-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Etienne,

On 1/28/2011 7:59 AM, Ing. Etienne V. Depasquale wrote:
> Yes, I am using DIGEST authentication.
> 
> But what about the www-authenticate HTTP/1.1 header that Tomcat sends over
> to the browser? Is it ignored by any browser, simply defaulting to MD5?

I'm sorry, I misspoke. You're right: there is a way for the server to
tell the client what kind of digest algorithm to use, but there is no
/negotiation/: the server can't give the client a choice, and the client
can't tell the server what algorithm it chose.

The spec only defines MD5 as the default (and only choice for) algorithm
so web browsers have only implemented MD5.

If you can demonstrate that a web browser will use SHA-1 (which is, by
the way, also a useless algorithm like MD5 these days), I'd be very
happy to see it. I'm guessing that Firefox and Google Chrome are the
only candidates for that kind of thing.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1C1I0ACgkQ9CaO5/Lv0PBo2wCeM8GswwNUimW/aQ2bJ/O4vOoW
zooAn0uQTcu8D8gbb8TRklc0bmlvUXHl
=Wong
-----END PGP SIGNATURE-----
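
Added example, not part of the original message: a minimal Python sketch of the client side of the exchange described above. It assumes a client that implements only MD5 and only qop=auth or no qop. The function names are hypothetical, and the challenge strings are constructed from the RFC 2617 section 3.5 sample values.

```python
import hashlib
from urllib.request import parse_http_list, parse_keqv_list

# Constructed challenges; the values are the RFC 2617 section 3.5 sample.
CHALLENGE_DEFAULT = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
# Same challenge with the server announcing an algorithm the client lacks.
CHALLENGE_SHA1 = CHALLENGE_DEFAULT + ', algorithm=SHA-1'


def parse_challenge(header_value):
    """Return the parameters of a WWW-Authenticate Digest challenge as a dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return parse_keqv_list(parse_http_list(params))


def md5_hex(text):
    """Hex MD5 of a string, as used for HA1, HA2 and the response."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(challenge, username, password, method, uri,
                    cnonce, nc="00000001"):
    """Compute the RFC 2617 'response' value for an MD5 challenge."""
    params = parse_challenge(challenge)
    # The server names exactly one algorithm (absent means MD5). The client
    # can comply or give up; the header offers no list to choose from.
    algorithm = params.get("algorithm", "MD5")
    if algorithm.upper() != "MD5":
        raise NotImplementedError("unsupported digest algorithm: " + algorithm)
    ha1 = md5_hex(f"{username}:{params['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qops = [q.strip() for q in params.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        return md5_hex(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    if qops:
        raise NotImplementedError("unsupported qop: " + ", ".join(qops))
    # No qop offered: the older RFC 2069 form of the response.
    return md5_hex(f"{ha1}:{params['nonce']}:{ha2}")
```

With the RFC 2617 sample credentials the first challenge yields the response value printed in the RFC; the second challenge makes the MD5-only client fail instead of answering.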
