tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: [tomcat]How to decrypt the DIGEST authentication?
Date Sun, 04 Nov 2007 18:24:57 GMT
Mark Thomas wrote:
> Johnny Kewl wrote:
>> I don't think you can do what you want to...
>> I don't think you can use web based DIGEST authentication.
>> And then hide passwords in an MD5 digest as well.
> Yes you can.
>> I think web based DIGEST authentication, MUST get at the plain text
>> password.
> No.
>> That process has to be repeated on the server, and SHA(Password) + plus
>> some random stuff NOT EQUAL to browser...
>> I think it has to be a plain text password... unless TC does something
>> unbelievable...
> Not unbelievable. Just plain cold logic. The use of DIGEST auth and
> digested passwords are 100% independent.

Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
auth *and* digested passwords then you have to calculate the password to
put in your tomcat-users.xml/database/etc differently. See
for details.

