Hello,

In Tomcat 4.0 it is possible to use BASIC authentication together with encrypted
passwords (e.g. by adding the attribute digest="MD5" to a <Realm/> element), or DIGEST
with passwords stored only in clear text. It's not possible to use DIGEST authentication
together with encrypted passwords. The reason is getDigest(username, realmName) in the
RealmBase class, which calculates the digest from
username + ":" + realmName + ":" + getPassword(username):

    protected String getDigest(String username, String realmName) {
        if (md5Helper == null) {
            try {
                md5Helper = MessageDigest.getInstance("MD5");
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
                throw new IllegalStateException();
            }
        }
        String digestValue = username + ":" + realmName + ":"
            + getPassword(username);
        byte[] digest =
            md5Helper.digest(digestValue.getBytes());
        return md5Encoder.encode(digest);
    }

What about storing those digest values directly inside the password attributes of 
tomcat-user.xml, e.g. using:

    java org.apache.catalina.realm.RealmBase \
        -a {algorithm} "{username}:{realm}:{cleartext-password}"

and first checking if a MessageDigest is available in RealmBase?

    protected String getDigest(String username, String realmName) {
        if (md5Helper == null) {
            try {
                md5Helper = MessageDigest.getInstance("MD5");
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
                throw new IllegalStateException();
            }
        }
        if (hasMessageDigest()) {
            return getPassword(username);
        } else {
            String digestValue = username + ":" + realmName + ":"
                + getPassword(username);
            byte[] digest =
                md5Helper.digest(digestValue.getBytes());
            return md5Encoder.encode(digest);
        }
    }

Best regards,
Norbert Klose.

Attachment: RealmBase.java
Description: JavaScript source
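
Added example, not part of the original message and not Tomcat code: a standalone Java sketch of the proposal, showing that a stored MD5(username:realm:password) value is enough for the server to verify a DIGEST response, while a stored MD5(password) is not. It assumes the RFC 2617 response form without qop; the class name and all sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestRealmSketch {              // hypothetical class name

    // Lower-case hex MD5 of a string (the encoding RFC 2617 uses).
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // RFC 2617 request-digest without qop: MD5(HA1 ":" nonce ":" MD5(method ":" uri)).
    static String response(String ha1, String nonce, String method, String uri) {
        return md5Hex(ha1 + ":" + nonce + ":" + md5Hex(method + ":" + uri));
    }

    // Constant-time comparison of two hex digests.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the message.
        String user = "alice", realm = "Example Realm", password = "s3cret";
        String nonce = "constructed-nonce-0001", method = "GET", uri = "/protected/";

        // Client side: derives HA1 from the clear-text password the user typed.
        String clientResponse =
                response(md5Hex(user + ":" + realm + ":" + password), nonce, method, uri);
        // Proposed storage: the password attribute already holds MD5(user:realm:password),
        // so getDigest() can return the stored value unchanged.
        String storedHa1 = md5Hex(user + ":" + realm + ":" + password);
        System.out.println("stored HA1 verifies:    "
                + same(response(storedHa1, nonce, method, uri), clientResponse));
        // Plain MD5(password) in the attribute: the original getDigest() would hash
        // user:realm:<stored hash>, which is a different A1, so the check fails.
        String wrongHa1 = md5Hex(user + ":" + realm + ":" + md5Hex(password));
        System.out.println("MD5(password) verifies: "
                + same(response(wrongHa1, nonce, method, uri), clientResponse));
    }
}
```

The stored value is bound to the realm name, so renaming the realm invalidates every entry. It is also sufficient on its own to compute valid DIGEST responses for that realm, so the users file needs the same access protection as a clear-text password file.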
