Re: [tomcat] branch main updated: Support RFC 7616. Add support for multiple algorithms.

2023-03-15 Thread Mark Thomas

On 15/03/2023 02:35, Han Li wrote:

On Mar 15, 2023, at 01:45, ma...@apache.org wrote:

+boolean session = false;
+if (algorithm.endsWith("-sess")) {
+algorithm = algorithm.substring(0, algorithm.length() - 5);
+}
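
Review bot: session is initialised to false and the "-sess" branch only strips the suffix, so the flag is still false after the if for a session-variant algorithm. Set session = true; inside the branch, alongside the substring call. The literal 5 is the length of "-sess"; deriving it from the suffix string would keep the two in step.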


I guess there may be a bug here: ‘session’ is not assigned the correct value, right?

Han


Correct. Well-spotted. I'll get that fixed.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Support RFC 7616. Add support for multiple algorithms.

2023-03-14 Thread Han Li



> On Mar 15, 2023, at 01:45, ma...@apache.org wrote:
> 
> This is an automated email from the ASF dual-hosted git repository.
> 
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/main by this push:
> new 55ad7dbe19 Support RFC 7616. Add support for multiple algorithms.
> 55ad7dbe19 is described below
> 
> commit 55ad7dbe196ba35dd16952701890d318e7926c02
> Author: Mark Thomas 
> AuthorDate: Fri Mar 3 17:58:05 2023 +
> 
>Support RFC 7616. Add support for multiple algorithms.
> ---
> java/org/apache/catalina/Realm.java|  40 +++
> .../authenticator/DigestAuthenticator.java | 213 
> .../catalina/authenticator/LocalStrings.properties |   2 +
> java/org/apache/catalina/realm/CombinedRealm.java  |   4 +-
> .../apache/catalina/realm/JAASCallbackHandler.java |   7 +-
> .../catalina/realm/JAASMemoryLoginModule.java  |   9 +-
> java/org/apache/catalina/realm/JAASRealm.java  |   6 +-
> java/org/apache/catalina/realm/JNDIRealm.java  |   4 +-
> .../apache/catalina/realm/LocalStrings.properties  |   1 +
> java/org/apache/catalina/realm/LockOutRealm.java   |   4 +-
> java/org/apache/catalina/realm/RealmBase.java  |  48 +++-
> .../tomcat/websocket/DigestAuthenticator.java  |  22 +-
> .../TestDigestAuthenticatorAlgorithms.java | 279 +
> test/org/apache/catalina/realm/TestJNDIRealm.java  |   6 +-
> webapps/docs/changelog.xml |   6 +
> webapps/docs/config/valve.xml  |   7 +
> 16 files changed, 580 insertions(+), 78 deletions(-)
> 
> diff --git a/java/org/apache/catalina/Realm.java 
> b/java/org/apache/catalina/Realm.java
> index cb27fdd487..e81802965e 100644
> --- a/java/org/apache/catalina/Realm.java
> +++ b/java/org/apache/catalina/Realm.java
> @@ -101,13 +101,53 @@ public interface Realm extends Contained {
>  * @param digestA2 Second digest calculated as digest(Method + ":" + uri)
>  *
>  * @return the associated principal, or {@code null} if there is none.
> + *
> + * @deprecated Unused. Use {@link #authenticate(String, String, String,
> + * String, String, String, String, String, String)}. Will be removed in
> + * Tomcat 11.
>  */
> +@Deprecated
> Principal authenticate(String username, String digest,
>   String nonce, String nc, String cnonce,
>   String qop, String realm,
>   String digestA2);
> 
> 
> +/**
> + * Try to authenticate with the specified username, which
> + * matches the digest calculated using the given parameters using the
> + * method described in RFC 7616.
> + * 
> + * The default implementation calls {@link #authenticate(String, String,
> + * String, String, String, String, String, String)} for backwards
> + * compatibility which effectively forces the use of MD5 regardless of 
> the
> + * algorithm specified in the call to this method.
> + * 
> + * Implementations are expected to override the default implementation 
> and
> + * take account of the algorithm parameter.
> + *
> + * @param username Username of the Principal to look up
> + * @param digest Digest which has been submitted by the client
> + * @param nonce Unique (or supposedly unique) token which has been used
> + * for this request
> + * @param nc the nonce counter
> + * @param cnonce the client chosen nonce
> + * @param qop the "quality of protection" ({@code nc} and {@code cnonce}
> + *will only be used, if {@code qop} is not {@code null}).
> + * @param realm Realm name
> + * @param digestA2 Second digest calculated as digest(Method + ":" + uri)
> + * @param algorithm The message digest algorithm to use
> + *
> + * @return the associated principal, or {@code null} if there is none.
> + */
> +default Principal authenticate(String username, String digest,
> +  String nonce, String nc, String cnonce,
> +  String qop, String realm,
> +  String digestA2, String algorithm) {
> +return authenticate(username, digest, nonce, nc, cnonce, qop, realm, 
> digestA2);
> +}
> +
> +
> /**
>  * Try to authenticate using a {@link GSSContext}.
>  *
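
Review bot: The @deprecated tag on the eight-argument authenticate() says "Unused", but the new default method in this same hunk delegates to it, so it remains the live path for every Realm that does not override the nine-argument form. Reword the tag to say it is retained for that delegation. Also consider having the default method return null when algorithm is anything other than MD5 instead of silently ignoring the parameter, since the Javadoc itself notes that MD5 is forced regardless of the algorithm passed in.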
> diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java 
> b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
> index 0d5e681a3f..f80f2181e9 100644
> --- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
> +++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
> @@ -19,8 +19,14 @@ package org.apache.catalina.authenticator;
> import java.io.IOException;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;

Re: [tomcat] branch main updated: Support RFC 7616. Add support for multiple algorithms.

2023-03-14 Thread Christopher Schultz

Mark,

On 3/14/23 13:47, Mark Thomas wrote:

On 14/03/2023 17:45, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 55ad7dbe19 Support RFC 7616. Add support for multiple algorithms.

55ad7dbe19 is described below

commit 55ad7dbe196ba35dd16952701890d318e7926c02
Author: Mark Thomas 
AuthorDate: Fri Mar 3 17:58:05 2023 +

 Support RFC 7616. Add support for multiple algorithms.


Thoughts on back-porting this?


I see no reason to /avoid/ back-porting it. Browser support is nearly 
non-existent, so I see no burning requirement to back-port.


If it's easy to do, I'd say go ahead and back-port. If it's a pain or you 
are even a little concerned about stability, maybe give users some time 
to play with it a little before back-porting.


-chris




Re: [tomcat] branch main updated: Support RFC 7616. Add support for multiple algorithms.

2023-03-14 Thread Mark Thomas

On 14/03/2023 17:45, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 55ad7dbe19 Support RFC 7616. Add support for multiple algorithms.
55ad7dbe19 is described below

commit 55ad7dbe196ba35dd16952701890d318e7926c02
Author: Mark Thomas 
AuthorDate: Fri Mar 3 17:58:05 2023 +

 Support RFC 7616. Add support for multiple algorithms.


Thoughts on back-porting this?

Mark
