Date: Fri, 7 Sep 2001 08:38:01 -0700 (PDT)
Reply-To: tomcat-dev@jakarta.apache.org
Subject: Re: Digest authentication in Tomcat?
In-Reply-To: <005701c1377a$450703f0$8e00a8c0@pegasusii>

Hi Attila,

Tomcat 3.x standalone doesn't support digest auth. If you can contribute code - it would be great. I'm personally more interested in making sure Apache/IIS/NES is well integrated and allows the real server to do the authentication - but I know few people who love tomcat standalone :-).

Given the timeframe ( we're late in beta ), I'm not sure we can add the digest support in the 'standard' release of 3.3 ( and less likely in a bugfix release of 3.2.x ), however it would be an excellent candidate for an 'independent' module.

In 3.3 we tried to make it easy to add modules ( and all the functionality is implemented in modules ), it's just like adding a web application. The idea is to reduce the pressure on the official release, reduce the 'featurism', keep tomcat simple, etc.

Costin

On Fri, 7 Sep 2001, Attila Szegedi wrote:

> Hi!
>
> If I see correctly (after testing for it and browsing source extensively),
> the 3.2 product line of Tomcat does not support the Digest authentication
> scheme (RFC 2069). Could you confirm this? Also, please let me know if 3.3
> or 4.0 support Digest.
>
> In case they don't, I'm ready to provide an implementation (in fact, I
> already started working on it). The issue is a bit tricky as right now all
> available Realm implementations (the SimpleRealm and the JDBCRealm) assume
> the password can be extracted from the request, and this is (fortunately!)
> not true for Digest. I have an elegant idea for working around it, however I
> wouldn't like to reinvent the wheel, so please let me know if this is
> already done.
>
> NB: I need Digest so that I can have a fully compliant WebDAV service, since
> page 78 of RFC 2518 clearly states that "WebDAV applications MUST
> support the Digest authentication scheme". In the face of this, Tomcat's
> peer project Slide can also not achieve full WebDAV compliance if it lacks
> Digest authentication.
>
> Cheers,
> Attila.
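The point raised in the quoted message, that a Digest request never carries the password, shown as an added Java example (not code from Tomcat or from either poster): the server checks the RFC 2069 response against a stored H(A1) instead of comparing passwords. The class, realm, user, password, nonce and URI are constructed for illustration, and nonce issuance and freshness checking are assumed to happen elsewhere.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-alone class; it does not implement any Tomcat interface.
public class DigestCheckExample {
    private final String realm;
    // user -> H(A1) = MD5(user:realm:password), stored instead of the password
    private final Map<String, String> ha1ByUser = new HashMap<>();

    DigestCheckExample(String realm) { this.realm = realm; }

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is required on every JRE
        }
    }

    void enrol(String user, String password) {
        ha1ByUser.put(user, md5Hex(user + ":" + realm + ":" + password));
    }

    // RFC 2069: response = MD5(H(A1):nonce:H(A2)), H(A2) = MD5(method:uri).
    // The caller must already have checked that the nonce is one it issued.
    boolean verify(String user, String nonce, String method, String uri, String response) {
        String ha1 = ha1ByUser.get(user);
        if (ha1 == null || response == null) return false;
        String expected = md5Hex(ha1 + ":" + nonce + ":" + md5Hex(method + ":" + uri));
        // Constant-time comparison of the two hex strings
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                response.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        DigestCheckExample store = new DigestCheckExample("example-realm");
        store.enrol("alice", "constructed-password");
        String nonce = "constructed-nonce-0001";
        // Client side: only this hash goes on the wire, never the password.
        String sent = md5Hex(md5Hex("alice:example-realm:constructed-password")
                + ":" + nonce + ":" + md5Hex("GET:/dav/file.txt"));
        System.out.println(store.verify("alice", nonce, "GET", "/dav/file.txt", sent));
        // Same response replayed with a different method
        System.out.println(store.verify("alice", nonce, "PUT", "/dav/file.txt", sent));
    }
}
```

Because the stored H(A1) is sufficient to compute valid responses for its realm, it needs the same protection as a password.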