I apologize in advance if I am sending this bug report/fix to the
wrong group or if the fix has already been implemented.

Using JDK1.3.01 and Tomcat 4.1.12, and sun.net.HttpURLConnection,
Digest Authentication does not work.  The sun.net.HttpURLConnection
class responds to the WWW-Authenticate challenge with an HTTP Authorization
header that contains no 'nc', 'nonce' or 'qop' parameters. Although this
may not be very efficient, as best as I can tell from the spec, this is
a legal response.

org.apache.catalina.realm.RealmBase (line 373) calculates:
       String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
            + cnonce + ":" + qop + ":" + md5a2;

These null parameters get added to the string as ":null" and the MD5
encoded result 'serverDigest' does not match the 'clientDigest' and
authentication fails.

Replacing the 'serverDigestValue' with the following fixes the problem:
        String serverDigestValue = md5a1 + ":" + nOnce;
        if (nc!=null) serverDigestValue += ":" + nc;
        if (cnonce!=null) serverDigestValue += ":" + cnonce;
        if (qop!=null) serverDigestValue += ":" + qop;
        serverDigestValue += ":" + md5a2;


==================================================================
To reproduce the problem:
        1) Start with a Tomcat 4.1.12 site with some pages requiring digest
authentication.
           Assume username,password = "myName","myPassword"

        2) Define authenticator
                import java.net.Authenticator;
                import java.net.PasswordAuthentication;

                public class AuthImpl extends Authenticator {
                        // Authentication Method: supplies the credentials when the
                        // connection receives a 401 challenge
                        protected PasswordAuthentication getPasswordAuthentication() {
                                return new PasswordAuthentication("myName",
                                        "myPassword".toCharArray());
                        }
                }

        3) Access the pages with the following
                Authenticator.setDefault(new AuthImpl());
                URL url = new URL("http://localhost/foo.html");
                // openConnection() returns a URLConnection; cast to use getResponseCode()
                HttpURLConnection uc = (HttpURLConnection) url.openConnection();
                // getInputStream() triggers the 401 challenge and the retry with Authorization
                InputStream in = uc.getInputStream();
                byte buf[] = new byte[4096];
                int readNum;
                while ((readNum = in.read(buf, 0, 4096)) > 0) {
                        // if (out != null) out.write(buf, 0, readNum);
                }
                int status = uc.getResponseCode();

        Authentication will fail until corrected as described above.
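To make the mismatch concrete, here is an added stand-alone example (written for this page, not code from the report or from Tomcat's RealmBase) that recomputes the digest response on both sides. It contrasts the concatenation quoted above, which turns a missing nc/cnonce/qop into the literal text "null", with the RFC 2617 section 3.2.2.1 rule that a response without qop is H(H(A1) ":" nonce ":" H(A2)). The class and method names, the realm name, and the nonce and cnonce strings are assumptions constructed for the demonstration; it targets a current JDK rather than 1.3.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseCheck {

    // Lower-case hex MD5, the H() of RFC 2617 (the same encoding as RealmBase's md5a1/md5a2).
    static String md5Hex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    // The concatenation the report quotes: a missing nc, cnonce or qop is stringified
    // as "null", so the server hashes a string the client never built.
    static String buggyServerDigest(String md5a1, String nonce, String nc,
                                    String cnonce, String qop, String md5a2) {
        return md5Hex(md5a1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + md5a2);
    }

    // Expected response per RFC 2617 section 3.2.2.1. With qop the nc, cnonce and qop
    // fields are hashed; without qop (the RFC 2069 form the JDK 1.3 client sends) the
    // response is H(H(A1) ":" nonce ":" H(A2)) and nc/cnonce do not appear at all.
    static String expectedResponse(String md5a1, String nonce, String nc,
                                   String cnonce, String qop, String md5a2) {
        if (qop == null) {
            return md5Hex(md5a1 + ":" + nonce + ":" + md5a2);
        }
        if (nc == null || cnonce == null) {
            throw new IllegalArgumentException("qop present but nc or cnonce missing");
        }
        return md5Hex(md5a1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + md5a2);
    }

    // Server-side check: recompute from the stored H(A1) and compare with
    // MessageDigest.isEqual so the comparison does not short-circuit on the first mismatch.
    static boolean verify(String clientDigest, String md5a1, String nonce, String nc,
                          String cnonce, String qop, String md5a2) {
        String expected = expectedResponse(md5a1, nonce, nc, cnonce, qop, md5a2);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.ISO_8859_1),
                                     clientDigest.getBytes(StandardCharsets.ISO_8859_1));
    }

    // A client building the response from its credentials; written out in full rather
    // than via expectedResponse() so the two sides are computed independently.
    static String clientResponse(String user, String realm, String password, String method,
                                 String uri, String nonce, String nc, String cnonce, String qop) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) {
            return md5Hex(ha1 + ":" + nonce + ":" + ha2);   // RFC 2069 form, no nc/cnonce
        }
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    public static void main(String[] args) {
        // Constructed sample values; the realm, nonce and cnonce are placeholders, not ones Tomcat issued.
        String user = "myName", realm = "Example Realm", password = "myPassword";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String method = "GET", uri = "/foo.html";
        String md5a1 = md5Hex(user + ":" + realm + ":" + password); // what the realm stores
        String md5a2 = md5Hex(method + ":" + uri);

        // Case 1: challenge answered without qop/nc/cnonce, as the report describes.
        String oldStyle = clientResponse(user, realm, password, method, uri, nonce, null, null, null);
        System.out.println("no-qop, buggy concat matches:   "
                + buggyServerDigest(md5a1, nonce, null, null, null, md5a2).equals(oldStyle));
        System.out.println("no-qop, RFC 2617 check matches: "
                + verify(oldStyle, md5a1, nonce, null, null, null, md5a2));

        // Case 2: full qop=auth response; both computations agree here, which is why the
        // defect only surfaces with clients that omit qop.
        String nc = "00000001", cnonce = "0a4f113b";
        String qopStyle = clientResponse(user, realm, password, method, uri, nonce, nc, cnonce, "auth");
        System.out.println("qop=auth, buggy concat matches:   "
                + buggyServerDigest(md5a1, nonce, nc, cnonce, "auth", md5a2).equals(qopStyle));
        System.out.println("qop=auth, RFC 2617 check matches: "
                + verify(qopStyle, md5a1, nonce, nc, cnonce, "auth", md5a2));
    }
}
```

Run with `javac DigestResponseCheck.java && java DigestResponseCheck`: the no-qop case prints false for the quoted concatenation and true for the conforming check, and the qop=auth case prints true for both. Note that the conforming check branches on qop alone, following the RFC: when qop is absent, nc and cnonce are absent by definition, and when qop is present both must be supplied, so a request carrying qop without a nonce count is rejected rather than silently hashed with the fields left out.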

