tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [tomcat]How to decrypt the DIGEST authentication?
Date Sun, 04 Nov 2007 18:24:57 GMT
Mark Thomas wrote:
> Johnny Kewl wrote:
>> I don't think you can do what you want to...
>> I don't think you can use web based DIGEST authentication.
>> And then hide passwords in an MD5 digest as well.
> 
> Yes you can.
> 
>> I think web based DIGEST authentication, MUST get at the plain text
>> password.
> 
> No.
> 
>> That process has to be repeated on the server, and SHA(Password) + plus
>> some random stuff NOT EQUAL to browser...
>> I think it has to be a plain text password... unless TC does something
>> unbelievable...
> 
> Not unbelievable. Just plain cold logic. The use of DIGEST auth and
> digested passwords are 100% independent.

Sorry. I misspoke. They are not totally independent. If you use DIGEST
auth *and* digested passwords then you have to calculate the password to
put in your tomcat-users.xml/database/etc differently. See
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
for details.

Mark
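
The point made in the reply above, as an added example that is not part of the original message or Tomcat's own code: with DIGEST auth the value kept in the user store is MD5(username:realm:password) (HA1 in RFC 2617), and the server can check the browser's response from that value alone. Function names are hypothetical; the sample values are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def stored_credential(username: str, realm: str, password: str) -> str:
    # HA1 of RFC 2617. This, not MD5(password), is what goes in the user store.
    # realm must be the exact realm name the server sends in its challenge.
    return md5_hex(f"{username}:{realm}:{password}")

def browser_response(username, realm, password, method, uri, nonce, nc, cnonce):
    # Client side: the browser has the cleartext password and derives HA1 itself.
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_accepts(stored, method, uri, nonce, nc, cnonce, response) -> bool:
    # Server side: only the stored value is used, never the cleartext password.
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)

# Sample values from RFC 2617 section 3.5 (qop=auth).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
CHALLENGE = dict(method="GET", uri="/dir/index.html",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 nc="00000001", cnonce="0a4f113b")

def demo():
    response = browser_response(USER, REALM, PASSWORD, **CHALLENGE)
    # Store holds MD5(user:realm:password): the check succeeds.
    good = server_accepts(stored_credential(USER, REALM, PASSWORD),
                          response=response, **CHALLENGE)
    # Store holds plain MD5(password): the check fails, which is why the
    # stored value has to be calculated differently for DIGEST auth.
    bad = server_accepts(md5_hex(PASSWORD), response=response, **CHALLENGE)
    return response, good, bad

if __name__ == "__main__":
    print(demo())
```

Because the stored value alone is enough to compute a valid response for that realm, the user store needs the same protection as a cleartext password file.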

