tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Www-authenticate ...
Date Wed, 23 Dec 2009 16:49:35 GMT

On 12/21/2009 7:34 AM, André Warnier wrote:
> insi wrote:
>> Hi,
>> My tomcat server is sending www-authenticate (digest) header but the
>> header doesn't contain the algorithm field, which one is chosen by default?
> MD5
>> How do I specify it to use particular algorithm (sha1/md5)?
> In short, you can't.
> See HTTP 2616 and 2617.

Note that the default is MD5, as specified in RFC 2617, section 3.2.1.

     A string indicating a pair of algorithms used to produce the digest
     and a checksum. If this is not present it is assumed to be "MD5".
     If the algorithm is not understood, the challenge should be ignored
     (and a different one used, if there is more than one).

The Wikipedia article for HTTP Auth basically asserts that HTTP Auth is,
by definition, to use MD5.

Apache httpd's mod_auth_digest allows one of two algorithms to be used:
MD5 and MD5-sess, with the latter being unimplemented.

The servlet specification actually makes DIGEST authentication optional
for spec-compliant containers, which is interesting. There is also no
(standard) way to configure the algorithm for DIGEST authentication.
Tomcat allows you to do it using the "digest" attribute of the <Realm>.

Note that the documentation erroneously enumerates the supported
algorithms as MD2, MD5, and SHA, though all algorithms supported by the
JVM are actually allowed (unless "SHA" refers to all SHA-n varieties).
In my Java 1.6 environment, I have the following available: MD2, MD5,
SHA(1), SHA-256, SHA-384, and SHA-512. I'm surprised that RIPEMD-160
isn't supported. :(

The spec itself mentions only MD5, although there doesn't seem to be a
reason that an arbitrary cryptographic hashing algorithm couldn't be
substituted for MD5. I would guess that, since the spec doesn't mention
anything other than MD5, nobody has ever bothered to implement anything
beyond that.

> Theoretically, you could, via the optional "Authentication-Info" header
> indicated in RFC2617. But in the practice, to my knowledge, browsers
> support only Digest with MD5, so it doesn't really help.

Authentication-Info is only provided after the authentication has
occurred, so this isn't appropriate for choosing an authentication
digest algorithm :)

- -chris
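The RFC 2617 rule quoted in the thread (a missing "algorithm" parameter means MD5; a challenge whose algorithm the client does not understand is ignored in favour of another one) is easy to get wrong in a hand-rolled client. The following Python is an added example written for this archive page, not code from Tomcat, the thread's participants, or any browser. It parses a Digest WWW-Authenticate challenge, applies the MD5 default, skips challenges with unknown algorithms, and computes the response digest. The SUPPORTED_HASHES table is an assumption for the example (SHA-256 is included only to show how a non-MD5 algorithm would plug in; as the thread notes, real browsers of the time spoke MD5 only). The sample challenge and credentials are the ones from RFC 2617 section 3.5, with the algorithm parameter omitted so the default path is exercised.

```python
"""RFC 2617 Digest challenge handling: parse WWW-Authenticate, apply the
MD5 default for a missing algorithm, skip challenges we don't understand,
and compute the 'response' value. Added example; not Tomcat's code."""
import hashlib
import re

# Hash functions this example client understands (assumption for the
# example). RFC 2617 itself names only MD5 and MD5-sess.
SUPPORTED_HASHES = {
    "MD5": hashlib.md5,
    "SHA-256": hashlib.sha256,
}

# key=value pairs, value either "quoted" or a bare token.
_PARAM_RE = re.compile(r'(\w[\w-]*)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_digest_challenge(header):
    """Parse one 'Digest ...' header value into a dict of parameters.

    The 'algorithm' key is always present afterwards: RFC 2617 3.2.1 says a
    missing algorithm parameter means "MD5". Returns None for other schemes.
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for m in _PARAM_RE.finditer(rest):
        key = m.group(1).lower()
        params[key] = m.group(2) if m.group(2) is not None else m.group(3)
    params.setdefault("algorithm", "MD5")
    return params


def base_algorithm(name):
    """'MD5-sess' -> 'MD5': the -sess suffix changes how HA1 is formed,
    not which hash function is used."""
    return name[:-5] if name.upper().endswith("-SESS") else name


def select_challenge(headers):
    """Pick the first Digest challenge whose algorithm we understand.

    Implements the quoted RFC text: a challenge with an algorithm that is
    not understood is ignored and a different one used, if there is one.
    """
    for header in headers:
        params = parse_digest_challenge(header)
        if params is None:
            continue
        if base_algorithm(params["algorithm"]).upper() in SUPPORTED_HASHES:
            return params
    return None


def digest_response(params, username, password, method, uri,
                    nc="00000001", cnonce=None):
    """Compute the 'response' field of an Authorization: Digest header."""
    algo = params["algorithm"]
    hash_fn = SUPPORTED_HASHES[base_algorithm(algo).upper()]

    def H(data):
        return hash_fn(data.encode("utf-8")).hexdigest()

    ha1 = H(f"{username}:{params['realm']}:{password}")
    if algo.upper().endswith("-SESS"):
        ha1 = H(f"{ha1}:{params['nonce']}:{cnonce}")
    ha2 = H(f"{method}:{uri}")
    if params.get("qop"):
        # The server may offer "auth,auth-int"; this example answers "auth".
        return H(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return H(f"{ha1}:{params['nonce']}:{ha2}")


# Sample challenge from RFC 2617 section 3.5, with no algorithm parameter,
# so the MD5 default applies.
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def rfc2617_example_response():
    """Reproduce the worked example from RFC 2617 section 3.5."""
    params = select_challenge([RFC2617_CHALLENGE])
    return digest_response(params, "Mufasa", "Circle Of Life", "GET",
                           "/dir/index.html", nc="00000001", cnonce="0a4f113b")


if __name__ == "__main__":
    print(rfc2617_example_response())  # 6629fae49393a05397450978507c4ef1
```

Two points to note when reading this against the thread: the default is applied at parse time, so the rest of the code never has to special-case a missing parameter, and the fallback in select_challenge is exactly why a server can safely advertise a non-MD5 algorithm in one challenge as long as it also offers an MD5 one for clients that only know MD5.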