tomcat-users mailing list archives

From Phillip Qin <>
Subject RE: Using Digested Passwords and DIGEST Authentication at the same time.
Date Thu, 07 Oct 2004 17:32:21 GMT
It's interesting, you know. I read a book called "Professional Apache Tomcat"
published by Wrox. In Chapter 16 Tomcat Security, the author says

- Not all browsers supported DIGEST authentication, so you can't guarantee
that all clients will be able to authenticate... Internet Explorer and
Konqueror are two browsers that do support DIGEST authentication. Mozilla
1.0 claims to recognize the DIGEST request (0.9 doesn't even recognize
this), but can't authenticate.
- DIGEST authentication doesn't work if the passwords are digested on the
Tomcat side (so that they can't be read as cleartext) because of the way
that DIGEST mechanism calculates its digest. First of all the browser
calculates a digest of the username, the password, the URL, the HTTP method,
and a random string sent to it by the server. Likewise, the server creates a
digest to verify that the details entered by the user are correct. However,
as the password is already digested on the server, and thus completely
different from the cleartext version entered into the browser, the two
digests will be different, and authentication will fail...

-----Original Message-----
From: Phillip Qin [] 
Sent: October 7, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the same

I don't think MD5+DIGEST will work. Take a look at any subclass of
RealmBase. Realm has nothing to do with web.xml attribute <login-config>. In
the authenticate method, Realm checks hasMessageDigest() - value of Realm
digest=. If hasMessageDigest, in your case =MD5, Realm digests the password
and compare it with the value stored in database.

-----Original Message-----
From: Shinobu Kawai [] 
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the same

Hi Phillip,

> Have you tried it based on the howto?
Here's what I tried: (All with o.a.c.r.MemoryRealm)
clear text + BASIC -> works!
clear text + DIGEST -> works!
MD5 digest + BASIC -> works!
SHA digest + BASIC -> works!
MD5 digest + DIGEST -> doesn't work!
SHA digest + DIGEST -> doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai
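The failure mode this thread describes (a password that is digested on the server cannot be verified against an HTTP DIGEST response, yet typing the digest itself at the prompt is accepted), worked through as an added example. It is not Tomcat's code and not part of the original messages: it models the RFC 2617 computation (qop=auth) on the browser side and on the server side for three ways the server can keep the credential: cleartext; MD5 of the password alone, which is what a Realm with digest="MD5" stores and can only treat as the password; and a precomputed HA1 = MD5(username:realm:password), which RFC 2617 permits a server to store instead of the cleartext and which the thread does not discuss. The usernames, passwords, realm name and nonces are constructed for the demo.

```python
"""
Added example (not Tomcat's code, not from the original post): models the
HTTP Digest (RFC 2617, qop=auth) computation on the browser side and on the
server side for three ways the server can store the credential.  All
usernames, passwords, realm names and nonces are constructed for the demo.
"""
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, secret: str) -> str:
    """HA1 = MD5(username:realm:secret).  'secret' is whatever the computing
    side believes the password to be."""
    return md5hex(f"{username}:{realm}:{secret}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str,
                    method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def browser_response(username, typed_password, realm, nonce, nc, cnonce,
                     method, uri):
    """What the browser sends: it only ever has what the user typed."""
    return digest_response(ha1(username, realm, typed_password),
                           nonce, nc, cnonce, "auth", method, uri)


def server_verify(stored, storage, username, client_response, realm,
                  nonce, nc, cnonce, method, uri):
    """Recompute the expected response from the stored credential and compare.

    storage == "cleartext":    stored is the plain password.
    storage == "md5_password": stored is MD5(password), as a Realm with
        digest="MD5" keeps it; the server can only treat it as the password,
        which is the mismatch the thread describes.
    storage == "ha1":          stored is MD5(username:realm:password), the
        pre-digested form RFC 2617 lets a server keep instead of cleartext.
    """
    if storage in ("cleartext", "md5_password"):
        h1 = ha1(username, realm, stored)
    elif storage == "ha1":
        h1 = stored
    else:
        raise ValueError(f"unknown storage mode {storage!r}")
    expected = digest_response(h1, nonce, nc, cnonce, "auth", method, uri)
    return hmac.compare_digest(expected, client_response)


def run_scenarios():
    """Reproduce the thread's DIGEST cases; returns {scenario: accepted?}."""
    user, password, realm = "tomcat", "s3cret", "Example Realm"
    nonce, nc, cnonce = "a1b2c3d4e5f6", "00000001", "0a4f113b"  # constructed
    method, uri = "GET", "/secure/"
    cases = {
        # name: (stored credential, storage mode, what the user types)
        "cleartext stored, password typed": (password, "cleartext", password),
        "MD5 stored, password typed": (md5hex(password), "md5_password", password),
        "MD5 stored, digest typed": (md5hex(password), "md5_password", md5hex(password)),
        "HA1 stored, password typed": (ha1(user, realm, password), "ha1", password),
    }
    results = {}
    for name, (stored, mode, typed) in cases.items():
        resp = browser_response(user, typed, realm, nonce, nc, cnonce, method, uri)
        results[name] = server_verify(stored, mode, user, resp, realm,
                                      nonce, nc, cnonce, method, uri)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:34s} -> {'works' if ok else 'fails'}")
```

The second and third cases are the ones the thread reports: with MD5(password) in the realm, the server's HA1 is MD5(username:realm:MD5(password)), so the real password fails and the digest string succeeds. BASIC does not hit this because the server receives the cleartext and can digest it before comparing; DIGEST never gives the server the cleartext, so the only non-cleartext credential it can verify is one computed the way the client computes HA1.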
