Jie,
The problem is that the Digest authentication mechanism needs the server to have
a copy of the password in the clear - so it can regenerate the MD5 hash of the
digest nonce etc.
If you store the password as an MD5 hash, then the plain text password cannot
be recovered to run the Digest hash algorithm.
Try using a realm that stores the password as plain text - yes this is a
security problem - but not of Jetty's making!
cheers
Jie Ren wrote:
I have a problem in using digest authentication in Jetty (5.0.RC3). Here is
what is done.
1) I modify the web.xml under jetty-5.0.RC3\demo\webapps\jetty\WEB-INF so it
uses Digest Authentication instead of Basic authentication:
<!--
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Jetty Demo Realm</realm-name>
</login-config>
-->
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Jetty Demo Realm</realm-name>
</login-config>
2) I start the demo app using "java -jar start.jar etc\demo.xml" on a
Windows XP Home machine.
3) I use IE 6 to click the "http://localhost:8080/jetty/auth/" URL in the
http://localhost:8080/jetty/demoWebApps.html demo page.
4) After entering "jetty/jetty" for the password/username, the same dialog
reappears.
Here is what I see on the console:
08:48:25.100 WARN!! [Listener-4] org.mortbay.util.Credential$MD5.check(Credential.java:142) >19> Can't check class org.mortbay.http.DigestAuthenticator$Digest against MD5
08:48:25.100 WARN!! [Listener-4] org.mortbay.http.DigestAuthenticator.authenticate(DigestAuthenticator.java:124) >16> AUTH FAILURE: user jetty
08:48:28.474 WARN!! [Listener-3] org.mortbay.util.Credential$MD5.check(Credential.java:142) >19> Can't check class org.mortbay.http.DigestAuthenticator$Digest against MD5
08:48:28.484 WARN!! [Listener-3] org.mortbay.http.DigestAuthenticator.authenticate(DigestAuthenticator.java:124) >16> AUTH FAILURE: user jetty
6) Firefox 0.9.3 encounters the same problem. Using Jetty 4.2.22 has no luck.
7) When I look at the code in DigestAuthenticator.java (package
org.mortbay.http), at line 64, a Digest object is created
    Digest digest = new Digest(request.getMethod());
After filling it with information from the request,
    else if ("response".equalsIgnoreCase(name))
        digest.response = tok;
The Digest object is passed for authentication at line 110.
    user = realm.authenticate(digest.username, digest, request);
However, after several more calls, at line 129 of Credentials.java (package
org.mortbay.util), the class MD5 needs a String or a Password,
    if (credentials instanceof Password ||
        credentials instanceof String)
        ...
    else
        log.warn("Can't check " + credentials.getClass() + " against MD5");
Here is where the authentication failure occurs. It seems a Digest is passed
over to where a String/Password is needed.
Is this a problem? Or did I miss something here? The mailing list archive does
say digest authentication works.
Regards,
Jie Ren
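As an added example (not from this thread and not Jetty's own code), the following Python sketch of the RFC 2617 Digest computation shows why the realm needs either the cleartext password or the precomputed HA1 = MD5(user:realm:password) to verify a response, and why a realm holding only a bare MD5(password) hash has nothing to compare the client's response against. The user, realm, URI and nonce values are constructed for the example.

```python
import hashlib

# Constructed sample exchange (not taken from the thread): user "jetty" in
# realm "Jetty Demo Realm" answers a Digest challenge for GET /jetty/auth/.
# The nonce is an assumed value chosen for this example.
USERNAME, REALM, PASSWORD = "jetty", "Jetty Demo Realm", "jetty"
METHOD, URI = "GET", "/jetty/auth/"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1 (default "MD5" algorithm): binds user, realm and password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def client_response(password: str = PASSWORD) -> str:
    # The value the browser sends in Authorization: Digest ... response="...".
    return digest_response(ha1(USERNAME, REALM, password), NONCE, METHOD, URI)


def server_check(stored_kind: str, stored_value: str, response: str):
    """Verify a Digest response against one realm entry.

    stored_kind is one of:
      "plain" - the cleartext password (what the reply above suggests)
      "ha1"   - MD5(user:realm:password), the RFC 2617 alternative to cleartext
      "md5"   - a bare MD5(password) hash, as a Basic-style realm might store
    Returns True/False as a verdict, or None when the stored form cannot be
    checked at all (the situation behind "Can't check ... against MD5").
    """
    if stored_kind == "plain":
        expected = digest_response(ha1(USERNAME, REALM, stored_value), NONCE, METHOD, URI)
    elif stored_kind == "ha1":
        expected = digest_response(stored_value, NONCE, METHOD, URI)
    else:
        # MD5(password) cannot be turned back into HA1 = MD5(user:realm:password),
        # so the server has no value to compare the client's response against.
        return None
    return expected == response
```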