RE: Using Digested Passwords and DIGEST Authentication at the same time.

Hi,

Thank you for posting this fine explanation and solution so that others may learn. It always makes my day when people figure out good solutions! Now if the Red Sox win, this will truly be a great day! ;) But a good weekend to all, regardless...

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 08, 2004 1:14 AM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

Thanks for the information.

> - Not all browsers supported DIGEST authentication, so you can't guarantee that all clients will be able to authenticate... Internet Explorer and Konqueror are two browsers that do support DIGEST authentication. Mozilla 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize this), but can't authenticate.

This is cleared, since we are using IE 6.

> - DIGEST authentication doesn't work if the passwords are digested on the Tomcat side (so that they can't be read as cleartext) because of the way that DIGEST mechanism calculates its digest. First of all the browser calculates a digest of the username, the password, the URL, the HTTP method, and a random string sent to it by the server. Likewise, the server creates a digest to verify that the details entered by the user are correct. However, as the password is already digested on the server, and thus completely different from the cleartext version entered into the browser, the two digests will be different, and authentication will fail...

So here's my problem. I looked further into this, and found a solution, which I would like to share.

First, if you take a look at the DIGEST authentication spec at
http://www.faqs.org/rfcs/rfc2617.html
you will see in section 3.2.2.2 A1 that for MD5, the hashed result depends on username, realm and password. Which means, if I couple the usernames with the realm, it is possible to hash the passwords stored in the server.

Next, I found where the A1 is being calculated in Tomcat:
RealmBase#getDigest(String username, String realmName)
If I override this method to return the hashed password, the digested password and DIGEST authentication should work together.

In order to test my theory, I have created a Realm that does the above, extending MemoryRealm:
http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableMemoryRealm.java

I set it in my Context using:

<Context path="/shinobu" docBase="shinobu" workDir="work\Catalina\localhost\shinobu">
  <Realm className="org.ieee.shinobu.demo.tomcat.DigestableMemoryRealm"
         digest="MD5" pathname="conf/shinobu-users.xml" />
</Context>

Inside my shinobu-users.xml:

<tomcat-users>
  <role rolename="shinobu.admin"/>
  <user username="md5a1_admin" password="57348f05c8378963c2d52ec456f6b6fd" roles="shinobu.admin"/>
</tomcat-users>

The password is "md5a1_admin:Shinobu's domain:shinobu_admin" digested with MD5.

I set authentication to DIGEST in my web.xml:

<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>shinobu.admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Shinobu's domain</realm-name>
  </login-config>
  <security-role>
    <role-name>shinobu.admin</role-name>
  </security-role>
</web-app>

I access http://localhost:8080/shinobu/admin/ and voila! It works!

Best regards,
-- Shinobu Kawai
RE: Using Digested Passwords and DIGEST Authentication at the same time.

Have you tried it based on the howto?

-----Original Message-----
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]]
Sent: October 7, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: Using Digested Passwords and DIGEST Authentication at the same time.

Hi all,

I'm looking for a way to use Digested Passwords as in
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
and DIGEST Authentication at the same time.

I have found related questions/threads in the list:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg97135.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg90244.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg88409.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg79660.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg79525.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg72288.html

But none of them has a solution. Any ideas before I start hacking Tomcat?

TYI

Best regards,
-- Shinobu Kawai
Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

> Have you tried it based on the howto?

Yep. Here's what I tried: (All with o.a.c.r.MemoryRealm)

clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai
RE: Using Digested Passwords and DIGEST Authentication at the same time.

I don't think MD5+DIGEST will work. Take a look at any subclass of RealmBase. Realm has nothing to do with the web.xml attribute login-config. In the authenticate method, Realm checks hasMessageDigest() - the value of Realm digest="...". If hasMessageDigest, in your case =MD5, Realm digests the password and compares it with the value stored in the database.

-----Original Message-----
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]]
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

> Have you tried it based on the howto?

Yep. Here's what I tried: (All with o.a.c.r.MemoryRealm)

clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai
RE: Using Digested Passwords and DIGEST Authentication at the same time.

It's interesting you know. I read a book called Professional Apache Tomcat published by Wrox. In Chapter 16 Tomcat Security, the author says:

- Not all browsers supported DIGEST authentication, so you can't guarantee that all clients will be able to authenticate... Internet Explorer and Konqueror are two browsers that do support DIGEST authentication. Mozilla 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize this), but can't authenticate.

- DIGEST authentication doesn't work if the passwords are digested on the Tomcat side (so that they can't be read as cleartext) because of the way that DIGEST mechanism calculates its digest. First of all the browser calculates a digest of the username, the password, the URL, the HTTP method, and a random string sent to it by the server. Likewise, the server creates a digest to verify that the details entered by the user are correct. However, as the password is already digested on the server, and thus completely different from the cleartext version entered into the browser, the two digests will be different, and authentication will fail...

-----Original Message-----
From: Phillip Qin [mailto:[EMAIL PROTECTED]]
Sent: October 7, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the same time.

I don't think MD5+DIGEST will work. Take a look at any subclass of RealmBase. Realm has nothing to do with the web.xml attribute login-config. In the authenticate method, Realm checks hasMessageDigest() - the value of Realm digest="...". If hasMessageDigest, in your case =MD5, Realm digests the password and compares it with the value stored in the database.

-----Original Message-----
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]]
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

> Have you tried it based on the howto?

Yep. Here's what I tried: (All with o.a.c.r.MemoryRealm)

clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai
RE: Using Digested Passwords and DIGEST Authentication at the same time.

As I am new to Tomcat I will ask you to excuse my ignorance. I have just realized (and I am asking those with the necessary experience to verify this) that when you talk about DIGEST authentication there are really two separate and distinct forms of it:

1. Indicate to the BROWSER to digest the password before it is passed over the network. Tomcat would then extract the PLAIN TEXT password from the database, digest it using the same algorithm and compare it to the digested value that was just received from the browser.

2. Indicate to the REALM that passwords in the database are stored as hash values of the user password. Tomcat will receive the password from the browser in PLAIN TEXT - the realm will hash it and compare it to the retrieved hashed password from the database.

As mentioned below, combining these two mechanisms won't work.

This happens to be fine for me - we use SSL for all data transfer but we were storing passwords in plain text in the database. We'd like to store hashed values. It is now my understanding that I can continue to use BASIC authentication but simply configure the realm to expect hashed passwords in the database.

That really clarifies a lot (assuming I haven't bungled it). I kept finding opposing views concerning digestion of passwords and I couldn't find any absolutes about it. What a relief to finally get some insight!

Any clarification or correction of this information would be greatly appreciated before I commit it to memory.

Thanks!!!

-----Original Message-----
From: Phillip Qin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 07, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the same time.

I don't think MD5+DIGEST will work. Take a look at any subclass of RealmBase. Realm has nothing to do with the web.xml attribute login-config. In the authenticate method, Realm checks hasMessageDigest() - the value of Realm digest="...". If hasMessageDigest, in your case =MD5, Realm digests the password and compares it with the value stored in the database.

-----Original Message-----
From: Shinobu Kawai [mailto:[EMAIL PROTECTED]]
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

> Have you tried it based on the howto?

Yep. Here's what I tried: (All with o.a.c.r.MemoryRealm)

clear text + BASIC - works!
clear text + DIGEST - works!
MD5 digest + BASIC - works!
SHA digest + BASIC - works!
MD5 digest + DIGEST - doesn't work!
SHA digest + DIGEST - doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai
Re: Using Digested Passwords and DIGEST Authentication at the same time.

Hi Phillip,

Thanks for the information.

> - Not all browsers supported DIGEST authentication, so you can't guarantee that all clients will be able to authenticate... Internet Explorer and Konqueror are two browsers that do support DIGEST authentication. Mozilla 1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize this), but can't authenticate.

This is cleared, since we are using IE 6.

> - DIGEST authentication doesn't work if the passwords are digested on the Tomcat side (so that they can't be read as cleartext) because of the way that DIGEST mechanism calculates its digest. First of all the browser calculates a digest of the username, the password, the URL, the HTTP method, and a random string sent to it by the server. Likewise, the server creates a digest to verify that the details entered by the user are correct. However, as the password is already digested on the server, and thus completely different from the cleartext version entered into the browser, the two digests will be different, and authentication will fail...

So here's my problem. I looked further into this, and found a solution, which I would like to share.

First, if you take a look at the DIGEST authentication spec at
http://www.faqs.org/rfcs/rfc2617.html
you will see in section 3.2.2.2 A1 that for MD5, the hashed result depends on username, realm and password. Which means, if I couple the usernames with the realm, it is possible to hash the passwords stored in the server.

Next, I found where the A1 is being calculated in Tomcat:
RealmBase#getDigest(String username, String realmName)
If I override this method to return the hashed password, the digested password and DIGEST authentication should work together.

In order to test my theory, I have created a Realm that does the above, extending MemoryRealm:
http://sylow.no-ip.com/pub/apache/jakarta/tomcat/DigestableMemoryRealm.java

I set it in my Context using:

<Context path="/shinobu" docBase="shinobu" workDir="work\Catalina\localhost\shinobu">
  <Realm className="org.ieee.shinobu.demo.tomcat.DigestableMemoryRealm"
         digest="MD5" pathname="conf/shinobu-users.xml" />
</Context>

Inside my shinobu-users.xml:

<tomcat-users>
  <role rolename="shinobu.admin"/>
  <user username="md5a1_admin" password="57348f05c8378963c2d52ec456f6b6fd" roles="shinobu.admin"/>
</tomcat-users>

The password is "md5a1_admin:Shinobu's domain:shinobu_admin" digested with MD5.

I set authentication to DIGEST in my web.xml:

<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>shinobu.admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Shinobu's domain</realm-name>
  </login-config>
  <security-role>
    <role-name>shinobu.admin</role-name>
  </security-role>
</web-app>

I access http://localhost:8080/shinobu/admin/ and voila! It works!

Best regards,
-- Shinobu Kawai
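The RFC 2617 arithmetic behind the solution above, as an added example that is not part of the thread and not Tomcat's code: the server verifies a DIGEST response from a stored H(A1) = MD5(username:realm:password), which is exactly what the overridden getDigest() hands back, and the same check fails when the stored value is a plain MD5 of the password (the "MD5 digest + DIGEST - doesn't work!" case). The realm name is the one from the web.xml in the thread; the user, password, nonce and cnonce are constructed values.

```python
import hashlib
import hmac

REALM = "Shinobu's domain"  # realm-name from the web.xml in the thread


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 3.2.2.2, algorithm=MD5: A1 = username ":" realm ":" password.
    # This is the only credential a realm needs to keep; note it is
    # password-equivalent for this realm and must be protected as such.
    return md5_hex(f"{username}:{realm}:{password}")


def response_from_ha1(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # RFC 2617 3.2.2.1 request-digest. Browser and server both run this;
    # the browser derives ha1_hex from the typed password, the server
    # reads it from storage. H(A2) = MD5(Method ":" digest-uri) for qop=auth.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")  # RFC 2069 compatibility form


def browser_response(username, password, method, uri, nonce, **qop_args):
    return response_from_ha1(ha1(username, REALM, password), method, uri, nonce, **qop_args)


def server_accepts(stored, method, uri, nonce, response, **qop_args):
    # Recompute from the stored credential and compare in constant time.
    # Succeeds only when `stored` is H(A1), never when it is MD5(password).
    expected = response_from_ha1(stored, method, uri, nonce, **qop_args)
    return hmac.compare_digest(expected, response)


def demo():
    # constructed credentials and nonce values; not taken from the thread
    user, pw, nonce = "alice", "correct horse", "5f1c2e9a7b3d4e6f"
    uri, kw = "/shinobu/admin/", dict(qop="auth", nc="00000001", cnonce="a1b2c3d4")
    resp = browser_response(user, pw, "GET", uri, nonce, **kw)
    return {
        "stored_ha1": server_accepts(ha1(user, REALM, pw), "GET", uri, nonce, resp, **kw),  # True
        "stored_md5_of_password": server_accepts(md5_hex(pw), "GET", uri, nonce, resp, **kw),  # False
        "replayed_under_new_nonce": server_accepts(ha1(user, REALM, pw), "GET", uri, "0000000000000000", resp, **kw),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The third entry shows why the server nonce matters: a captured response is bound to the nonce it was computed under and does not verify once the server issues a fresh one.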