BTW, I was able to support *both* MD5 and SHA-256 in my subclass of org.apache.catalina.realm.RealmBase.

ISSUE: org.apache.catalina.realm.RealmBase.getPassword(final String username) affords no means to know *which* algorithm, i.e. which digest to return. I dealt with this by subclassing org.apache.catalina.realm.RealmBase:

1. Overriding getDigest(String username, String realmName, String algorithm) for the algorithm, returning the appropriate digest based on the actual algorithm.
2. getPassword(String username) never gets used because of #1.
3. Storing both MD5 and SHA-256 digests.

In this way, I can support both MD5 and SHA-256. I don't know if this was a good idea or not, but it is working as desired.

Should org.apache.catalina.realm.RealmBase be improved to be getPassword(String username, String algorithm) instead of getPassword(String username)?

Lloyd

> On Dec 13, 2024, at 02:23:38, Mark Thomas <ma...@apache.org> wrote:
>
> On 13/12/2024 00:39, DIGLLOYD wrote:
>> ISSUE: users cannot log in to my site.
>> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 (Safari uses MD5 which is working fine)
>>
>> Details:
>> - Tomcat 9.0.98
>> - DIGEST auth using MD5
>> - has been working for 15+ years just fine.
>> - have read all available Tomcat docs, searched web for answers, etc.
>>
>> Debugging so far:
>>
>> Custom Realm in use for the purpose of managing auth info, but it otherwise defers to org.apache.catalina.realm.RealmBase.
>> CredentialHandler: e.g. <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>
> So you have DIGEST authentication with digested credentials.
>
> That will work as long as DIGEST authentication uses the same digest as the credentials. In this case: MD5.
>
> By default, Tomcat advertises support for both SHA-256 and MD5 with DIGEST authentication. Browsers should choose SHA-256 given those options. To change that, you need to set the algorithms attribute for the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
>
> https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
>
> Note the comment in the introduction to that section.
>
> Mark
>
>
>>
>> By instrumenting this realm, I have determined the following:
>>
>> - Firefox and Chrome are sending SHA-256 DIGEST to my server, which is using MD5. Guaranteed failure since wrong digest.
>> - Safari is sending MD5, which works fine
>> - Realm uses standard
>>
>> Thoughts:
>>
>> I would have thought that Tomcat would be replying to a client by advertising the correct algorithm.
>>
>> Possibilities:
>> 1. Tomcat is not properly advising the client that MD5 is required.
>> 2. The spec is somehow deficient so that client and server do not know what is required.
>> 3. The clients (Firefox and Chrome) are doing it wrong.
>> 4. Something needs to be configured that I have not configured.
>>
>> Lloyd Chambers
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
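The following is an added illustration of the point Mark and Lloyd are discussing; it is not code from the thread, from Tomcat, or from Lloyd's realm, and it is Python rather than a Tomcat Realm so that it can be run on its own. It models the RFC 7616 Digest exchange for both MD5 and SHA-256: the server side keeps HA1 = H(username:realm:password) per algorithm (what a digested-credential realm holds instead of the password) and selects the stored digest by the algorithm parameter the browser echoes back in the Authorization header, which is the information getDigest(username, realmName, algorithm) receives and getPassword(username) does not. A realm that stored only the MD5 HA1 cannot verify a SHA-256 response at all, which is the failure Lloyd observed with Firefox and Chrome; storing both digests, or (per the linked Tomcat docs) setting the DigestAuthenticator valve's algorithms attribute to "MD5" so only MD5 is advertised, resolves it. The realm name, user, password, nonce and cnonce values below are constructed, and only qop=auth is modelled.

```python
"""Digest authentication (RFC 7616) with MD5 and SHA-256: why the stored
credential digest must match the algorithm the client answers with.
Constructed example; not Tomcat code."""
import hashlib
import hmac
import re

# Algorithms a server may advertise in WWW-Authenticate. HA1 MUST be computed
# with the same hash the client uses for its response.
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

_PARAM_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|([^,\s]+))')
_REQUIRED = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")


def _h(algorithm, data):
    """Hex digest of `data` under the named Digest algorithm."""
    return HASHES[algorithm](data.encode("utf-8")).hexdigest()


def ha1(algorithm, username, realm, password):
    """HA1 = H(username ":" realm ":" password); this is what a
    digested-credential realm stores instead of the cleartext password."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def compute_response(algorithm, ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 section 3.4.1 response for qop=auth."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(algorithm, username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the Authorization header a browser sends after picking
    `algorithm` from the server's challenge."""
    resp = compute_response(algorithm, ha1(algorithm, username, realm, password),
                            method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", algorithm={algorithm}, qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header):
    """Parse a Digest Authorization header into a dict. Per RFC 7616 the
    algorithm parameter defaults to MD5 when the client omits it."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(params)}
    fields.setdefault("algorithm", "MD5")
    return fields


class DigestedRealm:
    """Server side. Holds one HA1 per (user, algorithm), the way the realm in
    the thread stores both an MD5 and a SHA-256 digest, and looks the digest
    up by the algorithm the client actually used (the role of
    getDigest(username, realmName, algorithm))."""

    def __init__(self, realm, algorithms):
        self.realm = realm
        self.algorithms = tuple(algorithms)  # what the challenge would advertise
        self._digests = {}

    def add_user(self, username, password):
        for alg in self.algorithms:
            self._digests[(username, alg)] = ha1(alg, username, self.realm, password)

    def get_digest(self, username, algorithm):
        return self._digests.get((username, algorithm))

    def authenticate(self, method, header):
        p = parse_authorization(header)
        if any(k not in p for k in _REQUIRED) or p["realm"] != self.realm:
            return False
        stored = self.get_digest(p["username"], p["algorithm"])
        if stored is None:  # no digest for this algorithm: guaranteed failure
            return False
        expected = compute_response(p["algorithm"], stored, method, p["uri"],
                                    p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
        return hmac.compare_digest(expected, p["response"])


def scenario():
    """Constructed exchange: one user against a realm that stored only the MD5
    digest and one that stored both, with the browser answering in MD5 and in
    SHA-256. Returns {(realm kind, algorithm): accepted?}."""
    realm, user, pw = "members", "lloyd", "correct horse battery"  # constructed
    nonce, cnonce, nc = "5b8a6e3f2c", "0a4f1c9d", "00000001"          # constructed
    md5_only = DigestedRealm(realm, ["MD5"])
    both = DigestedRealm(realm, ["MD5", "SHA-256"])
    for r in (md5_only, both):
        r.add_user(user, pw)
    results = {}
    for alg in ("MD5", "SHA-256"):
        hdr = build_authorization(alg, user, realm, pw, "GET", "/private/", nonce, nc, cnonce)
        results[("MD5-only realm", alg)] = md5_only.authenticate("GET", hdr)
        results[("both-digests realm", alg)] = both.authenticate("GET", hdr)
    bad = build_authorization("MD5", user, realm, "wrong password", "GET", "/private/", nonce, nc, cnonce)
    results[("MD5-only realm", "MD5, wrong password")] = md5_only.authenticate("GET", bad)
    return results


if __name__ == "__main__":
    for key, ok in scenario().items():
        print(f"{key[0]:20s} {key[1]:22s} -> {'accepted' if ok else 'rejected'}")
```

The MD5-only realm rejects the SHA-256 response not because the password is wrong but because it has nothing to compare against; that is the distinction between the two fixes in the thread, constraining what the valve advertises versus storing a digest for every algorithm it may advertise. The nonce handling (freshness, replay of nc) is deliberately left out here; a real DigestAuthenticator tracks it.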