Java Mailing List Archive

http://www.junlu.com/

How to decrypt the DIGEST authentication?

2007-11-05       - By Johnny Kewl



-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
----- Original Message -----
From: "zhongliang zhang" <zhangzhongl@(protected)>
To: "Tomcat Users List" <users@(protected)>
Sent: Monday, November 05, 2007 8:16 AM
Subject: RE: [tomcat]How to decrypt the DIGEST authentication?



Thanks for your reply.
Now it works if I specify the alg with "MD5", but it still does not work with
"SHA".
And I do not know what the middle field of
"zhangzhongl:JDBCRealm:secret" means, that is, the "JDBCRealm". Is it an
unchangeable part? I do not think so, for the Tomcat docs give an example of
"localhost:8080", but when I changed it to that, my app does not work.
=======================
Yes, that is misleading.
I think it's picking it up from
<realm-name>JDBCRealm</realm-name>
in the web.xml file.

The example in the documentation makes one think it's picking up on the
domain name... but it's picking up on that setting.
I think it's because, as a convention, realm-name is often the site domain name.

But that is good because I was thinking when you move it from 8080 you will
have to change all the password hashes...
Luckily not... just get this setting right now...
<realm-name>JDBCRealm</realm-name>
in the web.xml file

You guys cracked it.... well done!

=======================
And furthermore, the application has the functions of modifying a password and
creating a new user, so I have to deal with the transport of these passwords, too. I
planned to use JavaScript to encrypt the password in these situations. Is it
a way worth trying?
What about encrypting the password using JavaScript at the login page? Is it
safe? What I am afraid of is that someone gets the
RequestURL, username, password (encrypted), and he writes a form, then he can
log in to my application. Is it possible for some bad guy to do this?
I know SSL communication is the best way, but the pity is that I am not
allowed to use it.
Thanks so much for helping me to solve this problem, it confused me for a
couple of days.
=======================
Oops ;)
Forget about making the actual communication secure... to work up those
encryption algs in JavaScript is near impossible.
But.... mmmmm thinking ;)
I think this will work.... ok

Find an MD5 alg for JavaScript.
The user must log in and go to a secure page.... you pass up the realm-name
to the JavaScript.
It does...
MD5(UserName,Realm,Password) and sends it to your servlet.
You put it in the dB.

It doesn't stop things like replay attacks and all that stuff, but the rest
of your site is not secure anyway...
A hash is a one-way function, so from that aspect, it's as good as DIGEST.
I.e., even if someone sees the HASH... they still cannot guess the password..

SSL is better, but yes, this is probably as good as it's going to get on an
open site.
=======================
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)




©2008 junlu.com - Jax Systems, LLC, U.S.A.