tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Kewl" <j...@kewlstuff.co.za>
Subject Re: [tomcat]How to decrypt the DIGEST authentication?
Date Mon, 05 Nov 2007 07:26:00 GMT

---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---------------------------------------------------------------------------
----- Original Message ----- 
From: "zhongliang zhang" <zhangzhongl@msn.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Monday, November 05, 2007 8:16 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?



thanks for your replying.
Now It works if I specify the alg with "MD5",but still does not work with 
"SHA".
and I do not know what does the middle field of 
"zhangzhongl:JDBCRealm:secret" means,that is,the "JDBCRealm",is it a 
unchangeable part?I do not think so,for the Tomcat docs give an example of 
"localhost:8080",but when I changed it to that,my app does not works.
=======================
Yes that is misleading
I think its picking it up from
<realm-name>JDBCRealm</realm-name>
in the web.xml file

The example in the documentation makes one think its picking up on the 
domain name... but its picking up on that setting
I think its because as convention realm-name is often the site domain name.

But that is good because I was thinking when you move it from 8080 you will 
have to change all the password hashes...
Luckily not... just get this setting right now...
<realm-name>JDBCRealm</realm-name>
in the web.xml file

You guys cracked it.... well done!

=======================
And further more,the application has the functions of modifying password and 
new a user,so I have to deal with the transport of these passwords,too.I 
planned to user javascript to encrypt the password at these situations,is it 
a way worth to try?
what about encrypting the password use javascript at the login page?is it 
safe?what I am afraid is someone get the 
RequestURL,username,password(encrypted),and he write an form,then he can 
login to my application.Is it possible for some badguy to do this?
I know the SSL communication is the best way,while the pity is that I am not 
allowed to use it.
thanks so much for helping me to solve this problem,it confused me for 
couple of days.
=======================
Oops ;)
Forget about making the actual communication secure... to work up those 
encryption algs in Javascript is near impossible.
But.... mmmmm thinking ;)
I think this will work.... ok

Find a MD5 alg for Javascript
The user must login and go to a secure page.... you pass up the realm-name 
to the Java script
It does...
MD5(UserName,Realm,Password) and send it to your servlet.
You put it in the dB.

It doesnt stop things like replay attacks and all that stuff, but the rest 
of your site is not secure anyway...
A Hash is a one way function so from that aspect, its as good as DIGEST.
ie, even if someonw see's the HASH... they still cannot guess the password..

SSL is better, but yes, this is probably as good as its going to get on an 
open site.
=======================
_________________________________________________________________
Connect to the next generation of MSN Messenger
http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=wlmailtagline
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message