tomcat-dev mailing list archives

From "Jalali, Alex" <>
Subject RE: Digest Authenticator realm name is clear text right?
Date Fri, 11 Aug 2006 19:05:21 GMT
Actually, I tracked it down everywhere and it turns out that the problem is
in parsing the username and the rest of the stuff in the header inside the
findPrincipal() method of the DigestAuthenticator class.

Given the authorization header is: Digest
username="user",realm=""f6b755878fd52d631b890b"" .......

The method returns null, because it parses the username to -->
user",realm=""f6b755878fd52d631b890b"" .......
And so there are no more tokens, the rest of the stuff is set to -->
null, and the method returns null.

The bug fix in this method is doing that, and that is because of the
double quotes in realm=""bla bla"", I'm guessing, which is OK for it
to have double quotes per RFC....

When I changed this method back to the way it used to parse the header,
everything works fine.

I know this bug fix is trying to fix a special case where the URL
contains ,?= etc., but it is not considering the double quotes in the realm
name, maybe??? I don't know enough about regular expressions to fix
this, so I'm just using the old code. I also don't have permission to add
code to re-open this bug or send a fix. Do you have permission to
re-open it and add this note?

protected static Principal findPrincipal(Request request,
                                         String authorization,
                                         Realm realm) {

        //System.out.println("Authorization token : " + authorization);
        // Validate the authorization credentials format
        if (authorization == null)
            return (null);
        if (!authorization.startsWith("Digest "))
            return (null);
        authorization = authorization.substring(7).trim();

        // Bugzilla 37132:
        // (The split expression was dropped from the archive copy of this
        // message; restored here from Tomcat's DigestAuthenticator. It
        // splits on commas that are followed by an even number of double
        // quotes up to the end of the string, i.e. commas that are not
        // inside a quoted value.)
        String[] tokens = authorization.split(",(?=(?:[^\"]*\"[^\"]*\")+$)");

        String userName = null;
        String realmName = null;
        String nOnce = null;
        String nc = null;
        String cnonce = null;
        String qop = null;
        String uri = null;
        String response = null;
        String method = request.getMethod();

        // Each token is name=value; quoted values have their quotes removed
        for (int i = 0; i < tokens.length; i++) {
            String currentToken = tokens[i];
            if (currentToken.length() == 0)
                continue;

            int equalSign = currentToken.indexOf('=');
            if (equalSign < 0)
                return null;
            String currentTokenName =
                currentToken.substring(0, equalSign).trim();
            String currentTokenValue =
                currentToken.substring(equalSign + 1).trim();
            if ("username".equals(currentTokenName))
                userName = removeQuotes(currentTokenValue);
            if ("realm".equals(currentTokenName))
                realmName = removeQuotes(currentTokenValue, true);
            if ("nonce".equals(currentTokenName))
                nOnce = removeQuotes(currentTokenValue);
            if ("nc".equals(currentTokenName))
                nc = removeQuotes(currentTokenValue);
            if ("cnonce".equals(currentTokenName))
                cnonce = removeQuotes(currentTokenValue);
            if ("qop".equals(currentTokenName))
                qop = removeQuotes(currentTokenValue);
            if ("uri".equals(currentTokenName))
                uri = removeQuotes(currentTokenValue);
            if ("response".equals(currentTokenName))
                response = removeQuotes(currentTokenValue);
        }

        // All of these directives are mandatory; nc, cnonce and qop are
        // only present when the server offered qop
        if ( (userName == null) || (realmName == null) || (nOnce == null)
             || (uri == null) || (response == null) )
            return null;

        // Second MD5 digest used to calculate the digest :
        // MD5(Method + ":" + uri)
        String a2 = method + ":" + uri;
        //System.out.println("A2:" + a2);

        byte[] buffer = null;
        synchronized (md5Helper) {
            buffer = md5Helper.digest(a2.getBytes());
        }
        String md5a2 = md5Encoder.encode(buffer);

        return (realm.authenticate(userName, response, nOnce, nc, cnonce, qop,
                                   realmName, md5a2));

}

the realm has two quotes "" which is OK but the
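To make the two failure shapes in this thread concrete, here is an added example (not code from the thread, and not Tomcat's own code) of a Digest Authorization parser with the same findPrincipal() contract (return None on a malformed header). It splits the parameter list with a character-level scanner that tracks quote state instead of counting quotes, so the doubled-quote realm from the Acrobat header and a comma or '=' inside a quoted uri (the Bugzilla 37132 case) both parse, while the old split-on-every-comma behaviour is kept alongside for comparison. The two sample headers are constructed for this example: only the realm="" ... "" fragment comes from the thread; the nonce, uri, cnonce and response values are made up.

```python
# Constructed sample headers for this example. Only the doubled-quote realm
# fragment is from the thread; every other value is made up.
ACROBAT_HEADER = (
    'Digest username="user",realm=""f6b755878fd52d631b890b"",'
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",uri="/webdav/review.pdf",'
    'qop=auth,nc=00000001,cnonce="0a4f113b",'
    'response="6629fae49393a05397450978507c4ef1"'
)

# The Bugzilla 37132 shape: a comma and '=' inside the quoted uri value.
COMMA_URI_HEADER = (
    'Digest username="user",realm="webdav",'
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",'
    'uri="/report.pdf?ids=1,2,3&sort=name",'
    'response="6629fae49393a05397450978507c4ef1"'
)

# Directives findPrincipal() treats as mandatory.
REQUIRED = ("username", "realm", "nonce", "uri", "response")


def split_naive(params):
    """Old behaviour: split on every comma, quoted or not."""
    return [p.strip() for p in params.split(",") if p.strip()]


def split_quote_aware(params):
    """Split on commas that are outside double quotes.

    Scans character by character and toggles on each quote, so a value like
    realm=""abc"" (two quote pairs, as in the Acrobat header) leaves the scanner
    outside quotes again, and a backslash-escaped quote inside a value (RFC 2617
    quoted-pair) does not flip the state.
    """
    tokens, buf, in_quotes, i = [], [], False, 0
    while i < len(params):
        c = params[i]
        if in_quotes and c == "\\" and i + 1 < len(params):
            buf.append(c)
            buf.append(params[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == "," and not in_quotes:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    tokens.append("".join(buf).strip())
    return [t for t in tokens if t]


def remove_quotes(value):
    """Strip all surrounding quotes, so ""abc"" and "abc" both yield abc.

    A strict RFC 2617 parser would reject ""abc"" (an empty quoted-string
    followed by trailing characters); stripping is the lenient choice.
    """
    return value.strip('"')


def parse_digest(authorization, splitter=split_quote_aware):
    """Parse the Digest Authorization header into a dict of directives.

    Returns None for anything malformed (not a Digest header, a token without
    '=', or a missing mandatory directive), mirroring findPrincipal(). Directive
    names are lower-cased because RFC 2617 makes them case-insensitive.
    """
    if not authorization.startswith("Digest "):
        return None
    fields = {}
    for token in splitter(authorization[len("Digest "):].strip()):
        if "=" not in token:
            return None
        name, value = token.split("=", 1)
        fields[name.strip().lower()] = remove_quotes(value.strip())
    if any(fields.get(k) is None for k in REQUIRED):
        return None
    return fields
```

With the scanner, both constructed headers parse; with split_naive the Acrobat header still parses (no comma is inside a value), but the comma-in-uri header yields a bare "2" token with no '=' and the parser returns None, which is the rejection Bugzilla 37132 was about.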

-----Original Message-----
From: Tino Schwarze [] 
Sent: Friday, August 11, 2006 8:46 AM
Subject: Re: Digest Authenticator realm name is clear text right?

On Thu, Aug 10, 2006 at 12:39:48PM -0700, Jalali, Alex wrote:
> Hi, Is this is a bug with tomcat or adobe Acrobat in digest auth?

I suppose neither. The realm is clear text.

> But adobe Acrobat (using its upload review tool to publish to a webdav
> server) returns with a response header that has, I guess encrypted the
> realm name like this
> >>> Authorization: Digest username="user",
> realm=""f6b755878fd52d631b890b"" .......

I suppose(!) that they are just sending a random value (looks like an
MD5 of something). It ensures that the browser will prompt for a
password every time.

But this is just a wild guess.
