tomcat-dev mailing list archives

From "Jalali, Alex" <AJal...@ksea.com>
Subject Digest Authenticator realm name is clear text right?
Date Thu, 10 Aug 2006 19:39:48 GMT
Hi, is this a bug with Tomcat or Adobe Acrobat in digest auth?
 
I have created an Authenticator extending the AuthenticatorBase. 
 
When I send this in the header:
 
>>> WWW-Authenticate: Digest realm="My realm name", qop="auth",
nonce=".......
 
Other clients return something like this with realm name in clear text.
 
 >>> Authorization: Digest username="user", realm=""My realm name""
.......
 
But Adobe Acrobat (using its upload review tool to publish to a WebDAV
server) returns with a response header that has, I guess, encrypted the
realm name, like this:
 
>>> Authorization: Digest username="user",
realm=""f6b755878fd52d631b890b"" .......
 
I looked at the AuthenticatorBase in different functions and it seems
that it expects the realm name to be plain text and doesn't check for
anything like this. In fact, if it cannot parse the realm name it uses
the server to get that.
 
In the end, the calculation comparing the server digestValue with the
client's does not match.
 
So I guess my question is: should Tomcat check this in its Authenticator?
Should it do anything if the realm name returned by the client does not
match what's on the server? Or is this just a bug with Acrobat?
 
 
Thanks,
 
Alex
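Added example (not Tomcat's DigestAuthenticator and not code from the post): a minimal RFC 2617 Digest computation with qop=auth, showing why a client that hashes or otherwise alters the realm string can never verify, since the server folds its own configured realm into HA1, and how an explicit realm comparison turns the silent digest mismatch described above into a precise rejection. The realm, nonce, cnonce, URI and credential values are constructed for the example.

```python
import hashlib
import re

SERVER_REALM = "My realm name"
PASSWORDS = {"user": "s3cret"}  # constructed credential store

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2); realm feeds HA1."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k: quoted or bare for k, quoted, bare in pairs}

def verify(header: str, method: str) -> str:
    """Server side: returns 'ok', 'realm-mismatch' or 'bad-response'."""
    p = parse_authorization(header)
    # A client that echoes a different realm string can never match, because the
    # server hashes its own configured realm into HA1; reject it with a clear reason.
    if p.get("realm") != SERVER_REALM:
        return "realm-mismatch"
    password = PASSWORDS.get(p.get("username", ""))
    if password is None:
        return "bad-response"
    expected = digest_response(p["username"], SERVER_REALM, password, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return "ok" if expected == p["response"] else "bad-response"

def build_header(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: the Authorization header a client builds from the challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

NONCE, NC, CNONCE, URI = "dcd98b7102dd2f0e", "00000001", "0a4f113b", "/webdav/doc.pdf"
# Client that echoes the configured realm verbatim, as the other clients in the post do.
GOOD = build_header("user", SERVER_REALM, "s3cret", "PUT", URI, NONCE, NC, CNONCE)
# Client that hashes a different realm string into its digest, the behaviour the post describes.
ODD = build_header("user", "f6b755878fd52d631b890b", "s3cret", "PUT", URI, NONCE, NC, CNONCE)
```

`verify(GOOD, "PUT")` returns `ok`, while `verify(ODD, "PUT")` returns `realm-mismatch` before any hashing is done; without the explicit check the same request would only surface as a generic digest mismatch.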