Thorsten,
On 11/16/22 02:36, Thorsten Schöning wrote:
Hello Christopher Schultz,
on Wednesday, 16 November 2022 at 04:17 you wrote:
You should double-check the definition of "compliant to CIS
benchmark spec" because there is no way in hell that HTTP DIGEST is
required.[...]
The spec
Hello Christopher Schultz,
on Wednesday, 16 November 2022 at 04:17 you wrote:
> You should double-check the definition of "compliant to CIS
> benchmark spec" because there is no way in hell that HTTP DIGEST is
> required.[...]
The spec doesn't tell me exactly to use auth-method DIGEST, bu
Thorsten,
On 11/15/22 15:29, Thorsten Schöning wrote:
Hello Mark Thomas,
on Tuesday, 15 November 2022 at 20:44 you wrote:
Assuming digesting passwords with one round of MD5 and no salt
isn't acceptable (I'd be surprised if it was) then you are probably
looking at HTTPS + BASIC + PBKD
Hello Mark Thomas,
on Tuesday, 15 November 2022 at 20:44 you wrote:
> Assuming digesting passwords with one round of MD5 and no salt
> isn't acceptable (I'd be surprised if it was) then you are probably
> looking at HTTPS + BASIC + PBKDF2WithHmacSHA512.
Thanks for that clarification, it
Sorry, you are correct. There is no way to use PBKDF2WithHmacSHA512 in a
Realm along with HTTP DIGEST auth.
If you want to use HTTP DIGEST auth and digested passwords on the server
you have to use, quoting the Tomcat docs, "one iteration of the MD5
algorithm with no salt".
RFC 7616 has added
Hello Mark Thomas,
on Tuesday, 15 November 2022 at 18:36 you wrote:
> Please go and read my email - and the links I provided - again.
I did, so feel free to tell me how I tell my browser to use my
plain-text password as PBKDF2WithHmacSHA512 digest with 10
iterations, a key length of
On 15/11/2022 17:07, Thorsten Schöning wrote:
Hello Mark Thomas,
on Tuesday, 15 November 2022 at 12:51 you wrote:
In short, the digested value you save as the user credential is one
of the inputs the client uses when calculating the value to use in
the authorization header.[...]
My
Hello Mark Thomas,
on Tuesday, 15 November 2022 at 12:51 you wrote:
> In short, the digested value you save as the user credential is one
> of the inputs the client uses when calculating the value to use in
> the authorization header.[...]
My client is a browser and that asks me for pla
On 15/11/2022 10:20, Thorsten Schöning wrote:
So, is it even possible to use SecretKeyCredentialHandler and
auth-method DIGEST together or am I required to use BASIC? If DIGEST
is supported, how does that and credential helper work together
without plain-text password available at the server a
Hi everyone,
I have some webapp hosted by Tomcat and need to restrict user access
to some part of that. One additional requirement is that this app
needs to be CIS benchmark compliant and that requires to not store
plain-text passwords. So consider the following user database and
credential helper