tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Valid values for digestEncoding attribute?
Date Fri, 28 Jan 2011 14:43:53 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Etienne,

On 1/28/2011 7:55 AM, Ing. Etienne V. Depasquale wrote:
> The real problem lies in the fact that Tomcat does not specify any digest
> algorithm in the www-authenticate header of HTTP/1.1, which leads the
> browser to digest the password using MD5, regardless of the value of the
> digest attribute in the <Realm> tag.

You should definitely log a bug in bugzilla for that: Tomcat should be
sending the digest algorithm to the client for DIGEST authentication.

Be sure you use a protocol analyzer to ensure that the WWW-Authenticate
header doesn't contain the digest. Otherwise, you'll waste your time
filing the bug only to have it marked as INVALID.

Also, always test with the most recent version in your version line (you
didn't say which you were using). Current versions are Tomcat 7.0.6,
6.0.30, and 5.5.31:

http://tomcat.apache.org/whichversion.html

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1C1igACgkQ9CaO5/Lv0PDSBwCcDWdYZhmI1EGrMyKFnZg5Hq+d
iLAAoKTUilFEIuAG3J8wO1P2dmwwqtXh
=BX+3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message