---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---------------------------------------------------------------------------
----- Original Message ----- From: "Mark Thomas" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, November 04, 2007 8:24 PM
Subject: Re: [tomcat]How to decrypt the DIGEST authentication?


> Mark Thomas wrote:
> > Johnny Kewl wrote:
> > > I don't think you can do what you want to...
> > > I don't think you can use web based DIGEST authentication.
> > > And then hide passwords in an MD5 digest as well.
> >
> > Yes you can.
> >
> > > I think web based DIGEST authentication, MUST get at the plain text
> > > password.
> >
> > No.
> >
> > > That process has to be repeated on the server, and SHA(Password) plus
> > > some random stuff NOT EQUAL to browser...
> > > I think it has to be a plain text password... unless TC does something
> > > unbelievable...
> >
> > Not unbelievable. Just plain cold logic. The use of DIGEST auth and
> > digested passwords are 100% independent.
>
> Sorry. I mis-spoke. They are not totally independent. If you use DIGEST
> auth *and* digested passwords then you have to calculate the password to
> put in your tomcat-users.xml/database/etc differently. See
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
> for details.

No Problem... I'm surprised it can even be done...
The digest spec has random vectors, so it means TC is using domain and username as those.
--------------
If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.
---------------
I was wrong... it can be done ;)

> Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

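The point the thread settles (the stored value is MD5(username:realm:password), which is exactly the HA1 term of RFC 2617 Digest, so the server can verify a browser's Digest response without ever holding the cleartext), shown as an added example. This is not code from the thread or from Tomcat; the username, realm and password are the ones from the quoted docs, the nonce and cnonce values are constructed, and the qop=auth form of the response is assumed.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def tomcat_stored_digest(username: str, realm: str, password: str) -> str:
    """Value to put in tomcat-users.xml when combining digested passwords with
    DIGEST auth: MD5(username:realm:password). This is RFC 2617's HA1, so the
    realm does not need the cleartext password at all."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the browser computes; it is the only party that knows the cleartext."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute the expected response starting from the stored HA1
    only, and compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo():
    # Identity from the Tomcat realm docs quoted in the thread; nonces are constructed.
    username, realm, password = "testUser", "localhost:8080", "testPassword"
    stored = tomcat_stored_digest(username, realm, password)
    nonce, nc, cnonce = "constructed-server-nonce", "00000001", "constructed-client-nonce"
    method, uri = "GET", "/app/secure"
    good = client_response(username, realm, password, method, uri, nonce, nc, cnonce)
    bad = client_response(username, realm, "wrongPassword", method, uri, nonce, nc, cnonce)
    return (
        stored,
        server_verify(stored, method, uri, nonce, nc, cnonce, good),   # True
        server_verify(stored, method, uri, nonce, nc, cnonce, bad),    # False
    )


if __name__ == "__main__":
    print(demo())
```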