Posted to dev@tomcat.apache.org by Attila Szegedi <sz...@freemail.hu> on 2001/09/07 10:51:11 UTC

Digest authentication in Tomcat?

Hi!

If I see correctly (after testing for it and browsing source extensively),
the 3.2 product line of Tomcat does not support the Digest authentication
scheme (RFC 2069). Could you confirm this? Also, please let me know if 3.3
or 4.0 support Digest.

In case they don't, I'm ready to provide an implementation (in fact, I
already started working on it). The issue is a bit tricky as right now all
available Realm implementations (the SimpleRealm and the JDBCRealm) assume
the password can be extracted from the request, and this is (fortunately!)
not true for Digest. I have an elegant idea for working around it, however I
wouldn't like to reinvent the wheel, so please let me know if this is
already done.

NB: I need Digest so that I can have a fully compliant WebDAV service, since
the page 78 of RFC 2518 clearly states that "WebDAV applications MUST
support the Digest authentication scheme". In face of this, the Tomcat's
peer project Slide can also not achieve full WebDAV compliance if it lacks
Digest authentication.

Cheers,
  Attila.


Re: Digest authentication in Tomcat?

Posted by Attila Szegedi <sz...@freemail.hu>.
>
> Ok, but that would still require some modifications in the JDBC realm, for
> example, because it has the annoying habit to store H(password) ;-)
> I was planning to add a mechanism a bit like you describe, but after 4.0.

Right, I had to touch existing realm code as well, since current realms rely
on the ability to extract the password from the request - which is not
possible with DIGEST (since that's the whole point of it). In effect, I
revamped realms to

if (ctx != null && "DIGEST".equals(ctx.getAuthMethod()))
{
   ... new code   // verify the Digest response against the stored H(username ":" realm ":" password)
}
else
{
   ... old code   // compare the clear-text password extracted from the request
}


>
> Remy

Attila


Re: Digest authentication in Tomcat?

Posted by Remy Maucherat <re...@apache.org>.
> > Tomcat 4.0 already supports DIGEST, but only if the realm can return
> > clear text passwords. Designing a scheme to store the limited digest in
> > the realm should be possible, but should be postponed until 4.1.
>
> My implementation works with the situation where server only knows
> H(username ":" realm ":" password)

Ok, but that would still require some modifications in the JDBC realm, for
example, because it has the annoying habit to store H(password) ;-)
I was planning to add a mechanism a bit like you describe, but after 4.0.

> > Also, IE supports DIGEST.
>
> My IE 5.5 fails with DIGEST. I've checked by an experimental installation
> of Apache 1.3.7. IE 5.5, NN 6 and NN 4.72 failed to process the
> authentication request (NN 4.72 returned Basic authentication :-)) Opera
> succeeded cleanly.

NN doesn't support DIGEST, that's for sure.
IE 5.0 did, and I was able to use it with TC 4.0 implementation of DIGEST.
Of course, that was some time ago, and I never tried with 6.0.

Remy


Re: Digest authentication in Tomcat?

Posted by Attila Szegedi <sz...@freemail.hu>.
----- Original Message -----
From: "Remy Maucherat" <re...@apache.org>
To: <to...@jakarta.apache.org>
Sent: 2001. szeptember 7. 18:13
Subject: Re: Digest authentication in Tomcat?


> Tomcat 4.0 already supports DIGEST, but only if the realm can return clear
> text passwords. Designing a scheme to store the limited digest in the
> realm should be possible, but should be postponed until 4.1.

My implementation works with the situation where server only knows
H(username ":" realm ":" password)

>
> Also, IE supports DIGEST.

My IE 5.5 fails with DIGEST. I've checked by an experimental installation of
Apache 1.3.7. IE 5.5, NN 6 and NN 4.72 failed to process the authentication
request (NN 4.72 returned Basic authentication :-)) Opera succeeded cleanly.

Attila.



>
> Remy
>
>
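To make concrete what the two messages above turn on (a realm that stores only H(username ":" realm ":" password) can verify a Digest response, while one that stores H(password) cannot), here is an added illustration in Python. It is not Attila's patch, nor Tomcat's realm or authenticator code; it assumes the RFC 2069 (no qop) and RFC 2617 (qop=auth) response formulas, uses the RFC 2617 worked-example credentials as constructed sample data, and stands in a plain set for whatever nonce bookkeeping a real server keeps.

```python
import hashlib
import re
import secrets

# Constructed sample credentials: the worked example from RFC 2617, not
# anything taken from the Tomcat thread or its realm implementations.
USERNAME = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"


def md5_hex(data: str) -> str:
    """H() as Digest defines it: hex-encoded MD5 (fixed by the protocol)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """The only secret a Digest-capable realm must store: H(username ":" realm ":" password).
    A realm that keeps H(password) instead cannot derive this value."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Response digest for RFC 2069 (no qop) or RFC 2617 with qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled here")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce,
                         qop=None, nc=None, cnonce=None):
    """Browser side: the only party that ever sees the clear-text password."""
    ha1 = make_ha1(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{realm}"',
             f'nonce="{nonce}"', f'uri="{uri}"']
    if qop is not None:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    parts.append(f'response="{response}"')
    return "Digest " + ", ".join(parts)


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in _PARAM_RE.findall(params)}


def realm_verify(stored_ha1, method, header, expected_realm, issued_nonces) -> bool:
    """Server side: authenticate from the stored HA1 alone; the password is never needed.
    issued_nonces is a stand-in (assumption) for the server's real nonce tracking."""
    p = parse_authorization(header)
    if p.get("realm") != expected_realm or p.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(stored_ha1, method, p.get("uri", ""), p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return secrets.compare_digest(expected, p.get("response", ""))


def demo():
    """Round-trip both RFC forms, then show a tampered URI and a stale nonce failing."""
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # nonce from the RFC 2617 example
    stored = make_ha1(USERNAME, REALM, PASSWORD)    # what the realm keeps, instead of H(password)
    with_qop = client_authorization(USERNAME, REALM, PASSWORD, "GET", "/dir/index.html",
                                    nonce, "auth", "00000001", "0a4f113b")
    rfc2069 = client_authorization(USERNAME, REALM, PASSWORD, "GET", "/dir/index.html", nonce)
    tampered = with_qop.replace('uri="/dir/index.html"', 'uri="/dir/other.html"')
    return {
        "qop_auth": realm_verify(stored, "GET", with_qop, REALM, {nonce}),
        "rfc2069": realm_verify(stored, "GET", rfc2069, REALM, {nonce}),
        "tampered_uri": realm_verify(stored, "GET", tampered, REALM, {nonce}),
        "stale_nonce": realm_verify(stored, "GET", with_qop, REALM, set()),
    }


if __name__ == "__main__":
    print(demo())
```

The realm's stored value is itself equivalent to the password for this one realm, so it still has to be protected like a password; the gain is that the clear-text password never crosses the wire and the server never has to reconstruct it, which is exactly why a realm that only holds H(password) cannot participate without a schema change.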

Re: Digest authentication in Tomcat?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 7 Sep 2001, Remy Maucherat wrote:

> Date: Fri, 7 Sep 2001 09:13:29 -0700
> From: Remy Maucherat <re...@apache.org>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Digest authentication in Tomcat?
>
> > Just wanted you to know: I've done with implementing Digest authentication
> > in Tomcat 3.2.1 code, will incorporate it into current 3.2.x latest code
> > from CVS. The funny thing is that so-called "mainstream" browsers (IE and
> > NN; tried many versions this afternoon) DO NOT support the Digest
> > authentication scheme... However, Opera does, so I finally have a test
> > environment :-). I think I like that browser more and more.
>
> Tomcat 4.0 already supports DIGEST, but only if the realm can return clear
> text passwords. Designing a scheme to store the limited digest in the
> realm should be possible, but should be postponed until 4.1.
>

By the way Costin, this support is *not* in the core -- it's in a plug-in
authenticator valve that's only added if you select DIGEST authentication
:-).  Same is true for the other login methods, and none of them are added
(i.e. zero overhead) if your app does not use container managed security.

> Also, IE supports DIGEST.
>
> Remy
>
>
Craig



Re: Digest authentication in Tomcat?

Posted by Remy Maucherat <re...@apache.org>.
> Just wanted you to know: I've done with implementing Digest authentication
> in Tomcat 3.2.1 code, will incorporate it into current 3.2.x latest code
> from CVS. The funny thing is that so-called "mainstream" browsers (IE and
> NN; tried many versions this afternoon) DO NOT support the Digest
> authentication scheme... However, Opera does, so I finally have a test
> environment :-). I think I like that browser more and more.

Tomcat 4.0 already supports DIGEST, but only if the realm can return clear
text passwords. Designing a scheme to store the limited digest in the
realm should be possible, but should be postponed until 4.1.

Also, IE supports DIGEST.

Remy


Re: Digest authentication in Tomcat?

Posted by Attila Szegedi <sz...@freemail.hu>.
Just wanted you to know: I've done with implementing Digest authentication
in Tomcat 3.2.1 code, will incorporate it into current 3.2.x latest code
from CVS. The funny thing is that so-called "mainstream" browsers (IE and
NN; tried many versions this afternoon) DO NOT support the Digest
authentication scheme... However, Opera does, so I finally have a test
environment :-). I think I like that browser more and more.

Attila.


Re: Digest authentication in Tomcat?

Posted by Attila Szegedi <sz...@freemail.hu>.
----- Original Message -----
From: <cm...@yahoo.com>
To: <to...@jakarta.apache.org>
Sent: 2001. szeptember 7. 17:38
Subject: Re: Digest authentication in Tomcat?


>
> In 3.3 we tried to make it easy to add modules ( and all the
> functionality is implemented in modules ), it's just like adding a
> webapplication. The idea is to reduce the pressure on the official
> release, reduce the 'featurism', keep tomcat simple, etc.
>

I'll look into 3.3 architecture. Right now I have a proof-of-concept
implementation coded against 3.2.1 source.
Attila.


>
> Costin
>
>
> On Fri, 7 Sep 2001, Attila Szegedi wrote:
>
> > Hi!
> >
> > If I see correctly (after testing for it and browsing source extensively),
> > the 3.2 product line of Tomcat does not support the Digest authentication
> > scheme (RFC 2069). Could you confirm this? Also, please let me know if 3.3
> > or 4.0 support Digest.
> >
> > In case they don't, I'm ready to provide an implementation (in fact, I
> > already started working on it). The issue is a bit tricky as right now all
> > available Realm implementations (the SimpleRealm and the JDBCRealm) assume
> > the password can be extracted from the request, and this is (fortunately!)
> > not true for Digest. I have an elegant idea for working around it, however I
> > wouldn't like to reinvent the wheel, so please let me know if this is
> > already done.
> >
> > NB: I need Digest so that I can have a fully compliant WebDAV service, since
> > the page 78 of RFC 2518 clearly states that "WebDAV applications MUST
> > support the Digest authentication scheme". In face of this, the Tomcat's
> > peer project Slide can also not achieve full WebDAV compliance if it lacks
> > Digest authentication.
> >
> > Cheers,
> >   Attila.
> >
> >
>
>


Re: Digest authentication in Tomcat?

Posted by cm...@yahoo.com.
Hi Attila,

Tomcat 3.x standalone doesn't support digest auth. If you can contribute
code - it would be great.

I'm personally more interested in making sure Apache/IIS/NES is well
integrated and allows the real server do the authentication - but I know
few people who love tomcat standalone :-).

Given the timeframe ( we're late in beta ), I'm not sure we can add the
digest support in the 'standard' release of 3.3 ( and less likely in a
bugfix release of 3.2.x ), however it would be an excellent candidate for
an 'independent' module.

In 3.3 we tried to make it easy to add modules ( and all the
functionality is implemented in modules ), it's just like adding a
webapplication. The idea is to reduce the pressure on the official
release, reduce the 'featurism', keep tomcat simple, etc.


Costin


On Fri, 7 Sep 2001, Attila Szegedi wrote:

> Hi!
>
> If I see correctly (after testing for it and browsing source extensively),
> the 3.2 product line of Tomcat does not support the Digest authentication
> scheme (RFC 2069). Could you confirm this? Also, please let me know if 3.3
> or 4.0 support Digest.
>
> In case they don't, I'm ready to provide an implementation (in fact, I
> already started working on it). The issue is a bit tricky as right now all
> available Realm implementations (the SimpleRealm and the JDBCRealm) assume
> the password can be extracted from the request, and this is (fortunately!)
> not true for Digest. I have an elegant idea for working around it, however I
> wouldn't like to reinvent the wheel, so please let me know if this is
> already done.
>
> NB: I need Digest so that I can have a fully compliant WebDAV service, since
> the page 78 of RFC 2518 clearly states that "WebDAV applications MUST
> support the Digest authentication scheme". In face of this, the Tomcat's
> peer project Slide can also not achieve full WebDAV compliance if it lacks
> Digest authentication.
>
> Cheers,
>   Attila.
>
>