tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Kewl" <j...@kewlstuff.co.za>
Subject Re: [tomcat]How to decrypt the DIGEST authentication?
Date Fri, 02 Nov 2007 11:49:04 GMT

---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---------------------------------------------------------------------------

Zhong, havnt been following this, so shoot my wife if this is stupid...

I dont think you can do what you want to...
I dont think you can use web based DIGEST authentication.
And then hide passwords in a MD5 digest as well.

I think web based DIGEST authentication, MUST get at the plain text 
password.
If you change that to BASIC, THEN you can MD5 the plain text password.

DIGEST on the web is better though....

This is not a Tomcat problem, its just the way DIGEST works....
The browser taks the PASSWORD + Some Random stuff and gets a HASH from that.

That process has to be repeated on the server, and SHA(Password) + plus some 
random stuff NOT EQUAL to browser...
I think it has to be a plain text password... unless TC does something 
unbelievable...

Have to choose.... its just the way web security works ;(



----- Original Message ----- 
From: "zhongliang zhang" <zhangzhongl@msn.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, November 02, 2007 3:14 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?


Hi,Mark,
I have to turn to you again.
I encounter the problem with configuring the Digested-Password in the 
JDBCRealm.
The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as 
followed:
<Realm  className="org.apache.catalina.realm.JDBCRealm" 
driverName="com.mysql.jdbc.Driver" 
connectionURL="jdbc:mysql://localhost/test"           connectionName="root" 
connectionPassword="root"           userTable="users" 
userNameCol="user_name" userCredCol="user_pass" 
userRoleTable="user_roles" roleNameCol="role_name" />
and in the $TOMCAT_HOME/conf/web.xml,I did the following 
security-constraint:
<security-constraint> <web-resource-collection> 
<web-resource-name>all</web-resource-name>  <url-pattern>/*</url-pattern>

</web-resource-collection> <auth-constraint> 
<role-name>customized</role-name> 
</auth-constraint></security-constraint><login-config> 
<auth-method>DIGEST</auth-method> 
<realm-name>JDBCRealm</realm-name></login-config>
it works with mysql database which is just for testing.Now in my database 
table users,I insert a record:
user_name:zhangzhongl
user_pass:zhangzhongl
and in the database table,I insert a record:
role_name:customized
username:zhangzhongl
So,it works before I added the digest attribute to the <Realm> element with 
value "SHA" or "MD5".
After I added the digest attribute,I copied the tomcat-juli.jar from 
$TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then start up,
after I entered the username zhangzhongl and clear-text password(Now,in the 
database,I stored the password with SHA encrypted form),it does now 
work,which means I can not enter the tomcat welcome page.

I do not know what the reason is.
Please do me a favor.
thanks so much!> > 
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords> > 
Mark> 
 > ---------------------------------------------------------------------> To 
start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: 
users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: 
users-help@tomcat.apache.org>
_________________________________________________________________
Connect to the next generation of MSN Messenger
http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=wlmailtagline



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message