tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Www-authenticate ...
Date Thu, 24 Dec 2009 02:18:35 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 12/23/2009 2:13 PM, Mark Thomas wrote:
> On 23/12/2009 16:49, Christopher Schultz wrote:
>> The servlet specification actually makes DIGEST authentication optional
>> for spec0compliant containers, which is interesting. There is also no
>> (standard) way to configure the algorithm for DIGEST authentication.
>> Tomcat allows you to do it using the "digest" attribute of the <Realm>
>> element.
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> 
> Not quite.
> 
> digest is (almost) completely orthogonal to DIGEST authentication.
> 
> digest controls whether or not the password stored on the server is held
> in plain text or in digest form. It is (almost) independent of the
> authentication mechanism used.
> 
> DIGEST is the authentication mechanism between the client and the server.

Heh, right. I had indigestion when I was reading all that documentation.
Using DIGEST authentication implies no "digest" in the <Realm> because
the passwords stored in the database are already hashed (or "digested").
Adding another digest="MD5" will simply re-hash the already-digested
credentials. I suppose someone would consider that more secure, since
it's got "more security".

> Unfortunately, due to the way DIGEST auth works, if you want digested
> passwords and DIGEST authentication you have to generate your password
> digests slightly differently.

Yup: double-digested, like a cow.

>> Note that the documentation erroneously enumerates the supported
>> algorithms as MD2, MD5, and SHA, though all algorithms supported by the
>> JVM are actually allowed (unless "SHA" referrs to all SHA-n varieties).
> 
> You know what I am going to say :). Patches for the documentation are
> always welcome.

Actually, I'm shocked you'd say something like that :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksyz3sACgkQ9CaO5/Lv0PBBhgCdFY4JYxLTE8qkYdn2SkBsZDxS
5+kAnRnzgATIgdAtv8Lp8Xi7fKEsaTaF
=w5us
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message