tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Www-authenticate ...
Date Thu, 24 Dec 2009 02:18:35 GMT
On 12/23/2009 2:13 PM, Mark Thomas wrote:
> On 23/12/2009 16:49, Christopher Schultz wrote:
>> The servlet specification actually makes DIGEST authentication optional
>> for spec-compliant containers, which is interesting. There is also no
>> (standard) way to configure the algorithm for DIGEST authentication.
>> Tomcat allows you to do it using the "digest" attribute of the <Realm>
>> element.
> Not quite.
> digest is (almost) completely orthogonal to DIGEST authentication.
> digest controls whether or not the password stored on the server is held
> in plain text or in digest form. It is (almost) independent of the
> authentication mechanism used.
> DIGEST is the authentication mechanism between the client and the server.

Heh, right. I had indigestion when I was reading all that documentation.
Using DIGEST authentication implies no "digest" in the <Realm> because
the passwords stored in the database are already hashed (or "digested").
Adding another digest="MD5" will simply re-hash the already-digested
credentials. I suppose someone would consider that more secure, since
it's got "more security".

> Unfortunately, due to the way DIGEST auth works, if you want digested
> passwords and DIGEST authentication you have to generate your password
> digests slightly differently.

Yup: double-digested, like a cow.

>> Note that the documentation erroneously enumerates the supported
>> algorithms as MD2, MD5, and SHA, though all algorithms supported by the
>> JVM are actually allowed (unless "SHA" refers to all SHA-n varieties).
> You know what I am going to say :). Patches for the documentation are
> always welcome.

Actually, I'm shocked you'd say something like that :)

-chris
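The distinction Mark draws above (the Realm's "digest" attribute hashing the stored password versus the differently built hash that DIGEST authentication needs), as an added example that is not part of the original thread. The RFC 2617 formulas and Tomcat's behaviour of storing MD5(username:realm:password) for DIGEST auth are real; the user, realm, nonce and URI values are constructed.

```python
import hashlib
import hmac

REALM = "Example Realm"  # constructed; must equal the <Realm> name the server advertises


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def realm_digest_only(password: str) -> str:
    """What digest="MD5" stores for BASIC/FORM auth: a hash of the password alone.
    That works there because the container receives the cleartext password at login."""
    return md5_hex(password)


def digest_auth_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password), the 'double-digested' form.
    With DIGEST auth the client never sends the password, so the server can only
    work from a stored hash that already embeds the user name and realm."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, password, realm, method, uri, nonce, nc, cnonce):
    # The browser derives HA1 itself from the cleartext password it holds.
    ha1 = digest_auth_ha1(username, realm, password)
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def server_verify(stored, method, uri, nonce, nc, cnonce, response) -> bool:
    # The server recomputes from whatever it STORED. If that is not HA1,
    # even the correct password can never verify.
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    """Returns (verifies_with_HA1, verifies_with_plain_password_digest)."""
    user, pw = "alice", "correct horse"  # constructed credentials
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = client_response(user, pw, REALM, "GET", "/app/", nonce, nc, cnonce)
    args = ("GET", "/app/", nonce, nc, cnonce, resp)
    return (server_verify(digest_auth_ha1(user, REALM, pw), *args),
            server_verify(realm_digest_only(pw), *args))
```

Running demo() shows the HA1-backed store accepting the login while the plain password digest rejects it, which is why Tomcat's digest tool must be fed user:realm:password when DIGEST auth is in use.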