How to decrypt the DIGEST authentication? 2007-11-04 - By Mark Thomas
Mark Thomas wrote:
> Johnny Kewl wrote:
>> I don't think you can do what you want to...
>> I don't think you can use web based DIGEST authentication.
>> And then hide passwords in a MD5 digest as well.
>
> Yes you can.
>
>> I think web based DIGEST authentication, MUST get at the plain text
>> password.
>
> No.
>
>> That process has to be repeated on the server, and SHA(Password) + plus
>> some random stuff NOT EQUAL to browser...
>> I think it has to be a plain text password... unless TC does something
>> unbelievable...
>
> Not unbelievable. Just plain cold logic. The use of DIGEST auth and
> digested passwords are 100% independent.

Sorry. I mis-spoke. They are not totally independent. If you use DIGEST auth *and* digested passwords then you have to calculate the password to put in your tomcat-users.xml/database/etc differently. See http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords for details.

Mark
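
Added example, not part of the original message and not Tomcat's code: the RFC 2617 calculation shows why a server can check a DIGEST response from a stored MD5 of `username:realm:password` without the cleartext, and why a plain MD5 of the password alone cannot be verified. Function names are hypothetical; the sample values are the example exchange from RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_credential(username: str, realm: str, password: str) -> str:
    """Value to store instead of the cleartext password (HA1 in RFC 2617)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth, computed from HA1 only."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_value, received, method, uri, nonce, nc, cnonce):
    """Server-side check: uses the stored value, never the cleartext."""
    expected = digest_response(stored_value, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, received)


# Sample exchange: the example values from RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
CHALLENGE = dict(method="GET", uri="/dir/index.html",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 nc="00000001", cnonce="0a4f113b")


def browser_response() -> str:
    """What the browser sends: it knows the cleartext and derives HA1 itself."""
    return digest_response(stored_credential(USER, REALM, PASSWORD), **CHALLENGE)


def demo() -> dict:
    sent = browser_response()
    return {
        # Credential digested as user:realm:password: the server can verify.
        "realm_digest": server_accepts(
            stored_credential(USER, REALM, PASSWORD), sent, **CHALLENGE),
        # Credential digested as MD5(password) alone: verification fails.
        "plain_digest": server_accepts(md5_hex(PASSWORD), sent, **CHALLENGE),
    }


if __name__ == "__main__":
    print(browser_response(), demo())
```

The stored value depends on the realm name, so it has to be recomputed if the realm configured for the application changes.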