tomcat-users mailing list archives

From "Johnny Kewl" <j...@kewlstuff.co.za>
Subject Re: [tomcat]How to decrypt the DIGEST authentication?
Date Mon, 05 Nov 2007 05:02:14 GMT

---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---------------------------------------------------------------------------
----- Original Message ----- 
From: "Mark Thomas" <markt@apache.org>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, November 04, 2007 8:24 PM
Subject: Re: [tomcat]How to decrypt the DIGEST authentication?


> Mark Thomas wrote:
>> Johnny Kewl wrote:
>>> I don't think you can do what you want to...
>>> I don't think you can use web based DIGEST authentication.
>>> And then hide passwords in a MD5 digest as well.
>>
>> Yes you can.
>>
>>> I think web based DIGEST authentication, MUST get at the plain text
>>> password.
>>
>> No.
>>
>>> That process has to be repeated on the server, and SHA(Password) + plus
>>> some random stuff NOT EQUAL to browser...
>>> I think it has to be a plain text password... unless TC does something
>>> unbelievable...
>>
>> Not unbelievable. Just plain cold logic. The use of DIGEST auth and
>> digested passwords are 100% independent.
>
> Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
> auth *and* digested passwords then you have to calculate the password to
> put in your tomcat-users.xml/database/etc differently. See
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
> for details.

No Problem... I'm surprised it can even be done...
The digest spec has random vectors, so it means TC is using domain and 
username as those.
--------------
If using digested passwords with DIGEST authentication, the cleartext used 
to generate the digest is different. In the examples above 
{cleartext-password} must be replaced with 
{username}:{realm}:{cleartext-password}. For example, in a development 
environment this might take the form testUser:localhost:8080:testPassword.
---------------
I was wrong... it can be done ;)
> Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
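Why the two mechanisms combine, as an added illustration that is not part of this thread or of Tomcat's own code: in RFC 2617 Digest authentication the only secret the server ever needs is HA1 = MD5(username:realm:password), which is exactly the value the quoted Tomcat documentation says to store. The user and realm are taken from that quote; the nonces, URIs and function names are constructed for the example.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def tomcat_stored_digest(username: str, realm: str, password: str) -> str:
    """Value to store when digested passwords are combined with DIGEST auth:
    MD5 over username:realm:password (RFC 2617 'HA1'), not MD5(password)."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. HA1 is the only secret input, so a
    server holding the stored HA1 can recompute what the browser computed."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored digest and compare in constant
    time. The cleartext password is never needed here."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)

# Constructed values; user and realm reuse the Tomcat docs example quoted above.
USER, REALM, PASSWORD = "testUser", "localhost:8080", "testPassword"
NONCE, CNONCE, NC = "constructed-server-nonce", "constructed-client-nonce", "00000001"

def browser_request(password: str, uri: str = "/secure/") -> str:
    """Browser side: derives HA1 from the typed password, then the response."""
    ha1 = md5_hex(f"{USER}:{REALM}:{password}")
    return digest_response(ha1, "GET", uri, NONCE, NC, CNONCE)

def verify_with_store(stored: str, response: str, uri: str = "/secure/") -> bool:
    return server_verify(stored, "GET", uri, NONCE, NC, CNONCE, response)

def demo() -> dict:
    stored_ok = tomcat_stored_digest(USER, REALM, PASSWORD)  # documented format
    stored_bad = md5_hex(PASSWORD)  # plain MD5(password): unusable with DIGEST auth
    resp = browser_request(PASSWORD)
    return {
        "correct_store_accepts": verify_with_store(stored_ok, resp),
        "plain_md5_store_rejects": not verify_with_store(stored_bad, resp),
        "wrong_password_rejects": not verify_with_store(stored_ok, browser_request("nope")),
        "replayed_to_other_uri_rejects": not verify_with_store(stored_ok, resp, "/admin/"),
    }

if __name__ == "__main__":
    print(demo())
```

Note that the stored HA1 is password-equivalent for this realm (anyone holding it can answer the challenge), so tomcat-users.xml still needs the same access controls as if it held cleartext.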

