Maybe it's a bit late for this, however here it goes; incorporate it if you
like:
I've added support for DIGEST authentication scheme to Tomcat 3.3.
I was able to successfully test it with Opera 5.12 browser WHEN Tomcat
didn't return an Authentication-info header on successful authentication.
The Authentication-info header confused Opera, but that's a bug in Opera I
have reported to their developers. In the code I'm submitting here, Tomcat
outputs Authentication-info headers (since it uses one-time nonces to avoid
replay attacks). This means Opera chokes on it, but to be fair -- I didn't
want to omit Authentication-info just in order to work around a bug in a
browser. My primary goal is to have DIGEST available for use with WebDAV, so
I don't care that much for temporary problems with buggy browsers. (Speaking
of buggy browsers, I've also attempted to test it with IE 5.5 on several
machines, but it didn't work. For the record, this IE 5.5 also didn't work
when it received a DIGEST authentication challenge from an Apache 3.17 server,
while Opera worked nicely with both my tweaked Tomcat and that counter-test
Apache server.)
Of existing classes, I only had to modify RealmBase and AccessInterceptor in
org.apache.tomcat.modules.aaa. The changes do not affect functionality when
the WEB-INF/web.xml explicitly does not require DIGEST, so I'm willing to
bet my credibility as a software developer it does not break anything
backwards. I also added three new classes: DigestAuthentication,
DigestAuthenticationFactory, and DigestChallenge.
Also, I think that the class BasicAuthHandler in AccessInterceptor.java has
some really messy way of generating output; it uses a StringBuffer stored in
a request note and regenerates the (constant!) output each time. I've done
it as I feel it should be done in my DigestAuthHandler. If someone is
inclined, take a look at it and fix BasicAuthHandler.
Cheers,
Attila.
aaa-digest.zip
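The point above about one-time nonces and the Authentication-Info header is easier to see in a small worked exchange. The following is an added example and is not Attila's Tomcat code, nor anything from the attached zip: it walks an RFC 2617 Digest exchange (qop=auth, MD5) in Python, with the server issuing a fresh nonce per challenge, consuming it on the first valid Authorization, rejecting a replay of the same header, and handing the client its next nonce (plus rspauth for mutual authentication) in Authentication-Info. The realm, user name, password, URI and method are constructed for the demonstration.

```python
"""Added example (not the Tomcat aaa code): HTTP Digest with one-time
server nonces.  Shows why a server that consumes nonces must send
Authentication-Info (the client needs nextnonce for its next request)
and how a replayed Authorization header is refused.  All names and
credentials below are constructed for the demo."""
import hashlib
import secrets

REALM = "example-realm"          # constructed realm
USERS = {"alice": "s3cret"}      # constructed credential store (demo only)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for algorithm=MD5, qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server-side state: issued (unused) nonces and consumed ones."""

    def __init__(self):
        self.issued = set()   # nonces handed out but not yet used
        self.used = set()     # nonces already consumed (one-time use)

    def new_nonce(self) -> str:
        n = secrets.token_hex(16)
        self.issued.add(n)
        return n

    def challenge(self) -> dict:
        """Fields of the WWW-Authenticate: Digest header for a 401."""
        return {"realm": REALM, "qop": "auth", "nonce": self.new_nonce()}

    def authenticate(self, method: str, auth: dict):
        """Check a parsed Authorization: Digest header. Returns (status, headers)."""
        nonce = auth["nonce"]
        if nonce in self.used:
            return 401, {"error": "replayed nonce"}        # the replay case
        if nonce not in self.issued:
            return 401, {"error": "unknown nonce"}
        pw = USERS.get(auth["username"])
        if pw is None:
            return 401, {"error": "unknown user"}
        expected = digest_response(auth["username"], REALM, pw, method, auth["uri"],
                                   nonce, auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return 401, {"error": "bad credentials"}
        # Valid: consume the nonce so the same header can never succeed again.
        self.issued.discard(nonce)
        self.used.add(nonce)
        # rspauth (RFC 2617 3.2.3): like the response but HA2 uses an empty method.
        ha1 = _md5(f"{auth['username']}:{REALM}:{pw}")
        ha2 = _md5(f":{auth['uri']}")
        rspauth = _md5(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        info = {"nextnonce": self.new_nonce(), "qop": "auth", "rspauth": rspauth,
                "cnonce": auth["cnonce"], "nc": auth["nc"]}
        return 200, {"Authentication-Info": info}


def build_authorization(username, password, method, uri, nonce, nc="00000001"):
    """Client side: compute the Authorization: Digest fields for a challenge nonce."""
    cnonce = secrets.token_hex(8)
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(username, REALM, password, method, uri, nonce, nc, cnonce)}


def run_exchange():
    """Challenge -> valid response -> replay -> response with nextnonce.
    Returns the three status codes: expected (200, 401, 200)."""
    srv = DigestServer()
    ch = srv.challenge()
    auth = build_authorization("alice", "s3cret", "PROPFIND", "/dav/", ch["nonce"])
    s1, h1 = srv.authenticate("PROPFIND", auth)
    s2, _ = srv.authenticate("PROPFIND", auth)          # same header again: replay
    nxt = h1["Authentication-Info"]["nextnonce"]         # client must switch nonces
    auth2 = build_authorization("alice", "s3cret", "PROPFIND", "/dav/", nxt)
    s3, _ = srv.authenticate("PROPFIND", auth2)
    return s1, s2, s3


if __name__ == "__main__":
    print(run_exchange())
```

A browser that ignores Authentication-Info and keeps reusing the original nonce will hit the 401 on its second request, which is exactly the interaction with a nonce-consuming server that the message describes; the server can answer that 401 with `stale=true` so the client retries with the new nonce without re-prompting for a password.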