tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52515] New: Digest auth specifically requires digested passwords to hashed with MD5
Date Tue, 24 Jan 2012 11:27:38 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52515

             Bug #: 52515
           Summary: Digest auth specifically requires digested passwords
                    to hashed with MD5
           Product: Tomcat 7
           Version: unspecified
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: djpowell@djpowell.net
    Classification: Unclassified


Re:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords


The documentation says:

"If using digested passwords with DIGEST authentication, the cleartext used to
generate the digest is different. In the examples above {cleartext-password}
must be replaced with {username}:{realm}:{cleartext-password}."


The documentation does not mention the fact that when using HTTP Digest Auth
with digested passwords, you MUST use the MD5 algorithm to digest the
passwords.

When the authentication is performed, the digest algorithm specified for the
realm is ignored, and MD5 is always used, so if SHA has been used,
authentication will fail.


(Would it be appropriate to log a warning if it is detected that Digest Auth is
being used and the Realm's digest algorithm is something other than MD5...?)

-- 
Dave

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message