Posted to users@tomcat.apache.org by Peter Brandt-Erichsen <pb...@adsl.intergate.ca> on 2001/10/18 02:46:35 UTC

Digest Authentication with Servlets

yeah, I guess my third question was rather vague,
what I meant in terms of superior is more widely
supported by browsers....I have read that Digest
isn't supported by many browsers, but from 
some replies to my posting I see that Netscape
and Explorer support Digest from about versions
4.5 and on.....so maybe the question is moot.

>Tomcat 4 supports DIGEST mode authentication out of the box.

Now, that is interesting! How is this implemented, through
the config files? Do you have any docs or code samples
available for this?

Thanks to everybody who replied to my 
original posting
Peter




-----Original Message-----
From: Craig R. McClanahan <cr...@apache.org>
To: tomcat-user@jakarta.apache.org <to...@jakarta.apache.org>
Date: Wednesday, October 17, 2001 9:50 AM
Subject: Re: hey folks


>
>
>On Wed, 17 Oct 2001, Peter Brandt-Erichsen wrote:
>
>> Date: Wed, 17 Oct 2001 03:22:21 -0700
>> From: Peter Brandt-Erichsen <pb...@adsl.intergate.ca>
>> Reply-To: tomcat-user@jakarta.apache.org
>> To: tomcat-user@jakarta.apache.org
>> Subject: hey folks
>>
>> I am trying to implement a Digest-Authentication
>> scheme using servlets.
>>
>> Tomcat, of course, is my container of choice :-)
>>
>> I have three questions:
>>
>> 1) does anyone have a solution that leverages
>> existing servlet or tomcat technology? so that
>> I don't have to custom code the whole shot.
>>
>
>Tomcat 4 supports DIGEST mode authentication out of the box.
>
>> 2) does anyone know, or have access to, a list
>> of the browsers that currently support
>> Digest-Authentication, and which version of
>> each supporting browser this support was
>> introduced?
>>
>
>I've tested with current versions of Netscape (4.7.x) - the user
>experience is very similar to that for BASIC authentication.  Sorry, don't
>have a clue when it was introduced.
>
>> Number 2 is a big concern for me, no sense in
>> spending resources on an authentication scheme
>> that isn't widely supported by the browsers.....
>>
>> 3) Does anyone have experience with a superior
>> authentication scheme or security scheme that
>> is widely supported and is easy to implement over
>> HTTP?
>>
>
>Depends on what you mean by "superior" :-).
>
>> Thanks in advance for any help you can provide.
>> Peter
>>
>>
>>
>>
>
>Craig
>
>
>
>



Re: Digest Authentication with Servlets

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 17 Oct 2001, Peter Brandt-Erichsen wrote:

> Date: Wed, 17 Oct 2001 17:46:35 -0700
> From: Peter Brandt-Erichsen <pb...@adsl.intergate.ca>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Digest Authentication with Servlets
>
> yeah, I guess my third question was rather vague,
> what I meant in terms of superior is more widely
> supported by browsers....I have read that Digest
> isn't supported by many browsers, but from
> some replies to my posting I see that Netscape
> and Explorer support Digest from about versions
> 4.5 and on.....so maybe the question is moot.
>
> >Tomcat 4 supports DIGEST mode authentication out of the box.
>
> Now, that is interesting! How is this implemented, through
> the config files? Do you have any docs or code samples
> available for this?
>

It's in the Servlet 2.3 Specification, which you can download from
<http://java.sun.com/products/servlet/download.html>.  In particular,
you'll want to read Chapter 12 (Security) and the parts of Chapter 13
(Deployment Descriptor) that detail the needed configuration info.

Basically, all you need to do is define a <security-constraint> in the
usual way, and then set up a login configuration like this:

  <login-config>
    <auth-method>DIGEST</auth-method>
  </login-config>

and Tomcat will perform the login dialog with the user.  From the user's
perspective, it acts almost identically to BASIC authentication.

> Thanks to everybody who replied to my
> original posting
> Peter
>

Craig
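
The configuration described in the reply above, written out as a full Servlet 2.3 deployment descriptor. This is an added example, not part of the original thread or Tomcat's own documentation; the URL pattern, role name and realm name are assumed placeholders.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Assumed placeholder path for the protected resources. -->
      <url-pattern>/protected/*</url-pattern>
      <!-- No <http-method> elements: the constraint then applies to
           every HTTP method. Listing only some methods leaves the
           unlisted ones unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed placeholder role; it must match a role that the
           container's realm assigns to the user. -->
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- DIGEST keeps the password itself off the wire, but response
           bodies still travel in the clear. CONFIDENTIAL asks the
           container to require an encrypted transport as well. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>DIGEST</auth-method>
    <!-- Assumed placeholder; sent to the browser in the challenge and
         shown in its login dialog. -->
    <realm-name>Example Digest Realm</realm-name>
  </login-config>

  <security-role>
    <!-- Declares the role referenced in <auth-constraint>. -->
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The DTD fixes the element order, so `<security-constraint>`, `<login-config>` and `<security-role>` must appear in that sequence.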