tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brett Knights" <>
Subject RE: Secure MessageDigest Login using JSP
Date Sun, 25 Feb 2001 14:48:59 GMT
And IE5 and Mozilla6 are supposed to support digest authentication so you might only need to
implement something as a fallback (or
if it is an intranet/extranet project specify only those browsers)
Reading the rfc (rfc 2617) on digest authentication is a good idea if you are thinking of
rolling you own.

  -----Original Message-----
  From: Brett Bergquist []
  Sent: Saturday, February 24, 2001 7:13 PM
  Subject: RE: Secure MessageDigest Login using JSP

  Ryan, I did something like this in my current project.  The currently supported authentication
forms do not support this, but I
needed it.  Since my application UI is Java Applet based, I was able to use the message digest
API's in Java 2 to do this.  What I
did is this:
    a.. Modified all of my pages that I need to protect to see if the user is logged in and
if not, forward the request to a Login
JSP page, keeping track of the original request destination.
    b.. Created a Login JSP page which contained a Login applet.  The Login applet provides
an area for the user to enter the
username and password.  I use this along with the session ID for the session and compute the
digest hash.  The digest hash,
username, and session ID is passed to a Login servlet using HTTP POST.
    c.. Created a Login servlet which receives a digest hash, username, and session ID in
its POST handler.  The session ID is
validated against the current session.  The username is used to lookup the user authentication
information is a database and
retrieves the user's password.  I then compute the digest hash using the supplied username,
session ID and the password lookup.  If
this hash is the same as the one passed in the POST message, then the user is authenticated
and logged in and redirected to the
orignal request destination.
  I probably could have implemented an Interceptor or such to do this, but I was fairly new
to Tomcat and this seemed the easiest
way and as a side benefit it is not Tomcat specific.  The only real downside is having to
protect each page individually.

  If you are not using an applet on the client side, you could still compute an MD5 hash in
Javascript and do something similar.

  Hope this helps

    -----Original Message-----
    From: Ryan []
    Sent: Friday, February 23, 2001 7:57 PM
    Subject: Secure MessageDigest Login using JSP


        I want to be able to use the MessageDigest class to make a secure login to a jsp page.

        Ultimately, I want the user to interact with a form and submit data entries into a
mySQL database. This type of thing is
very new to me and I was wondering if anyone could lead me to any good resources.


View raw message