tomcat-dev mailing list archives

From "Peter Costello" <pe...@pcostello.com>
Subject Digest Authentication bug in org.apache.catalina.realm.RealmBase
Date Fri, 03 Jan 2003 22:07:57 GMT
I apologize in advance if I am sending this bug report/fix to the
wrong group or if the fix has already been implemented.

Using JDK1.3.01 and Tomcat 4.1.12, and sun.net.HttpURLConnection,
Digest Authentication does not work.  The sun.net.HttpURLConnection
class responds to WWW-Authenticate challenge with a Http Authorization
header that contains no 'nc', 'nonce' or 'qop' parameters. Although this
may not be very efficient, as best as I can tell from the spec, this is
a legal response.

org.apache.catalina.realm.RealmBase (line 373) calculates:
       String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
            + cnonce + ":" + qop + ":" + md5a2;

These null parameters get added to the string as ":null" and the MD5
encoded result 'serverDigest' does not match the 'clientDigest' and
authentication fails.

Replacing the 'serverDigestValue' with the following fixes the problem:
	String serverDigestValue = md5a1 + ":" + nOnce;
	if (nc != null) serverDigestValue += ":" + nc;
	if (cnonce != null) serverDigestValue += ":" + cnonce;
	if (qop != null) serverDigestValue += ":" + qop;
	serverDigestValue += ":" + md5a2;


==================================================================
To reproduce the problem:
	1) Start with a Tomcat 4.1.12 site with some pages requiring digest
authentication.
	   Assume username,password = "myName","myPassword"

	2) Define authenticator
		import java.net.Authenticator;
		import java.net.PasswordAuthentication;

		public class AuthImpl extends Authenticator {
			// Called by the JDK client when the server sends a WWW-Authenticate challenge
			protected PasswordAuthentication getPasswordAuthentication() {
				return new PasswordAuthentication("myName", "myPassword".toCharArray());
			}
		}

	3) Access the pages with the following
		import java.io.IOException;
		import java.io.InputStream;
		import java.net.Authenticator;
		import java.net.HttpURLConnection;
		import java.net.URL;

		public class DigestClient {
			public static int fetch() throws IOException {
				Authenticator.setDefault(new AuthImpl());
				URL url = new URL("http://localhost/foo.html");
				// openConnection() returns a URLConnection; cast it to reach getResponseCode()
				HttpURLConnection uc = (HttpURLConnection) url.openConnection();
				InputStream in = uc.getInputStream(); // the Digest challenge/response happens here
				byte[] buf = new byte[4096];
				int readNum;
				while ((readNum = in.read(buf, 0, 4096)) > 0) {
					// if (out != null) out.write(buf, 0, readNum);
				}
				return uc.getResponseCode();
			}
		}

	Authentication will fail until corrected as described above.


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
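The following is an added example, not code from the report or from Tomcat. It computes the server-side Digest response the way RFC 2617 describes it (no qop: MD5(H(A1) ":" nonce ":" H(A2)); qop present: nc and cnonce are required) next to the unconditional concatenation the report describes, so the mismatch for a qop-less client can be seen directly. The realm "example" and the nonce are constructed values; the rule that nc/cnonce must accompany qop goes beyond the report's per-parameter null checks.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseCheck {
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // Server-side check following RFC 2617: with no qop the response is
    // MD5(H(A1) ":" nonce ":" H(A2)) and nc/cnonce play no part; with qop they are mandatory.
    static String expectedResponse(String user, String realm, String pass, String method,
            String uri, String nonce, String nc, String cnonce, String qop)
            throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) {
            return md5Hex(ha1 + ":" + nonce + ":" + ha2);
        }
        if (nc == null || cnonce == null) {
            throw new IllegalArgumentException("qop given without nc/cnonce");
        }
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // The unconditional concatenation the report describes: a null nc/cnonce/qop is
    // stringified as "null", so the digest can never match a qop-less client.
    static String naiveResponse(String user, String realm, String pass, String method,
            String uri, String nonce, String nc, String cnonce, String qop) throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; realm and nonce are not from the report
        String user = "myName", realm = "example", pass = "myPassword", nonce = "0123456789abcdef";
        // What a client that omits qop, nc and cnonce sends as its response
        String clientResponse = md5Hex(md5Hex(user + ":" + realm + ":" + pass)
                + ":" + nonce + ":" + md5Hex("GET:/foo.html"));
        System.out.println("RFC 2617 check matches: " + clientResponse.equals(
                expectedResponse(user, realm, pass, "GET", "/foo.html", nonce, null, null, null)));
        System.out.println("null-concatenating check matches: " + clientResponse.equals(
                naiveResponse(user, realm, pass, "GET", "/foo.html", nonce, null, null, null)));
    }
}
```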

