Posted to users@tomcat.apache.org by DIGLLOYD INC <di...@diglloyd.com> on 2008/04/22 18:05:53 UTC

Tomcat 6 DIGEST auth

I've read this doc:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

But I cannot get it to authenticate.

I'm putting the digested password for my users into tomcat-users.xml as directed.

One problem is that it's not at all clear what the realm is--

Is the realm the <realm-name> specified in the <login-config> in  
web.xml? (eg "Tomcat Manager Application")  Or something else?  The  
docs (link above) suggest "localhost:80" might be the realm, but that  
makes no sense to me, as this would tie it to a specific port.

  <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>Tomcat Manager Application</realm-name>
  </login-config>


The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is in  
conflict with the above documentation, making no mention of digesting  
with the username and realm.  The book suggests doing:
bin/digest.sh -a MD5 user-password

But the tomcat 6 docs referenced above suggest doing:
bin/digest.sh -a MD5 username:realm-name:password

--obviously very different approaches!


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: how to populate database with SHA hash for DIGEST

Posted by Mark Thomas <ma...@apache.org>.
DIGLLOYD INC wrote:
> Chris,
> 
> I accept your point.
> 
> It's too bad the Tomcat "how to" docs don't mention this in a brief note.
> 
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> 
> I'm not on the tomcat developer group, otherwise I'd fix it.

That doesn't stop you creating a patch. Create enough good ones and you
could become a Tomcat committer.

Mark





Re: how to populate database with SHA hash for DIGEST

Posted by DIGLLOYD INC <di...@diglloyd.com>.
Chris,

I accept your point.

It's too bad the Tomcat "how to" docs don't mention this in a brief  
note.

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

I'm not on the tomcat developer group, otherwise I'd fix it.

It's even more disappointing that the books I've seen on the subject  
(several) don't mention it either.

Lloyd

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
On Aug 18, 2008, at 7:40 AM, Christopher Schultz wrote:

> Lloyd,
>
> DIGLLOYD INC wrote:
>> Answer:  SHA just doesn't work.  MD5 works fine.  I presume this is
>> because the browser has no idea what algorithm to use, and just  
>> always
>> uses MD5.
>
> You should read the definition of HTTP DIGEST auth. It doesn't just
> guess at using MD5, it is defined to use MD5.
>
> http://en.wikipedia.org/wiki/Digest_access_authentication
>
> - -chris
>




Re: how to populate database with SHA hash for DIGEST

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lloyd,

DIGLLOYD INC wrote:
> Answer:  SHA just doesn't work.  MD5 works fine.  I presume this is
> because the browser has no idea what algorithm to use, and just always
> uses MD5.

You should read the definition of HTTP DIGEST auth. It doesn't just
guess at using MD5, it is defined to use MD5.

http://en.wikipedia.org/wiki/Digest_access_authentication

- -chris



Re: how to populate database with SHA hash for DIGEST

Posted by DIGLLOYD INC <di...@diglloyd.com>.
Answer:  SHA just doesn't work.  MD5 works fine.  I presume this is  
because the browser has no idea what algorithm to use, and just always  
uses MD5.

Lloyd


On Aug 17, 2008, at 9:11 PM, DIGLLOYD INC wrote:

> How to produce the hashed password when using auth-method DIGEST ?
>
> Everything works with cleartext passwords using the following login-config in web.xml:
>
>    <login-config>
>        <auth-method>DIGEST</auth-method>
>        <realm-name>DIGLLOYD.COM</realm-name>
>    </login-config>
>
> and in context.xml:
>
>    <Realm className="org.apache.catalina.realm.JDBCRealm"
>           connectionName="test"
>           connectionPassword="test123"
>           connectionURL="jdbc:mysql://localhost/test"
>           driverName="com.mysql.jdbc.Driver"
>           userTable="UserAuth" userNameCol="username" userCredCol="password"
>           userRoleTable="UserRole" roleNameCol="role" />
>
> Now I want to add attribute digest="SHA" to the <Realm> above.  What  
> value to insert for the password in the database? Following the  
> Tomcat 6 docs, I tried inserting the value produced by the following:
>
> String credentials = username + ":" + "DIGLLOYD.COM" + ":" + password;
> org.apache.catalina.realm.RealmBase.Digest( credentials, "SHA", null);
>
> (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html)
>
> I've verified that the DB contains the hash values produced by  
> Digest().
>
> It isn't working; all attempts to login fail.
>
> Help is greatly appreciated.
>
> Lloyd Chambers
> http://diglloyd.com
>
> [Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
>
>
>
>
> On Apr 22, 2008, at 9:37 AM, Mark Thomas wrote:
>
>> DIGLLOYD INC wrote:
>>> Is the realm the <realm-name> specified in the <login-config> in  
>>> web.xml? (eg "Tomcat Manager Application")
>> Yes.
>>
>>> (link above) suggest "localhost:80" might be the realm, but that  
>>> makes no sense to me, as this would tie it to a specific port.
>> That is the default you get if you don't specify one.
>>
>>> The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is  
>>> in conflict with the above documentation, making no mention of  
>>> digesting with the username and realm.  The book suggests doing:
>>> bin/digest.sh -a MD5 user-password
>> As do the docs. This is for digested passwords with BASIC or FORM
>> auth.
>>
>>> But the tomcat 6 docs referenced above suggest doing:
>>> bin/digest.sh -a MD5 username:realm-name:password
>> This is for digested passwords with DIGEST auth.
>>
>>> --obviously very different approaches!
>> Because they have different uses.
>>
>> Mark
>>
>>




how to populate database with SHA hash for DIGEST

Posted by DIGLLOYD INC <di...@diglloyd.com>.
How to produce the hashed password when using auth-method DIGEST ?

Everything works with cleartext passwords using the following login-config in web.xml:

     <login-config>
         <auth-method>DIGEST</auth-method>
         <realm-name>DIGLLOYD.COM</realm-name>
     </login-config>

and in context.xml:

     <Realm className="org.apache.catalina.realm.JDBCRealm"
            connectionName="test"
            connectionPassword="test123"
            connectionURL="jdbc:mysql://localhost/test"
            driverName="com.mysql.jdbc.Driver"
            userTable="UserAuth" userNameCol="username" userCredCol="password"
            userRoleTable="UserRole" roleNameCol="role" />

Now I want to add attribute digest="SHA" to the <Realm> above.  What  
value to insert for the password in the database? Following the Tomcat  
6 docs, I tried inserting the value produced by the following:

String credentials = username + ":" + "DIGLLOYD.COM" + ":" + password;
org.apache.catalina.realm.RealmBase.Digest( credentials, "SHA", null);

(http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html)

I've verified that the DB contains the hash values produced by Digest().

It isn't working; all attempts to login fail.

Help is greatly appreciated.

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Apr 22, 2008, at 9:37 AM, Mark Thomas wrote:

> DIGLLOYD INC wrote:
>> Is the realm the <realm-name> specified in the <login-config> in  
>> web.xml? (eg "Tomcat Manager Application")
> Yes.
>
>> (link above) suggest "localhost:80" might be the realm, but that  
>> makes no sense to me, as this would tie it to a specific port.
> That is the default you get if you don't specify one.
>
>> The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is  
>> in conflict with the above documentation, making no mention of  
>> digesting with the username and realm.  The book suggests doing:
>> bin/digest.sh -a MD5 user-password
> As do the docs. This is for digested passwords with BASIC or FORM
> auth.
>
>> But the tomcat 6 docs referenced above suggest doing:
>> bin/digest.sh -a MD5 username:realm-name:password
> This is for digested passwords with DIGEST auth.
>
>> --obviously very different approaches!
> Because they have different uses.
>
> Mark
>
>




Re: Tomcat 6 DIGEST auth

Posted by Mark Thomas <ma...@apache.org>.
DIGLLOYD INC wrote:
> Is the realm the <realm-name> specified in the <login-config> in 
> web.xml? (eg "Tomcat Manager Application")
Yes.

> (link above) suggest "localhost:80" might be the realm, but that makes 
> no sense to me, as this would tie it to a specific port.
That is the default you get if you don't specify one.

> The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is in 
> conflict with the above documentation, making no mention of digesting 
> with the username and realm.  The book suggests doing:
> bin/digest.sh -a MD5 user-password
As do the docs. This is for digested passwords with BASIC or FORM auth.

> But the tomcat 6 docs referenced above suggest doing:
> bin/digest.sh -a MD5 username:realm-name:password
This is for digested passwords with DIGEST auth.

> 
> --obviously very different approaches!
Because they have different uses.

Mark


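The two stored-credential formats Mark distinguishes above (digest of the password alone for BASIC/FORM, digest of username:realm:password for DIGEST) and Chris's point that HTTP Digest is fixed to MD5, worked through as an added Python example; this is not code from the thread or from Tomcat, and the user name, password, nonces and request URI are constructed for illustration.

```python
import hashlib
import hmac

# Added example, not Tomcat's own code. It reproduces what the stored value
# must be for each auth method and why a SHA-digested DIGEST credential can
# never verify: the browser only ever sends an MD5-based response.


def basic_form_credential(password: str, algorithm: str = "md5") -> str:
    """Stored value for a digested BASIC or FORM realm: the digest of the
    password alone (what `bin/digest.sh -a MD5 user-password` computes)."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def digest_credential(username: str, realm: str, password: str,
                      algorithm: str = "md5") -> str:
    """Stored value for a DIGEST realm: digest of username:realm:password,
    where realm is the <realm-name> from <login-config>. With MD5 this is
    RFC 2617's HA1, the only form of the secret the server needs."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """RFC 2617 response for qop=auth. HTTP Digest fixes the hash to MD5."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def server_accepts(stored: str, client_response: str, method: str, uri: str,
                   nonce: str, nc: str, cnonce: str, qop: str) -> bool:
    """Realm-side check: recompute the response from the stored value and
    compare in constant time. A stored value that is not
    MD5(username:realm:password) simply never matches."""
    expected = digest_response(stored, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)


def demo() -> dict:
    user, realm, password = "lloyd", "DIGLLOYD.COM", "correct horse"  # constructed
    nonce, nc, cnonce, qop = "b1f3c2d4e5", "00000001", "0a4f", "auth"  # constructed
    method, uri = "GET", "/manager/html"
    # The browser computes HA1 with MD5 regardless of the realm's digest= setting.
    response = digest_response(digest_credential(user, realm, password), method, uri, nonce, nc, cnonce, qop)
    args = (response, method, uri, nonce, nc, cnonce, qop)
    return {
        "md5_stored_accepted": server_accepts(digest_credential(user, realm, password, "md5"), *args),
        "sha_stored_accepted": server_accepts(digest_credential(user, realm, password, "sha1"), *args),
        "other_realm_accepted": server_accepts(digest_credential(user, "localhost:80", password), *args),
    }
```

The third result shows the realm string is part of the secret: a credential digested with the default "localhost:80" realm does not verify against a <realm-name> of DIGLLOYD.COM.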