Re: Valid values for digestEncoding attribute?

2011-01-28 Thread Pid
On 1/27/11 11:01 AM, Ing. Etienne V. Depasquale wrote:
> I beg pardon...I should have included the following extract from my
> context.xml file (with placeholders for database, user and password):
>
> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>   driverName="org.gjt.mm.mysql.Driver"

Are you really using such an old driver - I've got an internet
archaeologist friend who'll want to look at this...

What version of Tomcat/JVM do you have?

> connectionURL="jdbc:mysql://localhost:3306/databasename?user=username&amp;password=userpassword"
> userTable="users" userNameCol="id" userCredCol="passwd"
> userRoleTable="userroles" roleNameCol="role" digest="MD5"
> digestEncoding="base64" />
>
> base64 is being rejected as a value for the digestEncoding attribute.

That's not a valid value.  The encoding, if I read the source correctly,
should be UTF-8 or ISO-8859-1 or something similar.


p

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 





RE: Valid values for digestEncoding attribute?

2011-01-28 Thread Ing. Etienne V. Depasquale
Hello Pid :)

Time is relative to environment I guess...so how old is old for you? I
downloaded the jar file from MySQL's site about the middle of 2010 and the
jar file structures the class under org/gjt/mm/mysql.

As regards the encoding - right you are and wrong it is. I was misled by a
posting on stackoverflow.com.

The real problem lies in the fact that Tomcat does not specify any digest
algorithm in the www-authenticate header of HTTP/1.1, which leads the
browser to digest the password using MD5, regardless of the value of the
digest attribute in the Realm tag.

Cheers,

Etienne





RE: Valid values for digestEncoding attribute?

2011-01-28 Thread Ing. Etienne V. Depasquale
Yes, I am using DIGEST authentication.

But what about the www-authenticate HTTP/1.1 header that Tomcat sends over
to the browser? Is it ignored by any browser, simply defaulting to MD5?

Cheers,

Etienne




Re: Valid values for digestEncoding attribute?

2011-01-28 Thread Christopher Schultz

Etienne,

On 1/28/2011 7:59 AM, Ing. Etienne V. Depasquale wrote:
> Yes, I am using DIGEST authentication.
>
> But what about the www-authenticate HTTP/1.1 header that Tomcat sends over
> to the browser? Is it ignored by any browser, simply defaulting to MD5?

I'm sorry, I misspoke. You're right: there is a way for the server to
tell the client what kind of digest algorithm to use, but there is no
/negotiation/: the server can't give the client a choice, and the client
can't tell the server what algorithm it chose.

The spec only defines MD5 as the default (and only choice for) algorithm
so web browsers have only implemented MD5.

If you can demonstrate that a web browser will use SHA-1 (which is, by
the way, also a useless algorithm like MD5 these days), I'd be very
happy to see it. I'm guessing that Firefox and Google Chrome are the
only candidates for that kind of thing.

-chris



Re: [OT] Valid values for digestEncoding attribute?

2011-01-28 Thread Christopher Schultz

Pid,

On 1/28/2011 3:39 AM, Pid wrote:
> On 1/27/11 11:01 AM, Ing. Etienne V. Depasquale wrote:
>> I beg pardon...I should have included the following extract from my
>> context.xml file (with placeholders for database, user and password):
>>
>> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>>   driverName="org.gjt.mm.mysql.Driver"
>
> Are you really using such an old driver - I've got an internet
> archaeologist friend who'll want to look at this...

FWIW, that class name is still valid, even on recent versions of the
driver library.

> That's not a valid value.  The encoding, if I read the source correctly,
> should be UTF-8 or ISO-8859-1 or something similar.

+1

-chris



Re: Valid values for digestEncoding attribute?

2011-01-28 Thread Christopher Schultz

Etienne,

On 1/28/2011 7:55 AM, Ing. Etienne V. Depasquale wrote:
> The real problem lies in the fact that Tomcat does not specify any digest
> algorithm in the www-authenticate header of HTTP/1.1, which leads the
> browser to digest the password using MD5, regardless of the value of the
> digest attribute in the Realm tag.

You should definitely log a bug in bugzilla for that: Tomcat should be
sending the digest algorithm to the client for DIGEST authentication.

Be sure you use a protocol analyzer to ensure that the WWW-Authenticate
header doesn't contain the digest. Otherwise, you'll waste your time
filing the bug only to have it marked as INVALID.

Also, always test with the most recent version in your version line (you
didn't say which you were using). Current versions are Tomcat 7.0.6,
6.0.30, and 5.5.31:

http://tomcat.apache.org/whichversion.html

-chris
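
The header check suggested in the message above, together with the MD5-only behaviour discussed in this thread, as an added example (not part of any poster's message and not Tomcat's code): it parses a WWW-Authenticate challenge, applies the RFC 2617 default of MD5 when no algorithm directive is present, and tests which stored credential formats can match an MD5-only browser's response. The challenge and credentials are the sample values from RFC 2617 section 3.5; all function names are hypothetical, and `server_accepts` models the RFC computation rather than Tomcat's implementation.

```python
import base64
import hashlib
import hmac
import re

# Sample values are the worked example from RFC 2617 section 3.5, not traffic
# from the thread. Note that the challenge carries no algorithm directive.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
USER, PASSWORD = "Mufasa", "Circle Of Life"
METHOD, URI, CNONCE, NC = "GET", "/dir/index.html", "0a4f113b", "00000001"


def parse_challenge(value):
    """Split a Digest WWW-Authenticate value into its directives."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
    params = {k.lower(): (q or b) for k, q, b in found}
    # RFC 2617: an absent algorithm directive means MD5.
    params.setdefault("algorithm", "MD5")
    return params


def stored_credential(user, realm, password, digest="md5",
                      charset="utf-8", out="hex"):
    """Value for the credential column: H(user:realm:password).

    charset plays the role the thread assigns to digestEncoding: it selects
    how the string becomes bytes before hashing, not how the hash is printed.
    """
    raw = hashlib.new(digest, f"{user}:{realm}:{password}".encode(charset)).digest()
    return raw.hex() if out == "hex" else base64.b64encode(raw).decode("ascii")


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(ch, user, password):
    """What an MD5-only browser sends back for qop=auth."""
    ha1 = _md5(f"{user}:{ch['realm']}:{password}")
    ha2 = _md5(f"{METHOD}:{URI}")
    return _md5(f"{ha1}:{ch['nonce']}:{NC}:{CNONCE}:auth:{ha2}")


def server_accepts(stored, ch, response):
    """Model of the server check: rebuild the response from the stored value."""
    ha2 = _md5(f"{METHOD}:{URI}")
    expected = _md5(f"{stored}:{ch['nonce']}:{NC}:{CNONCE}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


def compare_storage_formats():
    """Try the three storage formats from the thread against one response."""
    ch = parse_challenge(CHALLENGE)
    response = client_response(ch, USER, PASSWORD)
    formats = {"MD5 hex": ("md5", "hex"), "SHA-1 hex": ("sha1", "hex"),
               "SHA-1 base64": ("sha1", "base64")}
    return {name: server_accepts(
                stored_credential(USER, ch["realm"], PASSWORD, d, out=o), ch, response)
            for name, (d, o) in formats.items()}


if __name__ == "__main__":
    print(parse_challenge(CHALLENGE)["algorithm"])
    print(compare_storage_formats())
```

Only the hex MD5 form of user:realm:password is accepted; both SHA-1 forms fail silently, which matches the behaviour reported earlier in the thread.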



Valid values for digestEncoding attribute?

2011-01-27 Thread Ing. Etienne V. Depasquale
Good day,

I am unable to identify valid values for the digestEncoding attribute to use
with the Realm tag of my app's context.xml file.

I've inspected RealmBase.java and JDBCRealm.java, apart from some googling,
without finding anything suitable.

Can anyone suggest a suitable reference?

Cheers,

Etienne

 



Re: Valid values for digestEncoding attribute?

2011-01-27 Thread Konstantin Kolinko
2011/1/27 Ing. Etienne V. Depasquale <ed...@ieee.org>:
> Good day,
>
> I am unable to identify valid values for the digestEncoding attribute to use
> with the Realm tag of my app's context.xml file.
>
> I've inspected RealmBase.java and JDBCRealm.java, apart from some googling,
> without finding anything suitable.

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/realm/RealmBase.html
says it is "The encoding charset for the digest." -- note the "charset" word

So ISO-8859-1 might be good?
If not set (null) it defaults to the platform default charset.




Valid values for digestEncoding attribute?

2011-01-27 Thread Ing. Etienne V. Depasquale
I beg pardon...I should have included the following extract from my
context.xml file (with placeholders for database, user and password):

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://localhost:3306/databasename?user=username&amp;password=userpassword"
  userTable="users" userNameCol="id" userCredCol="passwd"
  userRoleTable="userroles" roleNameCol="role" digest="MD5"
  digestEncoding="base64" />


base64 is being rejected as a value for the digestEncoding attribute.


Cheers,

Etienne





RE: Valid values for digestEncoding attribute?

2011-01-27 Thread Ing. Etienne V. Depasquale
Thank-you Konstantin...I think I was misled by some postings I read while
searching, that referred to specifying either hex or base64 in the realm
configuration.

This time, I left out the digestEncoding attribute altogether, reducing the
Realm tag in context.xml to the following:

<Realm
  className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://localhost:3306/databasename?user=username&amp;password=userpassword"
  userTable="users"
  userNameCol="id"
  userCredCol="passwd"
  userRoleTable="userroles"
  roleNameCol="role"
  digest="MD5"/>

The purpose underlying the question was to authenticate against my MySQL
database. I was failing under the following conditions:

Password digested at browser using SHA-1
Password stored in table as base64-encoded SHA-1 digest


I succeeded under the following conditions:

Password digested at browser using MD5
Password stored in table as MD5 digest without encoding


Now I just need to find out which of the modifications fixed my fault.


Cheers,

Etienne





RE: Valid values for digestEncoding attribute?

2011-01-27 Thread Ing. Etienne V. Depasquale
The problem lies in the use of digest=SHA-1 in the Realm configuration. I
modified the stored password by hashing it using SHA-1 as well as modifying
the attribute, but authentication fails.

Summarising:

I have the following configuration:
<Realm
  className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://localhost:3306/databasename?user=username&amp;password=userpassword"
  userTable="users"
  userNameCol="id"
  userCredCol="passwd"
  userRoleTable="userroles"
  roleNameCol="role"
  digest="SHA-1"/>



and the SHA-1 hash of user name:realm name:password stored in my
users table


...but I don't have authentication.


According to
http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest,

SHA-1 is a valid algorithm name, so I'm having some trouble spotting the
fault here.

It seems to be the encoding of the password as stored in the database as
Tomcat isn't throwing any exceptions or logging anything.


Cheers,


Etienne







RE: Valid values for digestEncoding attribute?

2011-01-27 Thread Ing. Etienne V. Depasquale
It seems that this issue was addressed in past questions to the list:

http://mail-archives.apache.org/mod_mbox/tomcat-users/200503.mbox/%3C4241A94d.5040...@cox.net%3E

Sure enough, when I reversed the saved password back to the MD5 hash, Tomcat
authenticated my login, regardless of the SHA-1 attribute set in my Realm
tag's digest attribute.

Is this one application for programmatic authenticators as opposed to the
default that ships with Tomcat?


Cheers,

Etienne





Re: Valid values for digestEncoding attribute?

2011-01-27 Thread Christopher Schultz

Etienne,

> Sure enough, when I reversed the saved password back to the MD5 hash, Tomcat
> authenticated my login, regardless of the SHA-1 attribute set in my Realm
> tag's digest attribute.

Are you using DIGEST authentication? If so, all current web browsers
only implement MD5 as the digest algorithm, since HTTP-AUTH-DIGEST
doesn't provide any algorithm negotiation between the client and server.
If you have a custom client, you may be able to use a different digest
algorithm.

> Is this one application for programmatic authenticators as opposed to the
> default that ships with Tomcat?

Not likely: Tomcat is configurable while most clients are not.

-chris