Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Mark Thomas
Johnny Kewl wrote:
 I don't think you can do what you want to...
 I don't think you can use web based DIGEST authentication.
 And then hide passwords in a MD5 digest as well.

Yes you can.

 I think web based DIGEST authentication, MUST get at the plain text
 password.

No.

 That process has to be repeated on the server, and SHA(Password) + plus
 some random stuff NOT EQUAL to browser...
 I think it has to be a plain text password... unless TC does something
 unbelievable...

Not unbelievable. Just plain cold logic. The use of DIGEST auth and
digested passwords are 100% independent.

Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Mark Thomas
Mark Thomas wrote:
 Johnny Kewl wrote:
 I don't think you can do what you want to...
 I don't think you can use web based DIGEST authentication.
 And then hide passwords in a MD5 digest as well.
 
 Yes you can.
 
 I think web based DIGEST authentication, MUST get at the plain text
 password.
 
 No.
 
 That process has to be repeated on the server, and SHA(Password) + plus
 some random stuff NOT EQUAL to browser...
 I think it has to be a plain text password... unless TC does something
 unbelievable...
 
 Not unbelievable. Just plain cold logic. The use of DIGEST auth and
 digested passwords are 100% independent.

Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
auth *and* digested passwords then you have to calculate the password to
put in your tomcat-users.xml/database/etc differently. See
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
for details.

Mark





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Mark Thomas
zhongliang zhang wrote:
 Hi,Mark,
 I have to turn to you again.
 I encounter the problem with configuring the Digested-Password in the 
 JDBCRealm.
 The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as
 follows:
 <Realm className="org.apache.catalina.realm.JDBCRealm"
        driverName="com.mysql.jdbc.Driver"
        connectionURL="jdbc:mysql://localhost/test" connectionName="root"
        connectionPassword="root" userTable="users" userNameCol="user_name"
        userCredCol="user_pass" userRoleTable="user_roles"
        roleNameCol="role_name" />
 and in the $TOMCAT_HOME/conf/web.xml, I did the following security-constraint:
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>all</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>customized</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>DIGEST</auth-method>
   <realm-name>JDBCRealm</realm-name>
 </login-config>
 it works with the mysql database, which is just for testing. Now in my database
 table users, I insert a record:
 user_name:zhangzhongl
 user_pass:zhangzhongl
 and in the database table,I insert a record:
 role_name:customized
 username:zhangzhongl
 So,it works before I added the digest attribute to the Realm element with 
 value SHA or MD5.

OK, so far so good. DIGEST auth is working with cleartext passwords stored
in the database.

 After I added the digest attribute,
 I copied the tomcat-juli.jar from $TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then 
 start up,
Not sure why you needed to do this.

 after I entered the username zhangzhongl and clear-text password
 (Now,in the database,I stored the password with SHA encrypted form),
 it does now work,which means I can not enter the tomcat welcome page.

I assume you mean it doesn't work here. OK. The important thing is how you
generated the SHA encrypted password. To use DIGEST *and* digested
passwords you need to do:
java org.apache.catalina.realm.RealmBase -a {algorithm}
{username}:{realm}:{cleartext-password}

For your example, assuming a password of secret:
java org.apache.catalina.realm.RealmBase -a SHA1 zhangzhongl:JDBCRealm:secret

Note this should all be on the same line.

Full details at
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

HTH,

Mark
  
 I do not know what the reason is.
 Please do me a favor.
 thanks so much!  





RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread zhongliang zhang

Thanks very much for all your replies.

But I cannot make it work.

I store the password in HexUtils.convert(byte[]) method to store the password 
in my Oracle database.

And I configure the Tomcat JDBCRealm with the digest attribute.

And I do a test with MySQL database,for it is small and easy.

I store the MD5 password in the password field of users table.

for example, the user's password is password and the MD5 style password is
3c3b3206267dd4d2039822b76749380 (fake data).

Then, I entered my application, the dialog popped up, I entered the username and
password, but it does not work.

I do not know why.

can anybody help me?

An example app would be more helpful.

thanks for all your kind-hearted reply.




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread zhongliang zhang

Hi,

It still does not work.

Here is the trace:

I create the SHA1 password from the command prompt:

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA1 zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

So, I change the password of user zhangzhongl to
0743d07d727aae8864569cbcefb9ae788150e8b9, and add the digest attribute to the
JDBCRealm element with a value of SHA.

Start the cat, and enter http://localhost:8080/; the dialog pops up, and I enter
zhangzhongl & secret as the username & password. What made me feel upset is that I
cannot enter the welcome page.

I do not know what the reason is, and I tried to get some info from the logs, but
no logs provide any useful information on this.

If possible,could you do me a favor to send me a simple sample application for 
test and get this problem solved?

thank you so much!




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl


---
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---
- Original Message - 
From: Mark Thomas [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, November 04, 2007 8:24 PM
Subject: Re: [tomcat]How to decrypt the DIGEST authentication?



Mark Thomas wrote:

Johnny Kewl wrote:

I don't think you can do what you want to...
I don't think you can use web based DIGEST authentication.
And then hide passwords in a MD5 digest as well.


Yes you can.


I think web based DIGEST authentication, MUST get at the plain text
password.


No.


That process has to be repeated on the server, and SHA(Password) + plus
some random stuff NOT EQUAL to browser...
I think it has to be a plain text password... unless TC does something
unbelievable...


Not unbelievable. Just plain cold logic. The use of DIGEST auth and
digested passwords are 100% independent.


Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
auth *and* digested passwords then you have to calculate the password to
put in your tomcat-users.xml/database/etc differently. See
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
for details.


No Problem... I'm surprised it can even be done...
The digest spec has random vectors, so it means TC is using domain and
username as those.

--
If using digested passwords with DIGEST authentication, the cleartext used 
to generate the digest is different. In the examples above 
{cleartext-password} must be replaced with 
{username}:{realm}:{cleartext-password}. For example, in a development 
environment this might take the form testUser:localhost:8080:testPassword.

---
I was wrong... it can be done ;)








Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl


- Original Message - 
From: zhongliang zhang [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, November 05, 2007 5:28 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?




Hi,

It still does not work.

Here is the trace:

I create the SHA1 password from the command prompt:

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA1 zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

C:\tomcat>java org.apache.catalina.realm.RealmBase -a SHA zhangzhongl:JDBCRealm:secret
zhangzhongl:JDBCRealm:secret:0743d07d727aae8864569cbcefb9ae788150e8b9

So, I change the password of user zhangzhongl to
0743d07d727aae8864569cbcefb9ae788150e8b9, and add the digest attribute to the
JDBCRealm element with a value of SHA.


==
Hi Zhang,
As Mark pointed out it can be done.
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

But they want you to make the HASH like this

testUser:localhost:8080:testPassword

AND even though the Realm side is giving you a choice of HASH, I have a 
feeling that TC probably uses MD5 on the Security constraint side

I don't know where
<auth-method>DIGEST</auth-method>
actually lets one choose the HASH so I think it's MD5

So I THINK
MD5(zhangzhongl:localhost:8080:thePassword)
will make the right hash... maybe ;)
ie you must make the HASH of all that stuff together, not just the password.



Start the cat, and enter http://localhost:8080/; the dialog pops up, and I
enter zhangzhongl & secret as the username & password. What made me feel
upset is that I cannot enter the welcome page.


I do not know what the reason is, and I tried to get some info from the
logs, but no logs provide any useful information on this.


If possible,could you do me a favor to send me a simple sample application 
for test and get this problem solved?


thank you so much!









RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread zhongliang zhang

Thanks for your reply.
Now it works if I specify the algorithm with MD5, but it still does not work with SHA.
And I do not know what the middle field of zhangzhongl:JDBCRealm:secret
means, that is, the JDBCRealm. Is it an unchangeable part? I do not think so, for
the Tomcat docs give an example of localhost:8080, but when I changed it to
that, my app does not work.
And furthermore, the application has functions for modifying a password and
creating a new user, so I have to deal with the transport of these passwords, too. I
planned to use javascript to encrypt the password in these situations; is it a
way worth trying?
What about encrypting the password using javascript at the login page? Is it
safe? What I am afraid of is someone getting the
RequestURL, username and password (encrypted), and writing a form, then he can login
to my application. Is it possible for some bad guy to do this?
I know SSL communication is the best way, but the pity is that I am not
allowed to use it.
Thanks so much for helping me to solve this problem; it confused me for a couple
of days.
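Mark's `{username}:{realm}:{cleartext-password}` recipe earlier in the thread, Johnny's guess that the client side is fixed to MD5, and the "works with MD5 but not SHA" result in this message all follow from how RFC 2617 Digest is computed. The Python below is an added example, not code from the thread or from Tomcat; it models both sides of the exchange with constructed nonce values and the realm-name JDBCRealm from the posted web.xml, and shows why only an MD5 digest over the realm the server actually challenges with can verify a browser's response.

```python
"""Digest authentication with digested (non-cleartext) stored passwords.

Added example modelling the RFC 2617 exchange this thread is about.  The
browser never sends the password; it sends MD5(HA1:nonce:nc:cnonce:qop:HA2)
where HA1 = MD5(username:realm:password).  The server can verify that with
only HA1, which is what `RealmBase -a MD5 user:realm:password` prints, so the
database never needs the cleartext.  Digest itself is fixed to MD5 on the
client side, so a SHA-1 of the same string cannot serve as HA1.
"""
import hashlib
import secrets

REALM = "JDBCRealm"  # the <realm-name> from the thread's web.xml


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digested_password(username: str, realm: str, password: str,
                      algorithm: str = "md5") -> str:
    """Value stored in the user table instead of the cleartext.

    Digests the same input as the thread's command:
    java org.apache.catalina.realm.RealmBase -a {algorithm} user:realm:password
    With algorithm 'md5' this is exactly the Digest HA1 value.
    """
    h = hashlib.new(algorithm)
    h.update(f"{username}:{realm}:{password}".encode("utf-8"))
    return h.hexdigest()


def client_response(username: str, password: str, realm: str, nonce: str,
                    nc: str, cnonce: str, method: str, uri: str,
                    qop: str = "auth") -> str:
    """What the browser computes; the cleartext password stays on the client."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                  method: str, uri: str, response: str,
                  qop: str = "auth") -> bool:
    """Server-side check that needs only the stored digest, never the cleartext."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo() -> dict:
    """Walk through the cases the thread hit.  Nonce and cnonce are constructed
    sample values; a real server issues a fresh random nonce per challenge."""
    user, password = "zhangzhongl", "secret"  # credentials used in the thread
    nonce, cnonce, nc = "constructed-nonce-0001", "0a4f113b", "00000001"
    method, uri = "GET", "/"

    response = client_response(user, password, REALM, nonce, nc, cnonce, method, uri)

    md5_stored = digested_password(user, REALM, password, "md5")
    sha1_stored = digested_password(user, REALM, password, "sha1")
    other_realm = digested_password(user, "localhost:8080", password, "md5")
    wrong_pw = digested_password(user, REALM, "other", "md5")

    return {
        # digest="MD5" on the Realm: the stored value is HA1 and the login succeeds
        "md5_verifies": server_verify(md5_stored, nonce, nc, cnonce, method, uri, response),
        # digest="SHA": the stored value is not what the browser hashed into its response
        "sha1_verifies": server_verify(sha1_stored, nonce, nc, cnonce, method, uri, response),
        # the middle field must equal the realm the server challenged with (web.xml realm-name)
        "other_realm_verifies": server_verify(other_realm, nonce, nc, cnonce, method, uri, response),
        "wrong_password_verifies": server_verify(wrong_pw, nonce, nc, cnonce, method, uri, response),
        # a captured response does not verify against a later challenge's nonce
        "replay_verifies": server_verify(md5_stored, "constructed-nonce-0002", nc, cnonce,
                                         method, uri, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The last case is the answer to the javascript question in this message: the per-challenge nonce is what stops a captured Digest response from being re-submitted, although, as Johnny notes next, only SSL protects the rest of the traffic.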



Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-04 Thread Johnny Kewl


Just a note...

The way you are doing it makes it difficult for normal people to get into
the site, but a top class hacker will get into your site unless you use SSL.


The big advantage of using DIGEST as you have done is, yes, it makes normal
people PAY to get info, but the main thing is that often users will use the
same password they use to log on at work, ie their microsoft password, and
that's where DIGEST is very good.


So you're giving your site a little protection, but more important is that you're
stopping a hacker from getting into everything else that user does, like
their bank account.


If this application has critical information moving over the wire... what 
you are doing is no good :(


Have fun.





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-02 Thread Johnny Kewl



Zhong, haven't been following this, so shoot my wife if this is stupid...

I don't think you can do what you want to...
I don't think you can use web based DIGEST authentication.
And then hide passwords in a MD5 digest as well.

I think web based DIGEST authentication, MUST get at the plain text 
password.

If you change that to BASIC, THEN you can MD5 the plain text password.

DIGEST on the web is better though

This is not a Tomcat problem, it's just the way DIGEST works.
The browser takes the PASSWORD + Some Random stuff and gets a HASH from that.

That process has to be repeated on the server, and SHA(Password) + plus some 
random stuff NOT EQUAL to browser...
I think it has to be a plain text password... unless TC does something 
unbelievable...


Have to choose its just the way web security works ;(



- Original Message - 
From: zhongliang zhang [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, November 02, 2007 3:14 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?


Hi,Mark,
I have to turn to you again.
I encounter the problem with configuring the Digested-Password in the 
JDBCRealm.
The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as
follows:
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/test" connectionName="root"
       connectionPassword="root" userTable="users"
       userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />
and in the $TOMCAT_HOME/conf/web.xml, I did the following
security-constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customized</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
it works with the mysql database, which is just for testing. Now in my database
table users, I insert a record:

user_name:zhangzhongl
user_pass:zhangzhongl
and in the database table,I insert a record:
role_name:customized
username:zhangzhongl
So,it works before I added the digest attribute to the Realm element with 
value SHA or MD5.
After I added the digest attribute,I copied the tomcat-juli.jar from 
$TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then start up,
after I entered the username zhangzhongl and clear-text password(Now,in the 
database,I stored the password with SHA encrypted form),it does now 
work,which means I can not enter the tomcat welcome page.


I do not know what the reason is.
Please do me a favor.
thanks so much!  






Re: [tomcat]How to decrypt the DIGEST authentication?

2007-11-01 Thread Mark Thomas
zhongliang zhang wrote:
 Thanks a lot. I think I got another way to solve the group hierarchical
 problem, but I am not sure about it. Maybe you can help me to confirm it: I
 wrote the SQL as follows:
 create or replace view groupview as
 select usertable.username,
        decode(usertable.locked,0,'Authorizers','UnAuthorizers') as groupname
 from usertable
 where in the usertable there is a field named locked that
 indicates whether the user is locked. So now I can allow everyone in the
 database to login to the system if the user is Authorizers, and I judge the
 user's role. The reason I do so is because there are existing APIs for doing all
 these and there are more than a thousand users in the database, though the
 userid and groupid are never the same. Now I got another problem: the password
 stored in the database is encrypted, which is a common way, but the encrypting
 method is not using some sql script but SHA. So, how can I parse the clear-text
 that I input to a SHA password and then compare it with that stored
 in the database? Is there a way that I can capture the clear-text password
 and use SHA to encode it, then compare it with the password stored in the
 database?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

Mark




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-01 Thread zhongliang zhang
Thank you very much for all your replies.
I think because of the time-zone difference between us, while I am in China, we do not have
the same online time, so I replied late.
I will try that way to specify the digest element.
Thanks a lot.
I do not know whether that feature works well with Tomcat 5.5; if so, I can use
it, or I have to make sure that my system can migrate to Tomcat 6.0.
Thanks again for your kindness.

RE: [tomcat]How to decrypt the DIGEST authentication?

2007-11-01 Thread zhongliang zhang
Hi,Mark,
I have to turn to you again.
I encounter the problem with configuring the Digested-Password in the JDBCRealm.
The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as follows:
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/test" connectionName="root"
       connectionPassword="root" userTable="users" userNameCol="user_name"
       userCredCol="user_pass" userRoleTable="user_roles"
       roleNameCol="role_name" />
and in the $TOMCAT_HOME/conf/web.xml, I did the following security-constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customized</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
it works with the mysql database, which is just for testing. Now in my database table
users, I insert a record:
user_name:zhangzhongl
user_pass:zhangzhongl
and in the database table,I insert a record:
role_name:customized
username:zhangzhongl
So,it works before I added the digest attribute to the Realm element with 
value SHA or MD5.
After I added the digest attribute,I copied the tomcat-juli.jar from 
$TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then start up,
after I entered the username zhangzhongl and clear-text password(Now,in the 
database,I stored the password with SHA encrypted form),it does now work,which 
means I can not enter the tomcat welcome page.
 
I do not know what the reason is.
Please do me a favor.
thanks so much!  

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-31 Thread Mark Thomas
zhongliang zhang wrote:
 But the application allows creating new group,how do I solve this problem? 
  What problem? You need to say what the problem is if we are going to be 
 able to help.

web.xml doesn't support the dynamic addition of new groups. Further, the
Realm doesn't understand the concept of hierarchical groups.

 Only the members of group administrators have access to the administrative
 page, and other groups, like groupA, groupB, ... the members of which only
 have rights to login to the common page. So in the web.xml, I configure like
 the following:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/admin</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrators</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/common</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>??</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>JDBCRealm</realm-name>
  </login-config>
  
 How should I configure the ?? part? And furthermore, it has an inheritance
 relationship between groups: if the Administrators group contains groupA, then
 the members of groupA have the administrative privilege, too. That means a
 group's member can be either a group or a user. In the former situation, it
 does a tree-search to check whether a user belongs to the Administrators
 group; now, if I use a configuration file, how do I do this check?

There is, however, a way around this. It should be OK for small (few
thousand groups and users) but it might not scale very well. The SQL below
is non-optimal but it should give you the idea.

Use <role-name>Non-Administrators</role-name> for the common area.

You'll need to modify your server-side SQL some. Again, I don't have an
Oracle instance to test with so I am going from memory / Google. The syntax
may not be quite right. This assumes that your groupids are never the same
as your userids.

CREATE or REPLACE VIEW vAdminGroups AS
SELECT groupid
FROM grouptable
START WITH groupname='Administrators'
CONNECT BY PRIOR userid=groupid;

CREATE or REPLACE VIEW vAdminUsers AS
SELECT u.userid as userid, username, 'Administrators' as groupname
FROM usertable u, vAdminGroups g
WHERE u.userid = g.userid;

CREATE or REPLACE VIEW vNonAdminUsers AS
SELECT username, 'NonAdministrators' as groupname
FROM usertable
WHERE userid NOT IN (SELECT userid from vAdminUsers);

CREATE or REPLACE VIEW vUserRole AS
SELECT * FROM vAdminUsers
UNION
SELECT * FROM vNonAdminUsers;

Hope this helps.

Mark





RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-31 Thread zhongliang zhang
Thanks a lot. I think I got another way to solve the group hierarchical
problem, but I am not sure about it. Maybe you can help me to confirm it: I wrote
the SQL as follows:
create or replace view groupview as
select usertable.username,
       decode(usertable.locked,0,'Authorizers','UnAuthorizers') as groupname
from usertable
where in the usertable there is a field named locked that indicates
whether the user is locked. So now I can allow everyone in the database to
login to the system if the user is Authorizers, and I judge the user's role. The
reason I do so is because there are existing APIs for doing all these and there
are more than a thousand users in the database, though the userid and groupid
are never the same. Now I got another problem: the password stored in the database
is encrypted, which is a common way, but the encrypting method is not using some
sql script but SHA. So, how can I parse the clear-text that I input to a SHA
password and then compare it with that stored
in the database? Is there a way that I can capture the clear-text password
and use SHA to encode it, then compare it with the password stored in the
database?
 
thanks in advance!

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Lucas Galfaso
Hi,

  Digest authentication involves multiple MD5s including the username,
password, url, realm, random data... Believe me when I tell you that
there is no way that you will get the password from the digest (in
fact, it was designed this way so this is not feasible.)

  For your original question, you may want to check this
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

Regards,
  lg

On Oct 30, 2007 1:50 AM, zhongliang zhang [EMAIL PROTECTED] wrote:
 Hi,everyone,
 I got a problem with the DIGEST authentication.
 I configured my web.xml as follows:
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>app</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>poweruser</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>DIGEST</auth-method>
   <realm-name>app</realm-name>
 </login-config>
 So,if anybody try to access my app,he needs to input his username and 
 password,while the username and password are stored in the Oracle 
 database,not configured in the tomcat-users.xml file which located at 
 $tomcat_home/conf/ directory. I can not configure it in the tomcat-users.xml 
 for the app has an function of make a new user.

 Is there anyway to solve this problem?

 P.S. I tried to solve it by coding in my program, like adding the following
 code to set the response's status to ask for DIGEST authentication.
 ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 But I do not get a way to decrypt the DIGEST information.

 Any advice will be appreciated!
 thanks.



RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang

I checked the url that you supplied to me and especially the JDBCRealm part, for
I have stored the username and password in a relational database.
So, what I need to do is:
1. build the users table and the roles table.
2. configure the org.apache.catalina.realm.JDBCRealm
3. put the oracle jdbc driver at $tomcat.home/common/lib
4. configure the web.xml of my application as in the following fragment:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>poweruser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>app</realm-name>
</login-config>
(What does the realm-name element mean? The JDBCRealm that I just configured?)

then the username and password that the client inputs will be sent to the server
encrypted?
thanks in advance!
 

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
 I checked the URL that you supplied to me and especially the JDBCRealm 
 part, for I have stored the username and password in a relational database.
 So, what I need to do is:
 1. build the users table and the roles table.
 2. configure the org.apache.catalina.realm.JDBCRealm
 3. put the Oracle JDBC driver at $tomcat.home/common/lib
 4. configure the web.xml of my application as the following fragment:
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>app</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>poweruser</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>DIGEST</auth-method>
   <realm-name>app</realm-name>
 </login-config>
 (What does the realm-name element mean? The JDBCRealm that I just configured?)
It can be whatever you want it to be.

 then the username and password that client input will be sent to the server 
 encrypted?
Yes.

You haven't yet said what the problem is or what isn't working.

Mark





Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Roger Parkinson
Think about it the other way around. User types cleartext password,
tomcat's authentication digests it and then compares with what is on the
database. So when they change the password you need to capture the
password in cleartext, digest it yourself, then store it. You don't need
to decrypt it, you actually need to ENCRYPT (ie digest) it.

take a look at: http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
specifically:

If you are writing an application that needs to calculate digested
passwords dynamically, call the static Digest() method of the
org.apache.catalina.realm.RealmBase class, passing the cleartext
password and the digest algorithm name as arguments. This method will
return the digested password.

Roger

zhongliang zhang wrote:
 Hi, everyone,
 I got a problem with the DIGEST authentication.
 I configured my web.xml as follows:
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>app</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>poweruser</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>DIGEST</auth-method>
   <realm-name>app</realm-name>
 </login-config>
 So, if anybody tries to access my app, he needs to input his username and 
 password, while the username and password are stored in the Oracle 
 database, not configured in the tomcat-users.xml file which is located in the 
 $tomcat_home/conf/ directory. I cannot configure it in the tomcat-users.xml, 
 for the app has a function to make a new user.
  
 Is there any way to solve this problem?
  
 P.S. I tried to solve it by coding in my program, like adding the following 
 code to set the response's status to ask for DIGEST authentication.
 ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 But I do not get a way to decrypt the DIGEST information.
  
 Any advice will be appreciated!
 thanks.
   




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Christopher Schultz
Roger,

Roger Parkinson wrote:
 Think about it the other way around. User types cleartext password,
 tomcat's authentication digests it and then compares with what is on the
 database.

They're talking about HTTP Auth, not Realms and stuff like that. You are
talking about using a crypto digest of passwords in a database. HTTP
DIGEST is different from that:

http://en.wikipedia.org/wiki/Digest_access_authentication

Unfortunately, when using DIGEST authentication, the server either needs
to store the cleartext password or be very careful about retaining
special information that is relevant to DIGEST auth.

-chris

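How the server side of that exchange works without ever recovering the password, as an added example (not code from the thread, from Tomcat or from any of the posters): the server keeps only HA1 = MD5(username:realm:password), which is the "special information" Chris refers to, and recomputes the client's response from it. The RFC 2617 qop=auth formula is used; the header parser, the user "alice", the nonce and the realm "app" are constructed for the demo.

```python
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """MD5(username:realm:password): all the server has to keep for DIGEST auth.
    It is bound to the realm, so a value digested for realm "app" only works
    behind <realm-name>app</realm-name>."""
    return md5_hex(f"{username}:{realm}:{password}")


def parse_digest_header(header: str) -> dict:
    """Minimal parser for 'Digest k="v", k2=v2, ...' (assumes no escaped quotes)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def expected_response(stored_ha1: str, method: str, f: dict) -> str:
    """Recompute the 'response' the client must have produced from the same HA1."""
    ha2 = md5_hex(f"{method}:{f['uri']}")
    if f.get("qop") == "auth":
        return md5_hex(f"{stored_ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return md5_hex(f"{stored_ha1}:{f['nonce']}:{ha2}")  # RFC 2069 form (no qop)


def verify(stored_ha1: str, realm: str, issued_nonce: str, method: str, header: str) -> bool:
    """Server-side check. A realm or nonce we did not issue is rejected before any
    digest work; the final comparison is constant-time. Nothing is 'decrypted'."""
    try:
        f = parse_digest_header(header)
        if f.get("realm") != realm or f.get("nonce") != issued_nonce:
            return False
        return hmac.compare_digest(expected_response(stored_ha1, method, f), f["response"])
    except (KeyError, ValueError):
        return False


def client_header(username, realm, password, method, uri, nonce,
                  nc="00000001", cnonce="0a4f113b") -> str:
    """What a browser builds from the typed password (constructed for the demo)."""
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


if __name__ == "__main__":
    realm, nonce = "app", "constructed-nonce-0001"   # nonce: what our 401 challenge carried
    stored = ha1("alice", realm, "s3cret")            # the digested value kept in the password column
    good = client_header("alice", realm, "s3cret", "GET", "/admin/", nonce)
    bad = client_header("alice", realm, "guess", "GET", "/admin/", nonce)
    print(verify(stored, realm, nonce, "GET", good))  # True
    print(verify(stored, realm, nonce, "GET", bad))   # False
```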



RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
Thanks a lot for everyone's reply.
I use the JDBCRealm and I store the user information and role information in 
the database, such as Oracle.
Then in my application I set the security part in the web.xml, which has an 
auth-method of DIGEST.
So, the username and password that the user inputs in the remote client with a 
browser will be digested and sent to the server side.
Is that right?




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
 Thanks a lot for everyone's reply.
 I use the JDBCRealm and I store the user information and role information 
 in the database, such as Oracle.
 Then in my application I set the security part in the web.xml, which has an 
 auth-method of DIGEST.
 So, the username and password that the user inputs in the remote client with a 
 browser will be digested and sent to the server side.
 Is that right?

Yes.

Mark




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
 In the database (Oracle), the tables I use are usertable and grouptable; the 
 association table between them is groupmembertable:
 usertable has columns userid, username and password
 grouptable has columns groupid, groupname
 groupmembertable has columns groupid, userid

 How do I configure the JDBCRealm in the server.xml of Tomcat?
 What should be put in userRoleTable and roleNameCol in this situation?

First off, you'll need to create a view as the JDBCRealm requires the
user role table to contain names, not IDs. Something like (I don't
have an Oracle instance to check my syntax)

CREATE OR REPLACE VIEW vUserRole AS
SELECT u.username, g.groupname
FROM usertable u, grouptable g, groupmembertable m
WHERE u.userid = m.userid AND g.groupid = m.groupid;

Then your realm would be:
<Realm ...
       roleNameCol="groupname"
       userCredCol="password"
       userNameCol="username"
       userRoleTable="vUserRole"
       userTable="usertable"
/>

 And if I want all the users, regardless of their group, to be able to log in to my 
 application, what should I set in the web.xml in the following 
 element: <role-name>admin</role-name>
 Set to "*"?

No. The special role "*" means all roles defined in your application,
not all authenticated users. You'll have to create an "all users" group,
assign it to every user and then use that in your web.xml.

Mark




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
Thanks a lot for your assurance.
I have got another question to ask you.
In the database (Oracle), the tables I use are usertable and grouptable; the 
association table between them is groupmembertable:
usertable has columns userid, username and password
grouptable has columns groupid, groupname
groupmembertable has columns groupid, userid
How do I configure the JDBCRealm in the server.xml of Tomcat?
<Realm
       userTable="users" userNameCol="user_name"
       userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
What should be put in userRoleTable and roleNameCol in this situation?
And if I want all the users, regardless of their group, to be able to log in to my 
application, what should I set in the web.xml in the following 
element: <role-name>admin</role-name>
Set to "*"?
 
Thanks in advance for your kindness!




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
Thanks a lot.
In fact, I want just the users of one group, named Administrators, to be able to access the 
administrative page, which can do some privileged operations. The common users can 
access the common user page; they have limited privileged operations.
So, should I configure a number of security-constraint elements in my web.xml? 
But the application allows creating new groups; how do I solve this problem? In 
the former situation, I had a login form and a filter to do this; now, I think I 
do not need a login form. Does the filter still work for the role check? Or 
is there any mechanism that just needs configuration, not coding?
Thanks a lot for your patience!




Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Christopher Schultz
Mark,

Mark Thomas wrote:
 The special role "*" means all roles defined in your application,
 not all authenticated users. You'll have to create an "all users" group,
 assign it to every user and then use that in your web.xml

I think it is more precise to say that "*" means any role defined in your
application, not just any authenticated user. The "*" must match
/something/ -- it cannot match /nothing/.

-chris




RE: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread zhongliang zhang
 But the application allows creating new groups; how do I solve this problem?
 What problem? You need to say what the problem is if we are going to be able 
 to help.
Only the members of the group Administrators have access to the administrative 
page, and other groups, like groupA, groupB, ... the members of which only have 
rights to log in to the common page. So in the web.xml, I configure like the 
following:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/admin</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrators</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/common</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>??</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>
 
How should I configure the ?? part? And furthermore, there is an inheritance 
relationship between groups: if the Administrators group contains groupA, then 
the members of groupA have the administrative privilege, too. That means a 
group's member can be either a group or a user. In the former situation, it did 
a tree search to check whether a user belongs to the Administrators 
group; now, if I use a configuration file, how do I do this check?
 
Thanks a lot. Your advice has already given me very good instructions.

Re: [tomcat]How to decrypt the DIGEST authentication?

2007-10-30 Thread Mark Thomas
zhongliang zhang wrote:
 Thanks a lot.
 In fact, I want just the users of one group, named Administrators, to be able to access 
 the administrative page, which can do some privileged operations. The common 
 users can access the common user page; they have limited privileged 
 operations.
 So, should I configure a number of security-constraint elements in my 
 web.xml?

Yes.

 But the application allows creating new group,how do I solve this problem?

What problem? You need to say what the problem is if we are going to be
able to help.

 In the former situation, I had a login form and a filter to do this; now, I 
 think I do not need a login form,

It isn't clear to what form situation you are referring. If you use DIGEST
authentication you do not need a login form.

 does the filter still work for the role check? Or is there any
 mechanism that just needs configuration, not coding?

Neither do you need a filter. Tomcat will do all this for you with a
correctly configured web.xml

Mark




[tomcat]How to decrypt the DIGEST authentication?

2007-10-29 Thread zhongliang zhang
Hi, everyone,
I got a problem with the DIGEST authentication.
I configured my web.xml as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>poweruser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>app</realm-name>
</login-config>
So, if anybody tries to access my app, he needs to input his username and 
password, while the username and password are stored in the Oracle database, not 
configured in the tomcat-users.xml file which is located in the $tomcat_home/conf/ 
directory. I cannot configure it in the tomcat-users.xml, for the app has a 
function to make a new user.
 
Is there any way to solve this problem?
 
P.S. I tried to solve it by coding in my program, like adding the following code 
to set the response's status to ask for DIGEST authentication.
((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
But I do not get a way to decrypt the DIGEST information.
 
Any advice will be appreciated!
thanks.