-----Original Message-----
From: Koes, Derrick
Sent: Tuesday, November 05, 2002 6:43 PM
To: 'Tomcat Users List'
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>
I think what is really happening is that the realm is handling the digesting to do the password "match". Setting auth-method to DIGEST probably tries to handle encryption up front, not delaying it until (plain text until then) the realm code. What encryption algorithm is used if you select <auth-method> DIGEST? What if all your passwords are SHA-1?

Derrick

-----Original Message-----
From: Frank Balluffi [mailto:frank.balluffi@;db.com]
Sent: Tuesday, November 05, 2002 6:25 PM
To: Tomcat Users List
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>

Jake,

Because tomcat-users.xml only contains the digested password (it does not contain the string "password") and I am able to authenticate by entering the password "password" into IE's dialog box, I assume that the digested password is being sent. What surprised me was that web.xml's auth-method needed to be set to BASIC, not DIGEST. That said, I do not see much advantage in using digest authentication over basic authentication.

Frank

Jacob Kjome <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
11/05/2002 04:18 PM
Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>
Please respond to "Tomcat Users List"

Am I missing something? If you use BASIC auth, wouldn't your password now be completely plain text... or are you sending your MD5 hashed password instead of "password"? I guess if that is the case then your password would be safe, but who can remember a password such as "5f4dcc3b5aa765d61d8327deb882cf99"? There's got to be a better way to set things up than that.

Jake

At 03:25 PM 11/5/2002 -0500, you wrote:
>Derrick,
>
>You are correct. Is this a bug or is this the way it is supposed to work?
>Thanks!
>
>Frank
>
>"Koes, Derrick" <Derrick.Koes@smith-nephew.com>
>To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
>cc:
>Subject: RE: digest authentication or <auth-method>DIGEST</auth-method>
>11/05/2002 01:29 PM
>Please respond to "Tomcat Users List"
>
>Leave the <auth-method> in the web.xml as BASIC.
>
>-----Original Message-----
>From: Frank Balluffi [mailto:frank.balluffi@;db.com]
>Sent: Monday, November 04, 2002 6:01 PM
>To: [EMAIL PROTECTED]
>Subject: digest authentication or <auth-method>DIGEST</auth-method>
>
>I am able to successfully configure Tomcat 4.1.12 to use basic
>authentication and access a servlet from IE 5.5. conf/server.xml contains:
>
>  <Realm className = "org.apache.catalina.realm.MemoryRealm"
>         pathname = "conf/tomcat-users.xml" />
>
>conf/tomcat-users.xml contains:
>
>  <role rolename="myapp"/>
>  <user username="frank" password="password" roles="myapp"/>
>
>myapp/WEB-INF/web.xml contains:
>
><web-app>
>  <display-name>My Application</display-name>
>  <description>My Application</description>
>  <servlet-mapping>
>    <servlet-name>invoker</servlet-name>
>    <url-pattern>/servlet/*</url-pattern>
>  </servlet-mapping>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>My Application</web-resource-name>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>myapp</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>My Application</realm-name>
>  </login-config>
>  <security-role>
>    <role-name>myapp</role-name>
>  </security-role>
></web-app>
>
>When IE prompts me for the user name and password, I enter "frank" and
>"password" and the servlet successfully runs.
>
>When I attempt to configure Tomcat to use digest authentication (and restart
>Tomcat), weird things happen.
>conf/server.xml contains:
>
>  <Realm className = "org.apache.catalina.realm.MemoryRealm"
>         digest = "MD5"
>         pathname = "conf/tomcat-users.xml" />
>
>conf/tomcat-users.xml contains:
>
>  <role rolename="myapp"/>
>  <user username="frank" password="5f4dcc3b5aa765d61d8327deb882cf99"
>        roles="myapp"/>
>
>I used the following command to MD5 digest the password "password" [without
>the double quotes]:
>
>C:\jakarta-tomcat-4.1.12\server\lib>java org.apache.catalina.realm.RealmBase -a MD5 password
>password:5f4dcc3b5aa765d61d8327deb882cf99
>
>myapp/WEB-INF/web.xml contains:
>
><web-app>
>  <display-name>My Application</display-name>
>  <description>My Application</description>
>  <servlet-mapping>
>    <servlet-name>invoker</servlet-name>
>    <url-pattern>/servlet/*</url-pattern>
>  </servlet-mapping>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>My Application</web-resource-name>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>myapp</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>DIGEST</auth-method>
>
>    <!-- The memory realm defined in /conf/server.xml contains
>         no name. Does the realm-name value refer to some other
>         configuration value? -->
>
>    <realm-name>My Application</realm-name>
>  </login-config>
>  <security-role>
>    <role-name>myapp</role-name>
>  </security-role>
></web-app>
>
>If I enter the user name and password "frank" and "password" into IE,
>authentication fails. But if I enter "frank" and
>"5f4dcc3b5aa765d61d8327deb882cf99", authentication succeeds. I expected
>"frank" and "password" to work.
>
>The log file for myapp shows the following:
>
>2002-11-04 17:51:40 WebappLoader[/myapp]: Deploying class repositories to work directory C:\jakarta-tomcat-4.1.12\work\Standalone\localhost\myapp
>2002-11-04 17:51:40 WebappLoader[/myapp]: Deploy class files /WEB-INF/classes to C:\jakarta-tomcat-4.1.12\bin\..\webapps\myapp\WEB-INF\classes
>2002-11-04 17:51:40 WebappLoader[/myapp]: Reloading checks are enabled for this Context
>2002-11-04 17:51:41 ContextConfig[/myapp]: Configured an authenticator for method DIGEST
>2002-11-04 17:51:41 StandardManager[/myapp]: Seeding random number generator class java.security.SecureRandom
>2002-11-04 17:51:41 StandardManager[/myapp]: Seeding of random number generator has been completed
>2002-11-04 17:51:41 StandardWrapper[/myapp:default]: Loading container servlet default
>2002-11-04 17:51:41 StandardWrapper[/myapp:invoker]: Loading container servlet invoker
>
>Am I doing something wrong? Do I not understand digest authentication? Any
>ideas? Thanks.
>
>Frank
>
>--
>This e-mail may contain confidential and/or privileged information. If you
>are not the intended recipient (or have received this e-mail in error)
>please notify the sender immediately and destroy this e-mail. Any
>unauthorized copying, disclosure or distribution of the material in this
>e-mail is strictly forbidden.
>
>--
>To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
>For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
>
>This electronic transmission is strictly confidential to Smith & Nephew and
>intended solely for the addressee. It may contain information which is
>covered by legal, professional or other privilege. If you are not the
>intended addressee, or someone authorized by the intended addressee to
>receive transmissions on behalf of the addressee, you must not retain,
>disclose in any form, copy or take any action in reliance on this
>transmission.
>If you have received this transmission in error, please notify the sender
>as soon as possible and destroy this message.
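The thread's observation (with a digest="MD5" MemoryRealm, BASIC works with "password", DIGEST only works when the hex digest itself is typed) follows from how HTTP Digest (RFC 2617) builds its response. The script below is an added illustration, not code from the thread or from Tomcat; it assumes, as a labelled assumption about Tomcat 4.1.x behaviour, that a realm holding only the stored digest plugs that digest in where the password belongs when it rebuilds HA1, and it also shows the RFC's alternative of storing HA1 = MD5(user:realm:password) directly, which goes beyond what the thread states. The nonce, cnonce and URI are constructed sample values.

```python
import hashlib

# Constructed sample data mirroring the thread: the MemoryRealm stores MD5("password").
USERNAME = "frank"
REALM = "My Application"                         # web.xml <realm-name>, echoed by the browser
STORED = hashlib.md5(b"password").hexdigest()    # 5f4dcc3b5aa765d61d8327deb882cf99


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_auth_ok(typed_password: str, stored: str = STORED) -> bool:
    """BASIC: the browser sends the password itself (base64-encoded, not hashed);
    a digest-enabled realm hashes it and compares with the stored value."""
    return md5_hex(typed_password) == stored


def response_from_ha1(ha1: str, method: str, uri: str,
                      nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def browser_response(user: str, realm: str, typed_password: str, *params) -> str:
    """What the browser computes from the dialog box: HA1 = MD5(user:realm:typed password)."""
    return response_from_ha1(md5_hex(f"{user}:{realm}:{typed_password}"), *params)


def demo() -> dict:
    # Constructed request parameters: method, uri, server nonce, nonce count, client nonce.
    params = ("GET", "/myapp/servlet/Hello", "c0ffee1234", "00000001", "0a4f113b")

    def realm_accepts(response: str, secret: str) -> bool:
        # Assumption (Tomcat 4.1.x): a realm that only holds the stored string rebuilds
        # HA1 as MD5(user:realm:stored), i.e. it treats the stored digest as the password.
        return response_from_ha1(md5_hex(f"{USERNAME}:{REALM}:{secret}"), *params) == response

    ha1_for_password = md5_hex(f"{USERNAME}:{REALM}:password")
    return {
        # BASIC with plaintext "password": the realm hashes it and it matches.
        "basic_typed_password": basic_auth_ok("password"),
        # DIGEST with "password": the two HA1 values differ, so it fails (as Frank saw).
        "digest_typed_password": realm_accepts(browser_response(USERNAME, REALM, "password", *params), STORED),
        # DIGEST with the hex digest typed as the password: HA1 values match (as Frank saw).
        "digest_typed_hash": realm_accepts(browser_response(USERNAME, REALM, STORED, *params), STORED),
        # RFC 2617 section 3.5: store HA1 itself, so "password" verifies without the plaintext.
        "digest_stored_ha1": response_from_ha1(ha1_for_password, *params)
        == browser_response(USERNAME, REALM, "password", *params),
    }
```

Note that neither scheme protects the stored value at rest: a stored HA1 is usable as-is by anyone who reads tomcat-users.xml, which is why Digest's advantage is limited to the wire and not the credential store.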
