Lloyd,
On 12/13/24 11:47 AM, DIGLLOYD wrote:
BTW, I was able to support *both* MD5 and SHA-256 in my subclass of
org.apache.catalina.realm.RealmBase
ISSUE: org.apache.catalina.realm.RealmBas.getPassword(final String username)
affords no means to know *which* algorithm ie which digest to return.
I dealt with this by subclassing org.apache.catalina.realm.RealmBase:
1. Overriding getDigest(String username, String realmName, String algorithm)
for the algorithm, returning the appropriate digest based on the actual
algorithm.
2. getPassword(String username) never gets used because of #1.
3. Storing both MD5 and SHA-256 digests
In this way, I can support both MD5 and SHA-256. I don’t know if this was a
good idea or not, but it is working as desired.
Should org.apache.catalina.realm.RealmBase should be improved to be
getPassword(String username, String algorithm) instead of getPassword(String
username)?
No, getPassword should be returning the stored credential without
modification. It's odd that you have multiple credentials stored.
-chris
On Dec 13, 2024, at 02:23:38, Mark Thomas <ma...@apache.org> wrote:
On 13/12/2024 00:39, DIGLLOYD wrote:
ISSUE: users cannot login to my site.
CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 (Safari
uses MD5 which is working fine)
Details:
- Tomcat 9.0.98
- DIGEST auth using MD5
- has been working for 15+ years just fine.
- have read all available Tomcat docs, searched web for answers, etc.
Debugging so far:
Custom Realm in use purpose of managing auth info, but it otherwise defers to
org.apache.catalina.realm.RealmBase.
CredentialHandler: eg <CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5"
/>
So you have DIGEST authentication with digested credentials.
That will work as long as DIGEST authentication uses the same digest as
the credentials. In this case: MD5.
By default, Tomcat advertises support for both SHA-256 and MD5 with
DIGEST authentication. Browsers should choose SHA-256 given those
options. To change that, you need to set the algorithms attribute for
the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
Note the comment in the introduction to that section.
Mark
By instrumenting this realm, I have determined the following:
- Firefox and Chrome are sending SHA-256 DIGEST to my server, which is using
MD5. Guaranteed failure since wrong digest.
- Safari is sending MD5, which works fine
- Realm uses standard
Thoughts:
I would have thought that Tomcat would be replying to a client by advertising
the correct algorithm.
Possibilities:
1. Tomcat is not properly advising the client that MD5 is required.
2. The spec is somehow deficient so that client and server do not know what is
required.
3. The clients (Firefox and Chrome) are doing it wrong.
4. Something needs to be configured that I have not configured.
Lloyd Chambers
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
