From André Warnier
Subject Re: Www-authenticate ...
Date Thu, 24 Dec 2009 11:50:16 GMT
Mark Thomas wrote:
> On 24/12/2009 02:18, Christopher Schultz wrote:
>> On 12/23/2009 2:13 PM, Mark Thomas wrote:
>>> digest is (almost) completely orthogonal to DIGEST authentication.
>>> digest controls whether or not the password stored on the server is held
>>> in plain text or in digest form. It is (almost) independent of the
>>> authentication mechanism used.
>>> DIGEST is the authentication mechanism between the client and the server.
>> Heh, right. I had indigestion when I was reading all that documentation.
>> Using DIGEST authentication implies no "digest" in the <Realm> because
>> the passwords stored in the database are already hashed (or "digested").
>> Adding another digest="MD5" will simply re-hash the already-digested
>> credentials. I suppose someone would consider that more secure, since
>> it's got "more security".
> Still not quite right. I'll try again.
> You can use DIGEST authentication and still have the passwords stored in
> the database in plain text.
> Only the Realm's digest attribute controls whether the password is
> stored in digested form.
> Only the authentication mechanism (ignoring SSL) determines if the
> password is transmitted in plain text. BASIC and FORM transmit the
> password in plain text. DIGEST doesn't.
> A Realm's digest attribute is independent of the authentication
> mechanism apart from one situation: if you store passwords in digested
> form and use DIGEST authentication due to the way DIGEST auth works you
> have to generate password digests to store in the database slightly
> differently. This is a pain but there is no way around this.

Maybe this way, to help Chris get it:

browser <---- HTTP --------> Tomcat <-- Realm --> back-end id storage
           Authentication                digest       digested pw
             BASIC                         or
              or                         not digest   clear pw

a) browser -->  GET /url  --->    HTTPd   (/url = protected resource)
b) browser <-- 401 Auth required -- HTTPd
            (type = BASIC or DIGEST)
c) browser pops up login dialog
d) user enters id + pw
e) browser --> GET /url  ---> HTTPd
    + header : "Authorization:" (credentials)

The original discussion centers around (b) and (e), in the DIGEST case: 
is it possible for server/client to indicate/use another digest method 
than MD5, for the browser to send the credentials in the Authorization 
header to the server, in (e)?

My contention is that no existing *browser* supports another DIGEST 
method, and that the discussion is thus largely moot
... unless the client is not a standard browser.
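The distinction Mark draws (what the Realm stores vs. what travels in step (e)) can be shown with a short script; this is an added example, not code from the thread or from Tomcat. It assumes RFC 2617 DIGEST without qop, and constructed user, realm and nonce values; the three storage forms ("clear", "md5", "ha1") are my labels, not Realm attribute values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real nonce is generated by the server per challenge (step b).
USER, PASSWORD, REALM = "chris", "s3cret", "Example Realm"
NONCE, METHOD, URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/url"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def stored_credential(password: str, user: str, realm: str, form: str) -> str:
    """What the back-end id storage holds, depending on the Realm's digest setting.
    "clear": plain password; "md5": MD5(password), the plain digest="MD5" form;
    "ha1": MD5(user:realm:password), what DIGEST auth needs when passwords are digested."""
    if form == "clear":
        return password
    if form == "md5":
        return md5_hex(password)
    if form == "ha1":
        return md5_hex(f"{user}:{realm}:{password}")
    raise ValueError(form)

def basic_header(user: str, password: str) -> str:
    # Step (e) with BASIC: the password itself is in the header (base64 is encoding, not encryption).
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(user, password, realm, nonce, method, uri) -> str:
    # Step (e) with DIGEST: only MD5(HA1:nonce:HA2) is sent; the password never leaves the browser.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify_digest(stored, form, user, realm, nonce, method, uri, response) -> bool:
    """Server side of (e). HA1 can be derived from a clear password or taken from a stored HA1,
    but not recovered from MD5(password): that is why digested passwords must be generated
    differently when DIGEST auth is used."""
    if form == "clear":
        ha1 = md5_hex(f"{user}:{realm}:{stored}")
    elif form == "ha1":
        ha1 = stored
    else:
        return False  # MD5(password) cannot be turned into MD5(user:realm:password)
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    """Which storage forms can validate a correct DIGEST response from the browser."""
    resp = digest_response(USER, PASSWORD, REALM, NONCE, METHOD, URI)
    return {form: verify_digest(stored_credential(PASSWORD, USER, REALM, form), form,
                                USER, REALM, NONCE, METHOD, URI, resp)
            for form in ("clear", "ha1", "md5")}
```

Running `demo()` returns `{"clear": True, "ha1": True, "md5": False}`: the same DIGEST exchange works against clear or HA1-form storage, and fails against a plain MD5(password) store.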

