How to produce the hashed password when using auth-method DIGEST?

Everything works with cleartext passwords using the following login-config in web.xml:

    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>DIGLLOYD.COM</realm-name>
    </login-config>

and in context.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm"
        connectionName="test" connectionPassword="test123"
        connectionURL="jdbc:mysql://localhost/test"
        driverName="com.mysql.jdbc.Driver"
        userTable="UserAuth" userNameCol="username" userCredCol="password"
        userRoleTable="UserRole" roleNameCol="role" />

Now I want to add attribute digest="SHA" to the <Realm> above. What value to insert for the password in the database? Following the Tomcat 6 docs, I tried inserting the value produced by the following:

    String credentials = username + ":" + "DIGLLOYD.COM" + ":" + password;
    org.apache.catalina.realm.RealmBase.Digest(credentials, "SHA", null);

(http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html)

I've verified that the DB contains the hash values produced by Digest().

It isn't working; all attempts to login fail.

Help is greatly appreciated.

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Apr 22, 2008, at 9:37 AM, Mark Thomas wrote:

DIGLLOYD INC wrote:
Is the realm the <realm-name> specified in the <login-config> in web.xml? (e.g. "Tomcat Manager Application")
Yes.

(link above) suggest "localhost:80" might be the realm, but that makes no sense to me, as this would tie it to a specific port.
That is the default you get if you don't specify one.

The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is in conflict with the above documentation, making no mention of digesting with the username and realm. The book suggests doing:
bin/digest.sh -a MD5 user-password
As do the docs. This is for digested passwords with BASIC or FORM auth.

But the tomcat 6 docs referenced above suggest doing:
bin/digest.sh -a MD5 username:realm-name:password
This is for digested passwords with DIGEST auth.

--obviously very different approaches!
Because they have different uses.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


