be safe, but who can remember a password such as
5f4dcc3b5aa765d61d8327deb882cf99.  There's got to be a better way to set
things up than that.

Jake

At 03:25 PM 11/5/2002 -0500, you wrote:

Derrick,

You are correct. Is this a bug or is this the way it is supposed to work?
Thanks!

Frank





From: Koes, Derrick Derrick.Koes@smith-nephew.com
Sent: 11/05/2002 01:29 PM
To: 'Tomcat Users List' [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or auth-methodDIGEST/auth-method
Please respond to Tomcat Users List











Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com]
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or auth-methodDIGEST/auth-method

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml contains:

   <Realm className = "org.apache.catalina.realm.MemoryRealm"
          pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
 <display-name>My Application</display-name>
 <description>My Application</description>
 <servlet-mapping>
 <servlet-name>invoker</servlet-name>
 <url-pattern>/servlet/*</url-pattern>
 </servlet-mapping>
 <security-constraint>
 <web-resource-collection>
 <web-resource-name>My Application</web-resource-name>
 <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
 <role-name>myapp</role-name>
 </auth-constraint>
 </security-constraint>
 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>My Application</realm-name>
 </login-config>
 <security-role>
 <role-name>myapp</role-name>
 </security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

   <Realm className = "org.apache.catalina.realm.MemoryRealm"
          digest    = "MD5"
          pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
roles="myapp"/>

I used the following command to MD5 digest the password "password" [without
the double quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
password:5f4dcc3b5aa765d61d8327deb882cf99

myapp/WEB-INF/web.xml contains:

<web-app>
 <display-name>My Application</display-name>
 <description>My Application</description>
 <servlet-mapping>
 <servlet-name>invoker</servlet-name>

Digest authentication with JDBCRealm: doesn't seems to work

2002-11-06 Thread Iran Marcius
Hi.

I'm trying to do a digest authentication using a JDBCRealm with SHA
digest.

Here is my context:

<Context docBase="permission" path="/permission" reloadable="true"
privileged="true">
<ResourceLink name="jdbc/global" global="jdbc/global"
type="javax.sql.DataSource"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="SHA"
connectionURL="jdbc:postgresql://testhost/global"
connectionName="global" connectionPassword="password"
userTable="users" userRoleTable="user_role"
userNameCol="username" userCredCol="password"
roleNameCol="rolename"/>
</Context>

And here is my relevant lines in web.xml:

<login-config>
<auth-method>DIGEST</auth-method>
</login-config>

When I use the BASIC method, as a lot of people wrote before, everything
works fine, but with DIGEST method I can't authenticate.

I tried to turn off my digest configuration in server.xml, but didn't
work. I tried so set a plain password in my user table. Didn't work too.
So, I've tried a lot of combinations without success.

Someone can help me?

iran






RE: digest authentication or auth-methodDIGEST/auth-method

2002-11-05 Thread Koes, Derrick


Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com] 
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or auth-methodDIGEST/auth-method

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml contains:

  <Realm className = "org.apache.catalina.realm.MemoryRealm"
         pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
<display-name>My Application</display-name>
<description>My Application</description>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myapp</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>My Application</realm-name>
</login-config>
<security-role>
<role-name>myapp</role-name>
</security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

  <Realm className = "org.apache.catalina.realm.MemoryRealm"
         digest    = "MD5"
         pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
roles="myapp"/>

I used the following command to MD5 digest the password "password" [without
the double quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
password:5f4dcc3b5aa765d61d8327deb882cf99

myapp/WEB-INF/web.xml contains:

<web-app>
<display-name>My Application</display-name>
<description>My Application</description>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myapp</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>

<!--
The memory realm defined in /conf/server.xml contains no name. Does the
realm-name value refer to some other configuration value.
-->

<realm-name>My Application</realm-name>
</login-config>
<security-role>
<role-name>myapp</role-name>
</security-role>
</web-app>

If I enter the user name and password "frank" and "password" into IE,
authentication fails. But if I enter "frank" and
"5f4dcc3b5aa765d61d8327deb882cf99", authentication succeeds. I expected
"frank" and "password" to work.

The log file for myapp shows the following:

2002-11-04 17:51:40 WebappLoader[/myapp]: Deploying class repositories to
work directory C:\jakarta-tomcat-4.1.12\work\Standalone\localhost\myapp
2002-11-04 17:51:40 WebappLoader[/myapp]: Deploy class files
/WEB-INF/classes to
C:\jakarta-tomcat-4.1.12\bin\..\webapps\myapp\WEB-INF\classes
2002-11-04 17:51:40 WebappLoader[/myapp]: Reloading checks are enabled for
this Context
2002-11-04 17:51:41 ContextConfig[/myapp]: Configured an authenticator for
method DIGEST
2002-11-04 17:51:41 StandardManager[/myapp]: Seeding random number generator
class java.security.SecureRandom
2002-11-04 17:51:41 StandardManager[/myapp]: Seeding of random number
generator has been completed
2002-11-04 17:51:41 StandardWrapper[/myapp:default]: Loading container
servlet default
2002-11-04 17:51:41 StandardWrapper[/myapp:invoker]: Loading container
servlet invoker

Am I doing something wrong? Do I not understand digest authentication? Any
ideas? Thanks.

Frank



RE: digest authentication or auth-methodDIGEST/auth-method

2002-11-05 Thread Frank Balluffi

Derrick,

You are correct. Is this a bug or is this the way it is supposed to work? Thanks!

Frank



   
   
From: Koes, Derrick Derrick.Koes@smith-nephew.com
Sent: 11/05/2002 01:29 PM
To: 'Tomcat Users List' [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or auth-methodDIGEST/auth-method
Please respond to Tomcat Users List
   
   
   
   
   






Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com]
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or auth-methodDIGEST/auth-method

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml contains:

  <Realm className = "org.apache.catalina.realm.MemoryRealm"
         pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
<display-name>My Application</display-name>
<description>My Application</description>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myapp</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>My Application</realm-name>
</login-config>
<security-role>
<role-name>myapp</role-name>
</security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

  <Realm className = "org.apache.catalina.realm.MemoryRealm"
         digest    = "MD5"
         pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
roles="myapp"/>

I used the following command to MD5 digest the password "password" [without
the double quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
password:5f4dcc3b5aa765d61d8327deb882cf99

myapp/WEB-INF/web.xml contains:

<web-app>
<display-name>My Application</display-name>
<description>My Application</description>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myapp</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>

<!--
The memory realm defined in /conf/server.xml contains no name. Does the
realm-name value refer to some other configuration value.
-->

<realm-name>My Application</realm-name>
</login-config>
<security-role>
<role-name>myapp</role-name>
</security-role>
</web-app>

If I enter the user name and password "frank" and "password" into IE,
authentication fails. But if I enter "frank" and
"5f4dcc3b5aa765d61d8327deb882cf99", authentication succeeds. I expected
"frank" and "password" to work.

The log file for myapp shows the following:

2002-11-04 17:51:40 WebappLoader[/myapp]: Deploying class repositories to
work directory C:\jakarta-tomcat-4.1.12\work\Standalone\localhost\myapp
2002-11-04 17:51:40 WebappLoader[/myapp]: Deploy class files
/WEB-INF/classes

RE: digest authentication or auth-methodDIGEST/auth-method

2002-11-05 Thread Jacob Kjome

Am I missing something?  If you use BASIC auth, wouldn't your password now
be completely plain text or are you sending your MD5 hashed password
instead of "password".  I guess if that is the case then your password
would be safe, but who can remember a password such as
5f4dcc3b5aa765d61d8327deb882cf99.  There's got to be a better way to set
things up than that.

Jake

At 03:25 PM 11/5/2002 -0500, you wrote:

Derrick,

You are correct. Is this a bug or is this the way it is supposed to work? 
Thanks!

Frank





From: Koes, Derrick Derrick.Koes@smith-nephew.com
Sent: 11/05/2002 01:29 PM
To: 'Tomcat Users List' [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or auth-methodDIGEST/auth-method
Please respond to Tomcat Users List











Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com]
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or auth-methodDIGEST/auth-method

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml contains:

  <Realm className = "org.apache.catalina.realm.MemoryRealm"
         pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
<display-name>My Application</display-name>
<description>My Application</description>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myapp</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>My Application</realm-name>
</login-config>
<security-role>
<role-name>myapp</role-name>
</security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

  <Realm className = "org.apache.catalina.realm.MemoryRealm"
         digest    = "MD5"
         pathname  = "conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
roles="myapp"/>

I used the following command to MD5 digest the password "password" [without
the double quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
password:5f4dcc3b5aa765d61d8327deb882cf99

myapp/WEB-INF/web.xml contains:

<web-app>
<display-name>My Application</display-name>
<description>My Application</description>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myapp</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>

<!--
The memory realm defined in /conf/server.xml contains no name. Does the
realm-name value refer to some other configuration value.
-->

<realm-name>My Application</realm-name>
</login-config>
<security-role>
<role-name>myapp</role-name>
</security-role>
</web-app>

If I enter the user name and password "frank" and "password" into IE,
authentication fails. But if I enter "frank" and
"5f4dcc3b5aa765d61d8327deb882cf99", authentication succeeds. I expected
"frank" and "password" to work.

The log file for myapp shows the following:

2002-11-04 17:51:40 WebappLoader[/myapp]: Deploying class repositories to
work directory C:\jakarta-tomcat-4.1.12\work\Standalone\localhost\myapp
2002-11-04 17:51:40 WebappLoader[/myapp]: Deploy class files
/WEB-INF/classes to
C:\jakarta-tomcat-4.1.12\bin\..\webapps\myapp\WEB-INF\classes
2002-11-04 17:51:40 WebappLoader[/myapp]: Reloading checks are enabled for
this Context
2002-11-04 17:51:41 ContextConfig[/myapp]: Configured an authenticator for
method DIGEST
2002-11-04 17:51:41 StandardManager[/myapp]: Seeding random number generator
class java.security.SecureRandom
2002-11-04 17:51:41 StandardManager[/myapp]: Seeding of random number
generator has been completed
2002-11-04 17:51:41 StandardWrapper[/myapp:default

RE: digest authentication or <auth-method>DIGEST</auth-method>

2002-11-05 Thread Frank Balluffi

Jake,

Because tomcat-users.xml only contains the digested password (it does not contain the
string "password") and I am able to authenticate by entering the password "password"
into IE's dialog box, I assume that the digested password is being sent. What
surprised me was that web.xml's auth-method needed to be set to BASIC, not DIGEST. 
That said, I do not see much advantage in using digest authentication over basic 
authentication.

Frank



   

Jacob Kjome [EMAIL PROTECTED]
11/05/2002 04:18 PM
Please respond to Tomcat Users List

To: Tomcat Users List [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>

Am I missing something?  If you use BASIC auth, wouldn't your password now
be completely plain text or are you sending your MD5 hashed password
instead of "password".  I guess if that is the case then your password
would be safe, but who can remember a password such as
5f4dcc3b5aa765d61d8327deb882cf99.  There's got to be a better way to set
things up than that.

Jake

At 03:25 PM 11/5/2002 -0500, you wrote:

Derrick,

You are correct. Is this a bug or is this the way it is supposed to work?
Thanks!

Frank





Koes, Derrick Derrick.Koes@smith-nephew.com
11/05/2002 01:29 PM
Please respond to Tomcat Users List

To: 'Tomcat Users List' [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>

Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com]
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or <auth-method>DIGEST</auth-method>

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml contains:

   <Realm className="org.apache.catalina.realm.MemoryRealm"
          pathname="conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
  <display-name>My Application</display-name>
  <description>My Application</description>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application</realm-name>
  </login-config>
  <security-role>
    <role-name>myapp</role-name>
  </security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

   <Realm className="org.apache.catalina.realm.MemoryRealm"
          digest="MD5"
          pathname="conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
         roles="myapp"/>

I used the following command to MD5 digest the password "password" [without
the double quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase

RE: digest authentication or <auth-method>DIGEST</auth-method>

2002-11-05 Thread Koes, Derrick

I think what is really happening is that the realm is handling the digesting
to do the password match.  Setting auth-method to DIGEST probably tries to
handle encryption up front, not delaying it until (plain text until then)
the realm code.  What encryption algorithm is used if you select
auth-method DIGEST?  What if all your passwords are SHA-1?

Derrick


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com] 
Sent: Tuesday, November 05, 2002 6:25 PM
To: Tomcat Users List
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>


Jake,

Because tomcat-users.xml only contains the digested password (it does not
contain the string "password") and I am able to authenticate by entering the
password "password" into IE's dialog box, I assume that the digested
password is being sent. What surprised me was that web.xml's auth-method
needed to be set to BASIC, not DIGEST. That said, I do not see much
advantage in using digest authentication over basic authentication.

Frank



 

Jacob Kjome [EMAIL PROTECTED]
11/05/2002 04:18 PM
Please respond to Tomcat Users List

To: Tomcat Users List [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>

Am I missing something?  If you use BASIC auth, wouldn't your password now
be completely plain text or are you sending your MD5 hashed password
instead of "password".  I guess if that is the case then your password
would be safe, but who can remember a password such as
5f4dcc3b5aa765d61d8327deb882cf99.  There's got to be a better way to set
things up than that.

Jake

At 03:25 PM 11/5/2002 -0500, you wrote:

Derrick,

You are correct. Is this a bug or is this the way it is supposed to work?
Thanks!

Frank





Koes, Derrick Derrick.Koes@smith-nephew.com
11/05/2002 01:29 PM
Please respond to Tomcat Users List

To: 'Tomcat Users List' [EMAIL PROTECTED]
cc:
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>

Leave the auth-method in the web.xml as BASIC.


-Original Message-
From: Frank Balluffi [mailto:frank.balluffi;db.com]
Sent: Monday, November 04, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: digest authentication or <auth-method>DIGEST</auth-method>

I am able to successfully configure Tomcat 4.1.12 to use basic
authentication and access a servlet from IE 5.5. conf/server.xml contains:

   <Realm className="org.apache.catalina.realm.MemoryRealm"
          pathname="conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
  <display-name>My Application</display-name>
  <description>My Application</description>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application</realm-name>
  </login-config>
  <security-role>
    <role-name>myapp</role-name>
  </security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and
"password" and the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart
Tomcat), weird things happen. conf/server.xml contains:

   <Realm className="org.apache.catalina.realm.MemoryRealm"
          digest="MD5"
          pathname="conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

   <role rolename="myapp"/>
   <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
         roles="myapp"/>

I used the following command to MD5 digest the password "password" [without
the double quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
password:5f4dcc3b5aa765d61d8327deb882cf99

myapp/WEB-INF/web.xml contains:

<web-app>
  <display-name>My Application</display-name>
  <description>My Application</description>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Application</web-resource-name>

digest authentication or <auth-method>DIGEST</auth-method>

2002-11-04 Thread Frank Balluffi
I am able to successfully configure Tomcat 4.1.12 to use basic authentication and
access a servlet from IE 5.5. conf/server.xml contains:

  <Realm className="org.apache.catalina.realm.MemoryRealm"
         pathname="conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="password" roles="myapp"/>

myapp/WEB-INF/web.xml contains:

<web-app>
  <display-name>My Application</display-name>
  <description>My Application</description>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application</realm-name>
  </login-config>
  <security-role>
    <role-name>myapp</role-name>
  </security-role>
</web-app>

When IE prompts me for the user name and password, I enter "frank" and "password" and
the servlet successfully runs.

When I attempt to configure Tomcat to use digest authentication (and restart Tomcat),
weird things happen. conf/server.xml contains:

  <Realm className="org.apache.catalina.realm.MemoryRealm"
         digest="MD5"
         pathname="conf/tomcat-users.xml" />

conf/tomcat-users.xml contains:

  <role rolename="myapp"/>
  <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99" roles="myapp"/>

I used the following command to MD5 digest the password "password" [without the double
quotes]:

C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
password:5f4dcc3b5aa765d61d8327deb882cf99

myapp/WEB-INF/web.xml contains:

<web-app>
  <display-name>My Application</display-name>
  <description>My Application</description>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myapp</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>

    <!--
    The memory realm defined in /conf/server.xml contains no name. Does the
    realm-name value refer to some other configuration value.
    -->

    <realm-name>My Application</realm-name>
  </login-config>
  <security-role>
    <role-name>myapp</role-name>
  </security-role>
</web-app>

If I enter the user name and password "frank" and "password" into IE, authentication
fails. But if I enter "frank" and "5f4dcc3b5aa765d61d8327deb882cf99", authentication
succeeds. I expected "frank" and "password" to work.

The log file for myapp shows the following:

2002-11-04 17:51:40 WebappLoader[/myapp]: Deploying class repositories to work 
directory C:\jakarta-tomcat-4.1.12\work\Standalone\localhost\myapp
2002-11-04 17:51:40 WebappLoader[/myapp]: Deploy class files /WEB-INF/classes to 
C:\jakarta-tomcat-4.1.12\bin\..\webapps\myapp\WEB-INF\classes
2002-11-04 17:51:40 WebappLoader[/myapp]: Reloading checks are enabled for this Context
2002-11-04 17:51:41 ContextConfig[/myapp]: Configured an authenticator for method 
DIGEST
2002-11-04 17:51:41 StandardManager[/myapp]: Seeding random number generator class 
java.security.SecureRandom
2002-11-04 17:51:41 StandardManager[/myapp]: Seeding of random number generator has 
been completed
2002-11-04 17:51:41 StandardWrapper[/myapp:default]: Loading container servlet default
2002-11-04 17:51:41 StandardWrapper[/myapp:invoker]: Loading container servlet invoker

Am I doing something wrong? Do I not understand digest authentication? Any ideas? 
Thanks.

Frank






HTTP Digest authentication and Tomcat 4.0.2

2002-07-10 Thread sebastien . petrucci

Hi Folks,

I'm trying to setup a web app protected with an http digest 
authentication. Everything looks fine, except that Tomcat behaves like my 
username/password were always wrong.
I tested it against the following clients (supporting digest auth of 
course) :
- Opera 6.0
- Internet Explorer 5.5
- Espial http stack (java http stack)
It fails with all my clients.
In order to be sure that the problem was coming from Tomcat, I also set an 
Apache 2.0.36 server with mod_auth_digest. And it worked with all clients 
!

The strange thing is that I did not find any message on the web about a 
bug in the digest auth.

Am I missing something ??? Did anyone already used that feature ?

Best regards,
Sebastien.


DIGEST authentication problem

2002-05-29 Thread Kallos Andrei

Hello,

We have an authentication problem using Tomcat.
Briefly, we have set up a simple webapp with DIGEST
authentication. It works fine with IE5, but it fails
on Mozilla. We have also tested Mozilla on an Apache
Http server with DIGEST authentication, and it works!
So, we assume that there is something wrong with
Tomcat...
We have already looked up the mailing list but we've
found nothing yet. Could anyone help us?

Environment :
 Linux debian 2.2r5
 Tomcat 4.0.3
 Mozilla 0.9.9
 Apache 1.3.24

Thanks!
Andrei





Re: DIGEST authentication problem

2002-05-29 Thread Larry Meadors

Sorry, I cannot help you fix the problem, but I have some more info
related to it.
 
I ran across the same problem with Mozilla 0.9.9 on Redhat Linux 7.2,
but if I hit the same tomcat server from IE6 on Win2K, it works fine.
 
So, to me it looks like the problem may be specifically with Tomcat
4.0.3 and Mozilla 0.9.9:
This does not work:
  Client: MZ-0.9.9/RH-7.2
  Server: TC-4.0.3/RH-7.2
  Auth: DIGEST

This works:
  Client: IE-6/W-2K
  Server: TC-4.0.3/Either
  Auth: Either

This works:
  Client: MZ-0.9.9/RH-7.2
  Server: TC-4.0.3/RH-7.2
  Auth: BASIC

This works:
  Client: MZ-0.9.9/Deb-2.2r5
  Server: Apache 1.3.24/Deb-2.2r5
  Auth: DIGEST
 
Hope this helps...
 
Larry

 [EMAIL PROTECTED] 05/29/02 01:45AM 
Hello,

We have an authentication problem using Tomcat.
Briefly, we have set up a simple webapp with DIGEST
authentication. It works fine with IE5, but it fails
on Mozilla. We have also tested Mozilla on an Apache
Http server with DIGEST authentication, and it works!
So, we assume that there is something wrong with
Tomcat...
We have already looked up the mailing list but we've
found nothing yet. Could anyone help us?

Environment :
Linux debian 2.2r5
Tomcat 4.0.3
Mozilla 0.9.9
Apache 1.3.24










Digest authentication with Memory Realm

2002-05-14 Thread Shimon Crown

Using the default memory realm I have modified the Tomcat server.xml to
store the passwords encrypted as follows :

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />

This works fine.

For my tests I would also like to use digest authorization to transfer the
password over the wire. To do this I put the following in my web.xml file

<login-config>
  <auth-method>DIGEST</auth-method>
</login-config>

When I access the protected web page from a browser (Mozilla or IE5.5) I get
the appropriate login dialog box. However I can't log in from either
browser. What am I doing wrong.

Shimon Crown

(Note - I know that using memory realm isn't a great idea but it is useful
for the testing phase).






REPOST - Digest Authentication with Memory Realm

2002-05-14 Thread Shimon Crown

As nobody answered this question the first time around lets have another go !

Using the default memory realm I have modified the Tomcat server.xml to
store the passwords encrypted as follows :

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />

This works fine.

For my tests I would also like to use digest authorization to transfer the
password over the wire. To do this I put the following in my web.xml file

<login-config>
  <auth-method>DIGEST</auth-method>
</login-config>

When I access the protected web page from a browser (Mozilla or IE5.5) I get
the appropriate login dialog box. However I can't log in (access denied) from either
browser. What am I doing wrong ?

Shimon Crown

(Note - I know that using memory realm isn't a great idea but it is useful
for the testing phase).
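
Added example (not part of any post in this archive): the RFC 2617 computation behind the behaviour reported in the 2002-11-04 thread and in the post above, where a realm with digest=MD5 works under BASIC but logins fail under DIGEST. It assumes the server uses the stored realm value as the password when computing H(A1), which is consistent with the reported result that typing the 32-character hash succeeded; the nonce, cnonce and request URI are constructed.

```python
import hashlib
import hmac


def md5_hex(text):
    """Lower-case hex MD5 of a string, the form RFC 2617 uses throughout."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """H(A1) = MD5(username ":" realm ":" password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def request_digest(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """The "response" field for qop=auth (RFC 2617, section 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Taken from the posts: user name and the realm-name in web.xml.
USER, REALM = "frank", "My Application"
# Constructed for this example: server nonce, client nonce, request line.
NONCE, CNONCE, NC = "constructed-nonce-0001", "constructed-cnonce", "00000001"
METHOD, URI = "GET", "/myapp/servlet/Example"


def browser_request(typed_password):
    """Authorization fields a DIGEST client derives from what the user typed."""
    resp = request_digest(ha1(USER, REALM, typed_password),
                          METHOD, URI, NONCE, NC, CNONCE)
    return {"username": USER, "realm": REALM, "uri": URI, "nonce": NONCE,
            "nc": NC, "cnonce": CNONCE, "response": resp}


def digest_accepts(req, stored_value, stored_as):
    """Server side of DIGEST: recompute the response from the stored credential.

    stored_as="password": the stored value is fed into A1 as the password
                          (the assumption described in the lead-in).
    stored_as="ha1":      the stored value already is H(A1), the storage
                          form RFC 2617 section 4.13 describes.
    """
    if stored_as == "password":
        server_ha1 = ha1(req["username"], req["realm"], stored_value)
    elif stored_as == "ha1":
        server_ha1 = stored_value
    else:
        raise ValueError("stored_as must be 'password' or 'ha1'")
    expected = request_digest(server_ha1, METHOD, req["uri"], req["nonce"],
                              req["nc"], req["cnonce"])
    return hmac.compare_digest(expected, req["response"])


def basic_accepts(typed_password, stored_md5):
    """BASIC gives the server the cleartext, so it can hash it and compare."""
    return hmac.compare_digest(md5_hex(typed_password), stored_md5)


def scenarios():
    stored_md5 = md5_hex("password")            # value in tomcat-users.xml
    stored_ha1 = ha1(USER, REALM, "password")   # MD5("frank:My Application:password")
    return {
        "basic, MD5 store, typed password":
            basic_accepts("password", stored_md5),
        "digest, MD5 store, typed password":
            digest_accepts(browser_request("password"), stored_md5, "password"),
        "digest, MD5 store, typed the hash":
            digest_accepts(browser_request(stored_md5), stored_md5, "password"),
        "digest, cleartext store, typed password":
            digest_accepts(browser_request("password"), "password", "password"),
        "digest, H(A1) store, typed password":
            digest_accepts(browser_request("password"), stored_ha1, "ha1"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:42} -> {'accepted' if ok else 'rejected'}")
```

The realm's digest attribute describes how the credential is stored, while the DIGEST auth-method never sends the password at all, so the server can only verify a response if its stored value can reproduce H(A1).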




Digest authentication problem

2002-02-18 Thread Meurant , Gerald

Hi,

I have a tomcat server using a JNDI-Realm to authenticate against a LDAP
server. It works fine when using the BASIC authentication mode, but it
doesn't work when specifying the DIGEST authentication mode.
There's no error message in tomcat, neither in the LDAP server, so I used a
sniffer to watch the network traffic and the communication between the 2
servers : there's no communication !!
So I think the problem has its origin in tomcat. I post the realm
description of the server.xml (I replaced the lines that specified my ldap
server, the connection works in basic mode anyway) :

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
       connectionName="cn=administrador"
       connectionPassword="mypassword"
       connectionURL="ldap://myserver:389"
       roleBase="dc=roles,o=artic,c=es"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false"
       userPassword="userPassword"
       userPattern="cn={0},o=artic,c=es"
       digest="MD5"
/>

I would really appreciate any help, my searches on the net and in the doc are
not giving me any result. Is the realm descriptor correct ? Thanks.

Gerald.






RE: Digest authentication problem

2002-02-18 Thread Meurant , Gerald

I forgot to mention that it's a tomcat 4.01 .

-Original Message-
From: Meurant , Gerald [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 13:23
To: [EMAIL PROTECTED]
Subject: Digest authentication problem


Hi,

I have a tomcat server using a JNDI-Realm to authenticate against a LDAP
server. It works fine when using the BASIC authentication mode, but it
doesn´t work when specifying the DIGEST authentication mode.
There´s no error message in tomcat, neither in the LDAP server, so I used a
sniffer to watch the network traffic and the communication between the 2
servers : there´s no communication !!
So I think the problem has its origin in tomcat. I post the realm
description of the server.xml (I replaced the lines that specified my ldap
server, the connection works in basic mode anyway) : 

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
       connectionName="cn=administrador"
       connectionPassword="mypassword"
       connectionURL="ldap://myserver:389"
       roleBase="dc=roles,o=artic,c=es"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false"
       userPassword="userPassword"
       userPattern="cn={0},o=artic,c=es"
       digest="MD5"
/>

I would really apreciate any help, my searches on the net and in the doc are
not giving me any result. Is the realm descriptor correct ? Thanks.

Gerald.






Re: RE: Digest authentication problem

2002-02-18 Thread jay n gaba


hi
i am facing the same problem. there is a problem while using the digest authentication 
mode. it seems the password format return by ldap, in my case netscape directory
structure, is different than one used by the digest class of tomcat. netscape uses
base64 encoding while tomcat uses some hash functionality. so the authentication 
fails. 

solving this is in the to do list. if u wish there are 2 ways to solve it urself.
1. make changes to JNDIRealm class. 
2. binding user to ldap using bind authentication, which i am not very clear. I am 
trying to search on this.

regards
jay

ps: check previous mail archives for more details.

On Mon, 18 Feb 2002 Meurant , Gerald wrote :
 I forgot to mention that it´s a tomcat 4.01 .
 
 -Original Message-
 From: Meurant , Gerald [mailto:[EMAIL PROTECTED]
 .es]
 Sent: Monday, February 18, 2002 13:23
 To: [EMAIL PROTECTED]
 Subject: Digest authentication problem
 
 
 Hi,
 
 I have a tomcat server using a JNDI-Realm to 
 authenticate against a LDAP
 server. It works fine when using the BASIC 
 authentication mode, but it
 doesn´t work when specifying the DIGEST authentication 
 mode.
 There´s no error message in tomcat, neither in the LDAP 
 server, so I used a
 sniffer to watch the network traffic and the 
 communication between the 2
 servers : there´s no communication !!
 So I think the problem has its origin in tomcat. I post 
 the realm
 description of the server.xml (I replaced the lines 
 that specified my ldap
 server, the connection works in basic mode anyway) : 
 
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
        connectionName="cn=administrador"
        connectionPassword="mypassword"
        connectionURL="ldap://myserver:389"
        roleBase="dc=roles,o=artic,c=es"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        roleSubtree="false"
        userPassword="userPassword"
        userPattern="cn={0},o=artic,c=es"
        digest="MD5"
 />
 
 I would really apreciate any help, my searches on the 
 net and in the doc are
 not giving me any result. Is the realm descriptor 
 correct ? Thanks.
 
 Gerald.
 
 
 
 






RE: RE: Digest authentication problem

2002-02-18 Thread Meurant , Gerald

Thanks, I'll go the same way (now I don't know really how the bind
authentication can be done) ;)

-Original Message-
From: jay n gaba [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 15:51
To: Tomcat Users List
Subject: Re: RE: Digest authentication problem



hi
i am facing the same problem. there is a problem while using the digest
authentication mode. it seems the password format return by ldap,in my case
netscape directory structure, is different than one used by the digest class
of tomcat.netscape uses base64 encoding while tomcat uses some hash
functionality. so the authentication fails. 

solving this is in the to do list. if u wish there are 2 ways to solve it
urself.
1. make changes to JNDIRealm class. 
2. binding user to ldap using bind authentication, which i am not very
clear. I am trying to search on this.

regards
jay

ps: check previous mail archives for more details.

On Mon, 18 Feb 2002 Meurant , Gerald wrote :
 I forgot to mention that it´s a tomcat 4.01 .
 
 -Original Message-
 From: Meurant , Gerald [mailto:[EMAIL PROTECTED]
 .es]
 Sent: Monday, February 18, 2002 13:23
 To: [EMAIL PROTECTED]
 Subject: Digest authentication problem
 
 
 Hi,
 
 I have a tomcat server using a JNDI-Realm to 
 authenticate against a LDAP
 server. It works fine when using the BASIC 
 authentication mode, but it
 doesn´t work when specifying the DIGEST authentication 
 mode.
 There´s no error message in tomcat, neither in the LDAP 
 server, so I used a
 sniffer to watch the network traffic and the 
 communication between the 2
 servers : there´s no communication !!
 So I think the problem has its origin in tomcat. I post 
 the realm
 description of the server.xml (I replaced the lines 
 that specified my ldap
 server, the connection works in basic mode anyway) : 
 
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
        connectionName="cn=administrador"
        connectionPassword="mypassword"
        connectionURL="ldap://myserver:389"
        roleBase="dc=roles,o=artic,c=es"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        roleSubtree="false"
        userPassword="userPassword"
        userPattern="cn={0},o=artic,c=es"
        digest="MD5"
 />
 
 I would really apreciate any help, my searches on the 
 net and in the doc are
 not giving me any result. Is the realm descriptor 
 correct ? Thanks.
 
 Gerald.
 
 
 
 






Re: RE: Digest authentication problem

2002-02-18 Thread Attila Szegedi

Netscape 4.x versions don't implement DIGEST authentication. When faced with a DIGEST 
auth, Netscape 4.x will ask the user for a username and password, and send the server 
a BASIC auth. This is why you're seeing base64 encoded header in a Netscape request - 
it's BASIC auth, not DIGEST auth.

--
Attila Szegedi
home: http://www.szegedi.org


- Original Message - 
From: jay n gaba [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: February 18, 2002 15:50
Subject: Re: RE: Digest authentication problem



hi
i am facing the same problem. there is a problem while using the digest authentication 
mode. it seems the password format return by ldap,in my case netscape directory 
structure, is different than one used by the digest class of tomcat.netscape uses 
base64 encoding while tomcat uses some hash functionality. so the authentication 
fails. 

solving this is in the to do list. if u wish there are 2 ways to solve it urself.
1. make changes to JNDIRealm class. 
2. binding user to ldap using bind authentication, which i am not very clear. I am 
trying to search on this.

regards
jay

ps: check previous mail archives for more details.

On Mon, 18 Feb 2002 Meurant , Gerald wrote :
 I forgot to mention that it´s a tomcat 4.01 .
 
 -Original Message-
 From: Meurant , Gerald [mailto:[EMAIL PROTECTED]
 .es]
 Sent: Monday, February 18, 2002 13:23
 To: [EMAIL PROTECTED]
 Subject: Digest authentication problem
 
 
 Hi,
 
 I have a tomcat server using a JNDI-Realm to 
 authenticate against a LDAP
 server. It works fine when using the BASIC 
 authentication mode, but it
 doesn´t work when specifying the DIGEST authentication 
 mode.
 There´s no error message in tomcat, neither in the LDAP 
 server, so I used a
 sniffer to watch the network traffic and the 
 communication between the 2
 servers : there´s no communication !!
 So I think the problem has its origin in tomcat. I post 
 the realm
 description of the server.xml (I replaced the lines 
 that specified my ldap
 server, the connection works in basic mode anyway) : 
 
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
        connectionName="cn=administrador"
        connectionPassword="mypassword"
        connectionURL="ldap://myserver:389"
        roleBase="dc=roles,o=artic,c=es"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        roleSubtree="false"
        userPassword="userPassword"
        userPattern="cn={0},o=artic,c=es"
        digest="MD5"
 />
 
 I would really apreciate any help, my searches on the 
 net and in the doc are
 not giving me any result. Is the realm descriptor 
 correct ? Thanks.
 
 Gerald.
 
 
 
 










Re: Re: RE: Digest authentication problem

2002-02-18 Thread jay n gaba


hi attila
thank you. can u give some pointers on bind authentication method.

thanks.

regards
jay

On Mon, 18 Feb 2002 Attila Szegedi wrote :
 Netscape 4.x versions don't implement DIGEST 
 authentication. When faced with a DIGEST auth, Netscape 
 4.x will ask the user for a username and password, and 
 send the server a BASIC auth. This is why you're seeing 
 base64 encoded header in a Netscape request - it's 
 BASIC auth, not DIGEST auth.
 
 --
 Attila Szegedi
 home: http://www.szegedi.org
 
 
 - Original Message - 
 From: jay n gaba [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Sent: February 18, 2002 15:50
 Subject: Re: RE: Digest authentication problem
 
 
 
 hi
 i am facing the same problem. there is a problem while 
 using the digest authentication mode. it seems the 
 password format return by ldap,in my case netscape 
 directory structure, is different than one used by the 
 digest class of tomcat.netscape uses base64 encoding 
 while tomcat uses some hash functionality. so the 
 authentication fails. 
 
 solving this is in the to do list. if u wish there are 
 2 ways to solve it urself.
 1. make changes to JNDIRealm class. 
 2. binding user to ldap using bind authentication, 
 which i am not very clear. I am trying to search on 
 this.
 
 regards
 jay
 
 ps: check previous mail archives for more details.
 
 On Mon, 18 Feb 2002 Meurant , Gerald wrote :
  I forgot to mention that it´s a tomcat 4.01 .
  
  -Original Message-
  From: Meurant , Gerald [mailto:[EMAIL PROTECTED]
 el-
  .es]
  Sent: Monday, February 18, 2002 13:23
  To: [EMAIL PROTECTED]
  Subject: Digest authentication problem
  
  
  Hi,
  
  I have a tomcat server using a JNDI-Realm to authenticate against a LDAP
  server. It works fine when using the BASIC authentication mode, but it
  doesn't work when specifying the DIGEST authentication mode.
  There's no error message in tomcat, neither in the LDAP server, so I used a
  sniffer to watch the network traffic and the communication between the 2
  servers : there's no communication !!
  So I think the problem has its origin in tomcat. I post the realm
  description of the server.xml (I replaced the lines that specified my ldap
  server, the connection works in basic mode anyway) : 
  
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="4"
         connectionName="cn=administrador"
         connectionPassword="mypassword"
         connectionURL="ldap://myserver:389"
         roleBase="dc=roles,o=artic,c=es"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         roleSubtree="false"
         userPassword="userPassword"
         userPattern="cn={0},o=artic,c=es"
         digest="MD5"
  />
  
  I would really appreciate any help, my searches on the 
  net and in the doc are
  not giving me any result. Is the realm descriptor 
  correct ? Thanks.
  
  Gerald.
  
  
  --
  To unsubscribe:   mailto:tomcat-user-unsubscribe@jakarta.apache.org
  For additional commands: mailto:tomcat-user-help@jakarta.apache.org
  Troubles with the list: mailto:tomcat-user-owner@jakarta.apache.org
  
  
 
 
 
 
 
 






digest authentication using servlets

2001-06-20 Thread Vladimir Grishchenko

Hi all,

I need to implement digest authentication using servlets.
Just wondering if anyone came across something that can be reused.
Is there any support for it in Tomcat? How do I use it if so?
I'm also not sure if JDK itself provides any support for it. I see there's
a class sun.net.www.protocol.http.DigestAuthentication but not sure how I
can use it, it seems that it must be used on client side. Any pointers/clues
will be greatly appreciated.

Thanks,
--Vlad.
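
An added example, not part of either thread and not Tomcat's code: server-side verification of an RFC 2617 Digest response. It shows why the server must hold MD5(username:realm:password) or the cleartext password, so a directory hash in another format cannot be used, and why a client that falls back to BASIC never passes the DIGEST check. The request values are the sample from RFC 2617 section 3.5; the function names and the BASIC and {SHA} values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_for(username, realm, password):
    # HA1 from RFC 2617: the only password-derived value the server needs.
    return md5_hex(f"{username}:{realm}:{password}")

def parse_digest(header):
    # Return the Digest parameters, or None for any other scheme (e.g. Basic).
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def verify(header, method, stored_ha1):
    # Recompute the qop=auth response from HA1 and compare in constant time.
    f = parse_digest(header)
    needed = ("uri", "nonce", "nc", "cnonce", "qop", "response")
    if f is None or any(k not in f for k in needed) or f["qop"] != "auth":
        return False
    ha2 = md5_hex(f"{method}:{f['uri']}")
    expected = md5_hex(":".join(
        [stored_ha1, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))
    return hmac.compare_digest(expected.encode(), f["response"].lower().encode())

# Sample request taken from the worked example in RFC 2617, section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
DIGEST_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
# Constructed: what a client that falls back to BASIC would send instead.
BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
# Constructed: a directory-style {SHA} value, base64 of SHA-1(password).
LDAP_SHA = "{SHA}" + base64.b64encode(hashlib.sha1(PASSWORD.encode()).digest()).decode()

if __name__ == "__main__":
    print(verify(DIGEST_HEADER, "GET", ha1_for(USER, REALM, PASSWORD)))
    print(verify(DIGEST_HEADER, "GET", LDAP_SHA))
    print(verify(BASIC_HEADER, "GET", ha1_for(USER, REALM, PASSWORD)))
```

This check covers only the response hash; a real server also has to confirm that the nonce is one it issued and that nc has not been replayed.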

