When all else fails, look at the source code (Dave, thanks for the
suggestion). There is no support for SHA-1 in Tomcat's implementation of
DigestAuthenticator. It should be easy enough to implement, provided the
java.security.MessageDigest that is implemented with SHA-1. I'll give
this a try tomorrow- no midnight java tonight.
Post by Mark LeoneDave, thanks very much for your help. Unfortunately, the passage you
quoted is referring to how the password is digested when it is stored
in the realm. This is working fine for me, and I've been able to
configure it to use SHA-1 or MD-5 algorithms by setting the digest
attribute in the <realm/> element to either "SHA" or "MD5", which are
the appropriate keywords to identify those algorithms.
What I described above works fine when I select BASIC authentication
by putting the following in my web.xml
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JDBCRealm</realm-name>
</login-config>
However, I change "BASIC" above to "DIGEST" to induce the server to
tell the client that DIGEST authentication is required, meaning that
instead of sending the username and password as a Base64 encoded text
string, which anyone can decode and thereby compromise the user's
credentials, it will send a hash of the username and password, with a
random value and a sequence counter generated by the server also
included as an input to the hash function. This of course is a much
more secure way to send login credentials. According to the spec that
governs DIGEST access authentication (rfc2617), if the server does not
explicitly specify a hash algorithm in the www-authenticate header of
the HTTP response message (status 401- unauthorized), it defaults to
MD5. So after much thrashing around, I discovered that I could only
get DIGEST authentication to work by specifying MD-5 in the <realm/>
digest attribute, and then letting the client default to using MD5 for
the DIGEST authentication algorithm, since Tomcat is not specifying
the algorithm in the HTTP header (which I verified with an HTTP
monitor tool).
What I would LIKE to do is use SHA-1, since it's a more secure
algorithm (and because I have engineer's disease, and I have to figure
out how to do something even if there's an almost-as-good
alternative). I know I can set the <realm/> digest attribute to SHA-1,
but I don't know how I cant tell Tomcat to require SHA-1 algorithm in
the www-authenticate response header. I found a method that does this
Post by David Owensorg.apache.catalina.authenticator.DigestAuthenticator.setAuthenticateHeader()<<
But I'd like to do it with a configuration parameter. I've looked
thorough all the Tomcat docs, and I see nothing that appears to do
this. I opened the Servlet spec and looked at the XSD for the web.xml
document, and there appears to be nothing there that can set the
DIGEST algorithm. Perhaps it can be set in the server.xml file. I'm
going to look for that XSD next, but if anyone knows off-hand what the
parameter is, please enlighten me.
If there's not a configuration parameter, could someone tell me how to
do this programmatically? I'm fairly new to Tomcat, and I think I can
figure out how to get access to the aforementioned
setAuthenticateHeader() method in the servlet context, but I don't
know how to make the container do that for the duration of a browser
session, as opposed to setting the www-authenticate header every time
my JSP or servlet is called.
-Mark
Post by David OwensWhen a standard realm authenticates by retrieving the stored password
and comparing it with the value presented by the user, you can select
digested passwords by specifying the *digest* attribute on your <Realm>
element. The value for this attribute must be one of the digest
algorithms supported by the java.security.MessageDigest class (SHA, MD2,
or MD5). When you select this option, the contents of the password that
is stored in the Realm must be the cleartext version of the password, as
digested by the specified algorithm.
I have starred the word digest. If you look at the source for the page
you will notice the word digest is in <code> tags, and I think they are
trying to indicate this is a key word you can use in the <realm> tag.
Let us know if this works for you.
|)ave
-----Original Message-----
23, 2005 1:53 AM
To: Tomcat Users List
Subject: Re: DIGEST authentication; Does it work??
So at 3:00 AM I decided to read the Basic and Digest Access
Authentication spec (RFC 2617), and it says that MD5 is the default hash
algorithm. I had previously seen that Tomcat wasn't sending any response
headers explicitly specifying the hash algorithm, even though I had
specified SHA in the <realm/> element in Server.xml. So I changed my
digest algorithm for the realm to MD5, and DIGEST authentication is
now working.
