Posted to dev@jackrabbit.apache.org by "Douglas Jose (JIRA)" <ji...@apache.org> on 2010/10/11 11:31:32 UTC

[jira] Created: (JCR-2773) HTTP digest authentication support

HTTP digest authentication support
----------------------------------

                 Key: JCR-2773
                 URL: https://issues.apache.org/jira/browse/JCR-2773
             Project: Jackrabbit Content Repository
          Issue Type: New Feature
            Reporter: Douglas Jose
         Attachments: http-digest.patch

I have extended Jackrabbit to allow HTTP digest authentication through WebDAV, as Windows 7 can't connect to a WebDAV repository using basic authentication.
The implementation is based on Tomcat's source code (I have used it as a reference to implement the same authentication handling in Jackrabbit). I hope that's not a problem.

In order to enable the digest authentication, you need to:

- Change the WebDAV servlet from 'org.apache.jackrabbit.j2ee.SimpleWebdavServlet' to 'org.apache.jackrabbit.j2ee.DigestWebdavServlet' in the web.xml file.
- Change the LoginModule to 'org.apache.jackrabbit.core.security.simple.DigestLoginModule' in the repository.xml file.
- Add the parameter 'passwordsFile' to the DigestLoginModule with the path of the passwords file.
- Add to the passwords file created above the user id and the password digest. The utility DigestPasswordUtil in the jackrabbit-jcr-commons project can be used to generate the entry to be appended to the passwords file.

java -cp target/jackrabbit-jcr-commons-2.2-SNAPSHOT.jar org.apache.jackrabbit.util.DigestPasswordUtil user realm password

The DigestLoginModule configuration is optional; I believe the DigestWebdavServlet should work normally with the SimpleLoginModule, which accepts any credentials.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (JCR-2773) HTTP digest authentication support

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12920528#action_12920528 ] 

Jukka Zitting commented on JCR-2773:
------------------------------------

Looks good, thanks! Some comments:

* The DigestCredentials class is probably best placed in jackrabbit-api. Alternatively it might be better to avoid the DigestCredentials class entirely and instead use the attributes feature of the SimpleCredentials class to pass around the digest fields.

* It would be good if the code from Tomcat is labelled with a pointer to the original classes.

* I'd rather avoid putting the digest utility code in jackrabbit-jcr-commons, as it's not directly related to JCR. It would be better to simply place the utility code in jackrabbit-core along with the DigestLoginModule class.

* It would be nice if the UserManager interface was used to access the digest password information instead of an explicit password file.

Additionally, would it be possible to simultaneously support both Basic and Digest authentication, so that you wouldn't need to modify server configuration based on the kinds of clients you have accessing the server?



[jira] Commented: (JCR-2773) HTTP digest authentication support

Posted by "Douglas Jose (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12920756#action_12920756 ] 

Douglas Jose commented on JCR-2773:
-----------------------------------

I'm going to implement the first three enhancements suggested in the list. Thanks for the hints.

Regarding the UserManager interface, I believe it cannot be used, as one of the limitations of the digest authentication is that it must be aware of the user's password (or the concatenation of user, realm and password, as currently implemented). As far as I know, the existing user management mechanism doesn't store the user's clear text password (or any data from which such a password could be derived).

Simultaneous support for basic and digest authentication, as far as I know, cannot be implemented. The protocol says that the server informs the client which method is being used (via header parameters); they don't negotiate which one to use. However, I'm not an expert on this subject, so please let me know if I'm wrong; the conclusions I'm drawing here are based on the Tomcat code I used as a reference to understand the protocol.



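Added example, not part of the thread or of the attached patch: RFC 2617 digest verification using only a stored MD5(user:realm:password) value, which is the kind of entry the passwords-file discussion above concerns. The `user:realm:HA1` line layout and all function names are assumptions; the sample request uses the values from the RFC 2617 section 3.5 example.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_entry(user, realm, password):
    # Assumed line layout "user:realm:HA1"; the page does not show the real format.
    # HA1 = MD5(user:realm:password) is password-equivalent within this realm,
    # so the file holding it needs the same protection as clear-text passwords.
    ha1 = md5_hex("%s:%s:%s" % (user, realm, password))
    return "%s:%s:%s" % (user, realm, ha1)


def load_ha1(lines, user, realm):
    # Return the stored HA1 for (user, realm), or None if there is no entry.
    prefix = "%s:%s:" % (user, realm)
    for line in lines:
        line = line.strip()
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def expected_response(ha1, method, auth):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = md5_hex("%s:%s" % (method, auth["uri"]))
    fields = [ha1, auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"], ha2]
    return md5_hex(":".join(fields))


def verify(lines, method, auth):
    # Nonce freshness and nc replay checks are not covered here.
    ha1 = load_ha1(lines, auth["username"], auth["realm"])
    if ha1 is None or auth.get("qop") != "auth":
        return False
    want = expected_response(ha1, method, auth).encode("utf-8")
    # Constant-time comparison of the expected and received response values.
    return hmac.compare_digest(want, auth["response"].encode("utf-8"))


# Sample values from the RFC 2617 section 3.5 example.
PASSWORDS = [make_entry("Mufasa", "testrealm@host.com", "Circle Of Life")]
RFC_AUTH = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(verify(PASSWORDS, "GET", RFC_AUTH))
```

The server side never sees the password here, only the stored HA1; a hash of the password alone, without user and realm, would not let it recompute the response.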

[jira] Updated: (JCR-2773) HTTP digest authentication support

Posted by "Douglas Jose (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Douglas Jose updated JCR-2773:
------------------------------

    Attachment: JCR-2773.patch

Implementation of the suggested refactorings.



[jira] Commented: (JCR-2773) HTTP digest authentication support

Posted by "Douglas Jose (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12919765#action_12919765 ] 

Douglas Jose commented on JCR-2773:
-----------------------------------

I haven't chosen the components in this issue as the code is spread through several components (namely jackrabbit-core, jackrabbit-jcr-server, jackrabbit-jcr-commons and jackrabbit-webapp). I am not sure if I chose the best components and packages for the new classes in the attached patch.



[jira] Updated: (JCR-2773) HTTP digest authentication support

Posted by "angela (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated JCR-2773:
------------------------

    Component/s: security
                 jackrabbit-webapp
                 jackrabbit-jcr-server
                 jackrabbit-core



[jira] Updated: (JCR-2773) HTTP digest authentication support

Posted by "Douglas Jose (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Douglas Jose updated JCR-2773:
------------------------------

    Attachment: http-digest.patch

Implementation of HTTP digest authentication
