tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anderson, M. Paul" <>
Subject RE: Using Digested Passwords and DIGEST Authentication at the sam e time.
Date Thu, 07 Oct 2004 18:18:01 GMT
As I am knew to Tomcat I will ask you to excuse my ignorance.  I have just
realized (and I am asking those with the necessary experience to verify
this) that when you talk about "DIGEST" authentication there are really two
separate and distinct forms of it:

1.  Indicate to the BROWSER to digest the password before it is passed over
the network.  Tomcat would then extract the PLAIN TEXT password from the
database, digest it using the same algorithm and copare it to the digested
value that was just received from the browser.

2.  Indicate to the REALM that passwords in the database are stored as hash
values of the user password.  Tomcat will receive the password from the
browser in PLAIN TEXT - the realm will hash it and compare it to the
retrieved hashed password from the database.

As mentioned below, combining these two mechanisms won't work.  This happens
to be fine for me - we use SSL for all data transfer but we were storing
passwords in plain text in the database.  We'd like to store hashed values.
It is now my understanding that I can continue to use BASIC authentication
but simply configure the realm to expect hashed passwords in the database.

That really clarifies a lot (assuming I haven't bungled it).  I kept finding
opposing views concerning digestion of passwords and I couldn't find any
absolutes about it.  What a relief to finally get some insight!

Any clarification or correction of this information would be greatly
appreciated before I commit it to memory.


-----Original Message-----
From: Phillip Qin [] 
Sent: Thursday, October 07, 2004 1:17 PM
To: 'Tomcat Users List'
Subject: RE: Using Digested Passwords and DIGEST Authentication at the sam e

I don't think MD5+DIGEST will work. Take a look at any subclass of
RealmBase. Realm has nothing to do with web.xml attribute <login-config>. In
the authenticate method, Realm checks hasMessageDigest() - value of Realm
digest=. If hasMessageDigest, in your case =MD5, Realm digests the password
and compare it with the value stored in database.

-----Original Message-----
From: Shinobu Kawai [] 
Sent: October 7, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: Using Digested Passwords and DIGEST Authentication at the sam e

Hi Phillip,

> Have you tried it based on the howto?
Here's what I tried: (All with o.a.c.r.MemoryRealm)
clear text + BASIC -> works!
clear text + DIGEST -> works!
MD5 digest + BASIC -> works!
SHA digest + BASIC -> works!
MD5 digest + DIGEST -> doesn't work!
SHA digest + DIGEST -> doesn't work!

Strangely, if I enter the digested password, it passes.

Best regards,
-- Shinobu Kawai

Shinobu Kawai <>

To unsubscribe, e-mail:
For additional commands, e-mail:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message