I'd like to make it work with SHA-1. I've looked all through the
Tomcat documentation, and I can't find a configuration parameter to
set the www-authenticate response header to indicate SHA-1 algorithm
for the digest. I see the API that supports this in
org.apache.catalina.authenticator.DigestAuthenticator (
setAuthenticateHeader() ), but I can't find a configuration parameter
that will determine the value for "algorithm" passed to this method.
Does anyone know how I can set this?*
*
-Mark
I found a silly classpath error that fixed the problem using
RealmBase. I didn't realize that my system still had environment
variable %catalina_home% pointing to an old tomcat 4.1.24 directory.
So when I opened a command window to generate digest values I was
executing RealmBase in tomcat 4.1.24. But guess what. When I digest
the same info with the same algorithm specifier (SHA) in Tomcat 4.1.24
and Tomcat 5.5.8 I get different digest values. And DIGEST
authentication still doesn't work, in either case. Something very
strange is going on here. :(
-Mark
Post by Mark LeoneOkay, I was using 5.5.7. So I just downloaded the source and built
5.5.8, and things got worse. Digest authentication is not working for
me. I believe I've set everything up correctly. Using an HTTP monitor
I see a 401 response coming back from Tomcat with a
www-authenticate header whose parameters specify digest
authentication and identify the realm as JDBCRealm. And I have a
digested password that I created
by digesting {username}:JDBCRealm:{password} (including the colons-
is that correct?), as directed in the how-to documentation. But
when I enter that username and password, the authentication fails.
Now I used SHA-1 to digest the password, and my <realm/> element in
Server.xml identifies SHA as the digest algorithm for digesting
passwords. Does this mean that the DIGEST authentication will also be
done using SHA-1? Or do I need to specify that somewhere? Am I
missing something else?
I said it got worse with 5.5.8 because now I can't even get RealmBase
to generate a digested password. I enter
java -cp %catalina_home%\server\lib\catalina.jar
org.apache.catalina.realm.RealmBase -a SHA
{username}:JDBCRealm:{password}
org/apache/commons/lo
gging/LogFactory at
org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)
So it's finding RealmBase, but while executing that code it fails
to find LogFactory. I don't see an org\apache\commons path in any
of the
class directories generated during the build. Do I have a defective
build? Was I supposed to download something else?
-Mark
Post by Mark ThomasYes it does. I tested this extensively with both IE and Firefox. Any
Auth: BASIC, FORM, DIGEST
Realm: Memory, UserDatabase, JDBC, DataSource
Passwords: Cleartext, digested
There is a complication when using digested passwords with the
digest realm.
You need to be using 4.1.x from CVS HEAD or 5.5.8+
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Mark
Post by Mark LeoneI'm trying to use DIGEST authentication with Tomcat, and it doesn't
seem to work. I found some articles with Google about IE
implementing DIGEST authentication in a way that only worked with
MS servers, and I assume that hasn't been corrected. But I'm also
using Firefox with the same results as IE. I saw an article about a
workaround in Apache server to make DIGEST authentication work with
IE, but I didn't see anything about Tomcat. Anyone know of any
way to get DIGEST authentication in Tomcat to work with ANY browser?
I should mention that I'm also using digested passwords in a
JDBC Realm (implemented with mySQL), and I followed the how-to
instructions for creating digested passwords to work with DIGEST
authentication. And authentication with JDBCRealm works fine when I
use BASIC authentication.
For the record, I put the following in the Host element in
Server.xml
Post by Mark LeonePost by Mark ThomasPost by Mark Leone<Context path="/MyApp" docBase="MyApp">
<Valve
className="org.apache.catalina.authenticator.DigestAuthenticator"
disableProxyCaching="false" />
</Context>
I put the following in Server.xml's Engine element
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql:///Tomcat_Realm" userTable="users"
userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>
And I put the following in my app's web.xml
<security-constraint.../> (elided)
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>JDBCRealm</realm-name>
</login-config>
<security-role.../> (elided)
And when I created the digested password to store in my JDBCRealm
database, I digested: (username) : JDBCRealm : (password). As
you can see, I specified "SHA" as the digest algorithm in
Server.xml's <realm> element, and I used SHA to create the
digested password that I stored in the database. I assume that
the server will prompt
the browser to use SHA also when it sends the challenge header
requesting DIGEST authentication?
---------------------------------------------------------------------
---------------------------------------------------------------------
Post by Mark Leone---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------