And IE5 and Mozilla6 are supposed to support digest authentication, so you might only need to implement something as a fallback (or, if it is an intranet/extranet project, specify only those browsers).
Reading the RFC (RFC 2617) on digest authentication is a good idea if you are thinking of rolling your own.
 
HTH
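For readers who take up the suggestion to read RFC 2617, the following is an added illustration (not code from this thread or from Tomcat) of how the RFC's `response` value is computed for `qop=auth`, checked against the worked example in RFC 2617 section 3.5 (user `Mufasa`, realm `testrealm@host.com`, password `Circle Of Life`). The class and method names are hypothetical; the server-side `verify` method shows the RFC section 4.13 option of storing only `H(A1)` rather than the clear-text password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example of the RFC 2617 digest computation; hypothetical names. */
public class Rfc2617Digest {

    /** Lowercase hex MD5 of a string (RFC 2617 values are all ASCII here). */
    static String md5Hex(String s) {
        try {
            byte[] out = MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(out.length * 2);
            for (byte b : out) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** H(A1) = MD5(username ":" realm ":" password). This is all the server needs to keep. */
    public static String ha1(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /**
     * response = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))
     * with H(A2) = MD5(method ":" uri). When qop is absent the older RFC 2069
     * form MD5(H(A1) ":" nonce ":" H(A2)) applies.
     */
    public static String response(String ha1, String method, String uri, String nonce,
                                  String nc, String cnonce, String qop) {
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) {
            return md5Hex(ha1 + ":" + nonce + ":" + ha2);
        }
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /**
     * Server side: recompute from the stored H(A1) and the request parameters
     * and compare in constant time. The server must also check that the nonce
     * is one it issued and has not already been used with this nc value.
     */
    public static boolean verify(String storedHa1, String method, String uri, String nonce,
                                 String nc, String cnonce, String qop, String clientResponse) {
        String expected = response(storedHa1, method, uri, nonce, nc, cnonce, qop);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     clientResponse.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Values from the RFC 2617 section 3.5 example.
        String ha1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life");
        String resp = response(ha1, "GET", "/dir/index.html",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth");
        System.out.println("computed response: " + resp);
        System.out.println("matches RFC value: "
                + "6629fae49393a05397450978507c4ef1".equals(resp));
        System.out.println("server verify: " + verify(ha1, "GET", "/dir/index.html",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth", resp));
    }
}
```

The point of carrying `H(A1)` rather than the password is that a database compromise then yields a realm-bound digest rather than the clear-text password; it still lets the attacker authenticate to that realm, so it is a containment measure, not a substitute for transport security. Nonce tracking (issued by this server, not expired, `nc` strictly increasing) is what turns the scheme from a password-hiding trick into real replay resistance.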
-----Original Message-----
From: Brett Bergquist [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 24, 2001 7:13 PM
To: [EMAIL PROTECTED]
Subject: RE: Secure MessageDigest Login using JSP

Ryan, I did something like this in my current project.  The currently supported authentication forms do not support this, but I needed it.  Since my application UI is Java Applet based, I was able to use the message digest APIs in Java 2 to do this.  What I did is this:
  • Modified all of my pages that I need to protect to see if the user is logged in and if not, forward the request to a Login JSP page, keeping track of the original request destination.
  • Created a Login JSP page which contained a Login applet.  The Login applet provides an area for the user to enter the username and password.  I use this along with the session ID for the session and compute the digest hash.  The digest hash, username, and session ID are passed to a Login servlet using HTTP POST.
  • Created a Login servlet which receives a digest hash, username, and session ID in its POST handler.  The session ID is validated against the current session.  The username is used to look up the user authentication information in a database and retrieve the user's password.  I then compute the digest hash using the supplied username, session ID and the password looked up.  If this hash is the same as the one passed in the POST message, then the user is authenticated and logged in and redirected to the original request destination.
I probably could have implemented an Interceptor or such to do this, but I was fairly new to Tomcat and this seemed the easiest way and as a side benefit it is not Tomcat specific.  The only real downside is having to protect each page individually.
 
If you are not using an applet on the client side, you could still compute an MD5 hash in JavaScript and do something similar.
 
Hope this helps
 
Brett
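The three-step scheme Brett describes (client digests username, session ID and password; servlet validates the session ID, looks up the password and recomputes) is shown below as an added, self-contained example. It is not Brett's code: the class, the `USER_DB` map standing in for the user database, the session ID and the credentials are all constructed for illustration, and the servlet API is left out so that the verification logic runs on its own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** Added illustration of the session-bound digest login; hypothetical names. */
public class SessionDigestLogin {

    // Constructed stand-in for the user table: username -> password.
    // Because the servlet recomputes the digest from the password, the
    // password must be stored in recoverable form (a salted one-way hash
    // cannot be used here); that is the main cost of this design.
    private static final Map<String, String> USER_DB = new HashMap<>();
    static {
        USER_DB.put("alice", "correct horse battery staple");
    }

    /** Hex MD5 over username, session ID and password; run on the client (applet or JavaScript). */
    public static String digest(String username, String sessionId, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            // A separator keeps ("ab","c") and ("a","bc") from producing the same input.
            String material = username + ":" + sessionId + ":" + password;
            byte[] out = md.digest(material.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(out.length * 2);
            for (byte b : out) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Constant-time string comparison so the compare does not leak a prefix match. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * The login servlet's POST handler, without the servlet plumbing.
     * currentSessionId is the session the request actually arrived on (the
     * container's view); postedSessionId and postedDigest came from the form.
     */
    public static boolean verifyLogin(String currentSessionId, String username,
                                      String postedSessionId, String postedDigest) {
        // 1. The posted session ID must match the live session, so a digest
        //    captured in one session is useless in another.
        if (!constantTimeEquals(currentSessionId, postedSessionId)) return false;
        // 2. Look up the password. A missing user is treated like a bad password.
        String password = USER_DB.getOrDefault(username, "");
        // 3. Recompute and compare.
        String expected = digest(username, currentSessionId, password);
        return constantTimeEquals(expected, postedDigest);
    }

    public static void main(String[] args) {
        String sessionId = "SESSION-1234";   // constructed; the container would issue this
        String posted = digest("alice", sessionId, "correct horse battery staple"); // client side
        System.out.println("good login:               " + verifyLogin(sessionId, "alice", sessionId, posted));
        System.out.println("replayed in other session: " + verifyLogin("SESSION-9999", "alice", sessionId, posted));
        System.out.println("wrong password:           " + verifyLogin(sessionId, "alice", sessionId, digest("alice", sessionId, "wrong")));
    }
}
```

Two properties of this design are worth keeping in view. The session ID acts as the nonce, so the protection against replay is only as good as the session ID's unpredictability and lifetime; and once the user is logged in, the session cookie itself becomes the credential and travels in the clear unless the site is served over TLS, so the digest protects the password on the wire but not the session.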
-----Original Message-----
From: Ryan [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 23, 2001 7:57 PM
To: [EMAIL PROTECTED]
Subject: Secure MessageDigest Login using JSP

Hello,
 
    I want to be able to use the MessageDigest class to make a secure login to a jsp page.
 
    Ultimately, I want the user to interact with a form and submit data entries into a mySQL database. This type of thing is very new to me and I was wondering if anyone could lead me to any good resources.
 
thanx
-ryan
