Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/03/21 05:39:32 UTC
DO NOT REPLY [Bug 52953] New: Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52953
Bug #: 52953
Summary: Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
Product: Tomcat 7
Version: trunk
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: neale@metawerx.net
Classification: Unclassified
Created attachment 28487
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28487
patch against the current 8.0.0-dev trunk adding toLowerCase on hash retrieval
Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in
uppercase.
This is not a problem if the hashes are generated by CATALINA/bin/digest.sh,
but if they are prepared with other software which generates uppercase hex
strings for hashes, it can be very confusing trying to figure out why digest
authentication is not working.
The other hash comparisons use equalsIgnoreCase() to compare the hashes, but
the digest version of RealmBase.authenticate() prepares the serverDigestValue
by taking the Principal's hash (as is) and prepending it to the nonce and other
digest fields, and then rehashing.
As a result, the final hash serverDigest is not the same as the clientDigest
value that comes from the browser.
To test, change an MD5 DIGEST hash to upper case and attempt to authenticate.
The provided one-line patch against the current 8.0.0-dev trunk simply uses
toLowerCase on the retrieved server-side hash.
Best Regards,
Neale Rudd
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
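A worked model of the comparison the report describes, added here as an example and not code from the report or from Tomcat itself. It reproduces the RFC 2617 response calculation on both sides: the client hashes from a lowercase HA1, the server rehashes whatever hex string is stored, so an uppercase stored hash changes the input bytes and the final digests differ. The user, realm, password, nonce and URI values are constructed, and the `server_authenticate`/`basic_authenticate` functions are a simplified stand-in for RealmBase, not its real API.

```python
import hashlib

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# Constructed sample values (not taken from the bug report).
USER, REALM, PASSWORD = "tomcat", "Example Realm", "s3cret"
METHOD, URI = "GET", "/manager/html"
NONCE, NC, CNONCE, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"

def ha1(user: str, realm: str, password: str) -> str:
    # What digest.sh produces for a DIGEST realm: MD5(user:realm:password), lowercase hex.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex: str) -> str:
    # RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    # Note that HA1 enters as its hex text, so its letter case changes the bytes being hashed.
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1_hex}:{NONCE}:{NC}:{CNONCE}:{QOP}:{ha2}")

def client_response() -> str:
    # The browser always works from the lowercase hex it computes itself.
    return digest_response(ha1(USER, REALM, PASSWORD))

def server_authenticate(stored_ha1: str, client_digest: str, normalise: bool = False) -> bool:
    # Stand-in for the DIGEST branch of RealmBase.authenticate(): the stored hash is
    # prepended to the nonce and other fields and rehashed. Case-insensitive comparison
    # of the *final* digests cannot help, because the inputs already differ.
    if normalise:
        stored_ha1 = stored_ha1.lower()  # the one-line fix proposed in the report
    return digest_response(stored_ha1) == client_digest

def basic_authenticate(stored_hash: str, password: str) -> bool:
    # BASIC with digested passwords compares hex strings with equalsIgnoreCase(),
    # which is why uppercase storage is harmless there.
    return md5_hex(password).lower() == stored_hash.lower()

def demo() -> dict:
    lower, resp = ha1(USER, REALM, PASSWORD), client_response()
    upper = lower.upper()
    return {
        "digest_lowercase_stored": server_authenticate(lower, resp),
        "digest_uppercase_stored": server_authenticate(upper, resp),
        "digest_uppercase_stored_fixed": server_authenticate(upper, resp, normalise=True),
        "basic_uppercase_stored": basic_authenticate(md5_hex(PASSWORD).upper(), PASSWORD),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'authenticated' if ok else 'REJECTED'}")
```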
DO NOT REPLY [Bug 52953] Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52953
Mark Thomas <ma...@apache.org> changed:
What                         | Removed                  | Added
-----------------------------|--------------------------|-----------
Attachment #28487 is patch   | 0                        | 1
Attachment #28487 mime type  | application/octet-stream | text/plain
DO NOT REPLY [Bug 52953] Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52953
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution |         | FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> 2012-03-21 10:03:57 UTC ---
Thanks for the report and the patch.
A slightly modified version has been applied to trunk and 7.0.x and will be
included in 7.0.27 onwards.