Subject: Re: How to decrypt the DIGEST authentication?

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Tomcat - JSP/Servlet container

Struts - A MVC web framework

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

JSP - A mailing list about Java Server Pages specification and reference

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Subject: Servlet : Session invalidate
•	Oracle Connection Pooling in 3 2 2
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Subject: Running a Simple JMS Example
•	Tomcat and webapplication specific java library path
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	Value attribute of <html:checkbox
•	url string for connecting jboss to oracle
•	javax servlet ServletException: BeanUtils populate
•	5 0 18: Windows XP Pro vs Windows 2000
•	HTTP Status 404 The requested resource is not available

Subject: Re: How to decrypt the DIGEST authentication?

Subject: Re: How to decrypt the DIGEST authentication?

2007-11-02 - By Johnny Kewl

Back

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --

Zhong, havnt been following this, so shoot my wife if this is stupid...

I dont think you can do what you want to...
I dont think you can use web based DIGEST authentication.
And then hide passwords in a MD5 digest as well.

I think web based DIGEST authentication, MUST get at the plain text
password.
If you change that to BASIC, THEN you can MD5 the plain text password.

DIGEST on the web is better though....

This is not a Tomcat problem, its just the way DIGEST works....
The browser taks the PASSWORD + Some Random stuff and gets a HASH from that.

That process has to be repeated on the server, and SHA(Password) + plus some
random stuff NOT EQUAL to browser...
I think it has to be a plain text password... unless TC does something
unbelievable...

Have to choose.... its just the way web security works ;(

-- -- Original Message -- --
From: "zhongliang zhang" <zhangzhongl@(protected)>
To: "Tomcat Users List" <users@(protected)>
Sent: Friday, November 02, 2007 3:14 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?

Hi,Mark,
I have to turn to you again.
I encounter the problem with configuring the Digested-Password in the
JDBCRealm.
The JDBCRealm fragment of the $TOMCAT_HOME/conf/server.xml is shown as
followed:
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost/test" connectionName="root"
connectionPassword="root" userTable="users"
userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
and in the $TOMCAT_HOME/conf/web.xml,I did the following
security-constraint:
<security-constraint> <web-resource-collection>
<web-resource-name>all</web-resource-name> <url-pattern>/*</url-pattern>
</web-resource-collection> <auth-constraint>
<role-name>customized</role-name>
</auth-constraint></security-constraint><login-config>
<auth-method>DIGEST</auth-method>
<realm-name>JDBCRealm</realm-name></login-config>
it works with mysql database which is just for testing.Now in my database
table users,I insert a record:
user_name:zhangzhongl
user_pass:zhangzhongl
and in the database table,I insert a record:
role_name:customized
username:zhangzhongl
So,it works before I added the digest attribute to the <Realm> element with
value "SHA" or "MD5".
After I added the digest attribute,I copied the tomcat-juli.jar from
$TOMCAT_HOME/bin to $TOMCAT_HOME/lib,then start up,
after I entered the username zhangzhongl and clear-text password(Now,in the
database,I stored the password with SHA encrypted form),it does now
work,which means I can not enter the tomcat welcome page.

I do not know what the reason is.
Please do me a favor.
thanks so much!> >
http://tomcat.apache.org/tomcat-6 (See http://cat-6.ora-code.com).0-doc/realm-howto.html#Digested%20Passwords>
>
Mark>
> -- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------> To
start a new topic, e-mail: users@(protected)> To unsubscribe, e-mail:
users-unsubscribe@(protected)> For additional commands, e-mail:
users-help@(protected)>
__ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ __
Connect to the next generation of MSN Messenger
http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source
=wlmailtagline

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)