Posted to dev@tomcat.apache.org by Peter Costello <pe...@pcostello.com> on 2003/01/03 23:07:57 UTC

Digest Authentication bug in org.apache.catalina.realm.RealmBase

I apologize in advance if I am sending this bug report/fix to the
wrong group or if the fix has already been implemented.

Using JDK1.3.01 and Tomcat 4.1.12, and sun.net.HttpURLConnection,
Digest Authentication does not work.  The sun.net.HttpURLConnection
class responds to the WWW-Authenticate challenge with an HTTP Authorization
header that contains no 'nc', 'nonce' or 'qop' parameters. Although this
may not be very efficient, as best as I can tell from the spec, this is
a legal response.

org.apache.catalina.realm.RealmBase (line 373) calculates:
       String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
            + cnonce + ":" + qop + ":" + md5a2;

These null parameters get added to the string as ":null" and the MD5
encoded result 'serverDigest' does not match the 'clientDigest' and
authentication fails.

Replacing the 'serverDigestValue' with the following fixes the problem:
	String serverDigestValue = md5a1 + ":" + nOnce;
	if (nc != null) serverDigestValue += ":" + nc;
	if (cnonce != null) serverDigestValue += ":" + cnonce;
	if (qop != null) serverDigestValue += ":" + qop;
	serverDigestValue += ":" + md5a2;


==================================================================
To reproduce the problem:
	1) Start with a Tomcat 4.1.12 site with some pages requiring digest
authentication.
	   Assume username,password = "myName","myPassword"

	2) Define authenticator
		import java.net.Authenticator;
		import java.net.PasswordAuthentication;

		public class AuthImpl extends Authenticator {
			// Authentication Method: return the fixed credentials on every challenge
			protected PasswordAuthentication getPasswordAuthentication() {
				return new PasswordAuthentication("myName", "myPassword".toCharArray());
			}
		}

	3) Access the pages with the following
		import java.io.InputStream;
		import java.net.Authenticator;
		import java.net.HttpURLConnection;
		import java.net.URL;

		Authenticator.setDefault(new AuthImpl());
		URL url = new URL("http://localhost/foo.html");
		// openConnection() returns a URLConnection, so the cast is required
		HttpURLConnection uc = (HttpURLConnection) url.openConnection();
		// the 401 challenge and the digest Authorization header are handled inside getInputStream()
		InputStream in = uc.getInputStream();
		byte buf[] = new byte[4096];
		int readNum;
		while ((readNum = in.read(buf, 0, 4096)) > 0) {
			// if (out != null) out.write(buf, 0, readNum);
		}
		int status = uc.getResponseCode();

	Authentication will fail until corrected as described above.


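As an added illustration, not code from the report or from Tomcat: a small Java program that computes the server-side digest both the unconditional way quoted from RealmBase and the conditional way proposed in the report, and compares each against a client response built with and without qop. The realm name, nonce and cnonce are constructed sample values that do not appear in the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseCheck {
    // Lower-case hex MD5, the H() function of RFC 2617.
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Unconditional concatenation as quoted from RealmBase: absent parameters become ":null".
    static String buggyServerDigest(String ha1, String nonce, String nc, String cnonce, String qop, String ha2) {
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Conditional concatenation from the report. With qop present this is the RFC 2617
    // KD(HA1, nonce:nc:cnonce:qop:HA2); with all three absent it is the RFC 2069 KD(HA1, nonce:HA2).
    static String fixedServerDigest(String ha1, String nonce, String nc, String cnonce, String qop, String ha2) {
        String v = ha1 + ":" + nonce;
        if (nc != null) v += ":" + nc;
        if (cnonce != null) v += ":" + cnonce;
        if (qop != null) v += ":" + qop;
        return md5Hex(v + ":" + ha2);
    }

    public static void main(String[] args) {
        // Constructed sample values: the realm, nonce and cnonce are not taken from the report.
        String ha1 = md5Hex("myName:Example Realm:myPassword");   // H(username:realm:password)
        String ha2 = md5Hex("GET:/foo.html");                     // H(method:uri)
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";

        // Client response with no nc, cnonce or qop, as the report says sun.net.HttpURLConnection sends.
        String clientNoQop = md5Hex(ha1 + ":" + nonce + ":" + ha2);
        System.out.println("no qop, buggy server : " + clientNoQop.equals(buggyServerDigest(ha1, nonce, null, null, null, ha2)));
        System.out.println("no qop, fixed server : " + clientNoQop.equals(fixedServerDigest(ha1, nonce, null, null, null, ha2)));

        // Client response with qop=auth, nonce count and cnonce: both server variants accept it.
        String clientQop = md5Hex(ha1 + ":" + nonce + ":00000001:0a4f113b:auth:" + ha2);
        System.out.println("qop=auth, buggy server: " + clientQop.equals(buggyServerDigest(ha1, nonce, "00000001", "0a4f113b", "auth", ha2)));
        System.out.println("qop=auth, fixed server: " + clientQop.equals(fixedServerDigest(ha1, nonce, "00000001", "0a4f113b", "auth", ha2)));
    }
}
```

A client that omits qop also sends no nonce count, so the conditional form accepts RFC 2069-style responses without the per-nonce counter that nc provides for replay checking; whether a realm should accept such responses is a policy decision separate from this bug.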