Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-16 Thread Christopher Schultz
Thorsten, On 11/16/22 02:36, Thorsten Schöning wrote: Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:17 you wrote: You should double-check the definition of "compliant to CIS benchmark spec" because there is no way in hell that HTTP DIGEST is required.[...] The spec

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Thorsten Schöning
Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:17 you wrote: > You should double-check the definition of "compliant to CIS > benchmark spec" because there is no way in hell that HTTP DIGEST is > required.[...] The spec doesn't tell me exactly to use auth-method DIGEST,

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Christopher Schultz
Thorsten, On 11/15/22 15:29, Thorsten Schöning wrote: Hello Mark Thomas, on Tuesday, 15 November 2022 at 20:44 you wrote: Assuming digesting passwords with one round of MD5 and no salt isn't acceptable (I'd be surprised if it was) then you are probably looking at HTTPS + BASIC +

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Thorsten Schöning
Hello Mark Thomas, on Tuesday, 15 November 2022 at 20:44 you wrote: > Assuming digesting passwords with one round of MD5 and no salt > isn't acceptable (I'd be surprised if it was) then you are probably > looking at HTTPS + BASIC + PBKDF2WithHmacSHA512. Thanks for that clarification,

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Mark Thomas
Sorry, you are correct. There is no way to use PBKDF2WithHmacSHA512 in a Realm along with HTTP DIGEST auth. If you want to use HTTP DIGEST auth and digested passwords on the server you have to use, quoting the Tomcat docs, "one iteration of the MD5 algorithm with no salt". RFC 7616 has

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Thorsten Schöning
Hello Mark Thomas, on Tuesday, 15 November 2022 at 18:36 you wrote: > Please go and read my email - and the links I provided - again. I did, so feel free to tell me how I tell my browser to use my plain-text password as PBKDF2WithHmacSHA512 digest with 10 iterations, a key length

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Mark Thomas
On 15/11/2022 17:07, Thorsten Schöning wrote: Hello Mark Thomas, on Tuesday, 15 November 2022 at 12:51 you wrote: In short, the digested value you save as the user credential is one of the inputs the client uses when calculating the value to use in the authorization header.[...] My
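As an added example (not code from this thread, and not Tomcat's own implementation), here is the mechanism Mark is describing, together with the point he makes in the reply that quotes the Tomcat docs ("one iteration of the MD5 algorithm with no salt"): an HTTP DIGEST client derives HA1 = MD5(username:realm:password) from the plaintext password the user typed, so the server can only verify the response if the value it stores is exactly that HA1. With BASIC over HTTPS the server receives the plaintext on every request and can therefore verify against a salted PBKDF2WithHmacSHA512 credential. The account, realm name, nonces, iteration count and the saltHex$iterations$hashHex storage layout are assumptions made for the example; the RFC 2617 test vector is used to check the digest arithmetic.

```python
import hashlib
import os
import secrets

# Constructed sample account (not from the thread). REALM is the string that
# web.xml puts in <realm-name>; it is part of the client's HA1 computation.
USERNAME = "alice"
REALM = "Example Realm"
PASSWORD = "correct horse battery staple"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_stored_credential(username: str, realm: str, password: str) -> str:
    """Server-side credential for auth-method DIGEST: HA1 = MD5(username:realm:password),
    i.e. one iteration of MD5 with no salt. Nothing stronger is possible, because the
    client recomputes exactly this value from the plaintext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Browser side of RFC 7616 with algorithm=MD5 and qop=auth. HA1 comes from the
    plaintext password the user typed; the browser never sees any server-side hash."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute the response from the stored HA1 plus the request parameters.
    The plaintext password is never available here, so the stored value must *be* HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


# BASIC over HTTPS: the server gets the plaintext password on every request, so the stored
# credential can be any slow, salted KDF. The saltHex$iterations$hashHex layout is an
# assumption chosen to resemble a SecretKeyCredentialHandler entry; adjust if yours differs.
def pbkdf2_stored_credential(password, iterations=100_000, key_length_bits=256, salt=None):
    salt = os.urandom(16) if salt is None else salt  # constructed random salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, key_length_bits // 8)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def basic_verify(stored, password):
    """Verify a BASIC credential against the stored PBKDF2WithHmacSHA512 value."""
    salt_hex, iterations, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), len(hash_hex) // 2)
    return secrets.compare_digest(dk.hex(), hash_hex)


def demo():
    """Run both flows and return the outcomes so they can be inspected or asserted on."""
    # Constructed request parameters; in practice nonce comes from the server, cnonce from the browser.
    params = dict(method="GET", uri="/admin/index.html",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
                  cnonce="0a4f113b")
    response = client_digest_response(USERNAME, REALM, PASSWORD, **params)

    ha1 = digest_stored_credential(USERNAME, REALM, PASSWORD)
    pbkdf2 = pbkdf2_stored_credential(PASSWORD)
    return {
        # DIGEST verifies only when the server stores MD5(user:realm:password) ...
        "digest_with_md5_ha1": server_verify_digest(ha1, response=response, **params),
        # ... and fails as soon as the stored value is anything else, e.g. the PBKDF2 hash.
        "digest_with_pbkdf2": server_verify_digest(pbkdf2.split("$")[2], response=response, **params),
        # BASIC (over TLS) hands the server the plaintext, so the PBKDF2 credential verifies.
        "basic_with_pbkdf2": basic_verify(pbkdf2, PASSWORD),
        "basic_wrong_password": basic_verify(pbkdf2, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The second dictionary entry is the crux of the thread: a PBKDF2 credential is not a wrong HA1 that could be fixed, it is simply not an input the browser ever computes, so no CredentialHandler setting can make DIGEST work with it.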

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Thorsten Schöning
Hello Mark Thomas, on Tuesday, 15 November 2022 at 12:51 you wrote: > In short, the digested value you save as the user credential is one > of the inputs the client uses when calculating the value to use in > the authorization header.[...] My client is a browser and that asks me for

Re: How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Mark Thomas
On 15/11/2022 10:20, Thorsten Schöning wrote: So, is it even possible to use SecretKeyCredentialHandler and auth-method DIGEST together or am I required to use BASIC? If DIGEST is supported, how does that and credential helper work together without plain-text password available at the server

How do auth-method BASIC and DIGEST play together with some credential helper?

2022-11-15 Thread Thorsten Schöning
Hi everyone, I have some webapp hosted by Tomcat and need to restrict user access to some part of it. One additional requirement is that this app needs to be CIS benchmark compliant, and that requires not storing plain-text passwords. So consider the following user database and credential