Thank you Mark. DIGEST, and in Tomcat 9 (not 11). Not sure if 9 vs 11 matters.
Sure enough, I missed the “algorithms” attribute in <valve>. Having that config for ~15 years and then having things start to fail led me down the wrong path, it seems.

I did 3 things wrong:
- just did not see “algorithms” in the <valve> docs
- “algorithm” vs “algorithms” in the <valve>
- algorithm=“MD5” in MessageDigestCredentialHandler, whose code looks to be incapable of handling both algorithms, e.g. getPassword() omits the algorithm so there is no way to know except in getDigest()

Lloyd

> On Dec 13, 2024, at 02:23:38, Mark Thomas <ma...@apache.org> wrote:
>
> On 13/12/2024 00:39, DIGLLOYD wrote:
>> ISSUE: users cannot login to my site.
>> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5
>> (Safari uses MD5 which is working fine)
>>
>> Details:
>> - Tomcat 9.0.98
>> - DIGEST auth using MD5
>> - has been working for 15+ years just fine.
>> - have read all available Tomcat docs, searched web for answers, etc.
>>
>> Debugging so far:
>>
>> Custom Realm in use for the purpose of managing auth info, but it otherwise defers to org.apache.catalina.realm.RealmBase.
>> CredentialHandler: e.g.
>> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>
> So you have DIGEST authentication with digested credentials.
>
> That will work as long as DIGEST authentication uses the same digest as the credentials. In this case: MD5.
>
> By default, Tomcat advertises support for both SHA-256 and MD5 with DIGEST authentication. Browsers should choose SHA-256 given those options. To change that, you need to set the algorithms attribute for the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
>
> https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
>
> Note the comment in the introduction to that section.
>
> Mark
>
>> By instrumenting this realm, I have determined the following:
>>
>> - Firefox and Chrome are sending SHA-256 DIGEST to my server, which is using MD5. Guaranteed failure since wrong digest.
>> - Safari is sending MD5, which works fine
>> - Realm uses standard
>>
>> Thoughts:
>>
>> I would have thought that Tomcat would be replying to a client by advertising the correct algorithm.
>>
>> Possibilities:
>> 1. Tomcat is not properly advising the client that MD5 is required.
>> 2. The spec is somehow deficient so that client and server do not know what is required.
>> 3. The clients (Firefox and Chrome) are doing it wrong.
>> 4. Something needs to be configured that I have not configured.
>>
>> Lloyd Chambers
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
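The mismatch Mark describes, simulated end to end as an added example (not code from the thread or from Tomcat): the server holds only an MD5 HA1 because the credentials were digested once with MessageDigestCredentialHandler algorithm="MD5", the browser prefers SHA-256 whenever the challenge advertises it, and only a challenge restricted to MD5 (what algorithms="MD5" on the Digest Authenticator Valve achieves) lets the login succeed. The user, realm, password, nonces and the RFC 7616 qop=auth response computation are constructed assumptions, not values from the thread.

```python
import hashlib

# Constructed sample values (not from the thread): one account and one request.
USER, REALM, PASSWORD = "alice", "example-realm", "correct horse"
METHOD, URI = "GET", "/private/"
NONCE, CNONCE, NC, QOP = "d41d8cd98f00", "0a4f113b", "00000001", "auth"

# RFC 7616 algorithm token as sent by the browser -> hashlib constructor name.
HASHLIB_NAME = {"MD5": "md5", "SHA-256": "sha256"}

def H(algorithm, data):
    return hashlib.new(HASHLIB_NAME[algorithm], data.encode()).hexdigest()

def ha1(algorithm, user, realm, password):
    # What a digested-credential store holds for DIGEST auth: H(user:realm:password).
    return H(algorithm, f"{user}:{realm}:{password}")

def digest_response(algorithm, ha1_value):
    # RFC 7616 with qop=auth: response = H(HA1:nonce:nc:cnonce:qop:HA2), HA2 = H(method:uri).
    ha2 = H(algorithm, f"{METHOD}:{URI}")
    return H(algorithm, f"{ha1_value}:{NONCE}:{NC}:{CNONCE}:{QOP}:{ha2}")

# Server side: credentials were digested once with MD5, so only an MD5 HA1 exists.
# A SHA-256 HA1 cannot be derived from it without the plaintext password.
STORED_HA1 = {"MD5": ha1("MD5", USER, REALM, PASSWORD)}

def server_verify(algorithm, response):
    stored = STORED_HA1.get(algorithm)
    if stored is None:
        return False  # client chose an algorithm the credential store cannot serve
    return response == digest_response(algorithm, stored)

def browser_response(advertised):
    # Browsers prefer SHA-256 when the challenge offers it, as Mark describes.
    algorithm = "SHA-256" if "SHA-256" in advertised else "MD5"
    return algorithm, digest_response(algorithm, ha1(algorithm, USER, REALM, PASSWORD))

def login(advertised):
    """Returns (algorithm the browser chose, whether the server accepted the response)."""
    algorithm, response = browser_response(advertised)
    return algorithm, server_verify(algorithm, response)

if __name__ == "__main__":
    print(login(["SHA-256", "MD5"]))  # default challenge: ('SHA-256', False)
    print(login(["MD5"]))             # algorithms="MD5" on the Valve: ('MD5', True)
```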