What symptoms do you get? I just tried to change from BASIC to DIGEST and everything looks good when it comes up - it just doesn't work. I just get an error indicating that the application doesn't exist. But I can see everything on the console and in the log.

Sorry my reply got cut short.
With JBOSS/JETTY (jboss-3.2.2RC2_jetty-4.2.11) I get BASIC to work but it has the problem that you do not get a 403 message if you try to access a protected URL without the required role (it pops up a new login screen).
DIGEST doesn't work - it just pretends the application isn't there although it looks like it comes up OK on the server.
FORM works but has a very strange side effect - it changes the Principal assigned as user principal. I set up a CallerPrincipal (org.jboss.security.SimplePrincipal) and it uses this, whereas with BASIC it uses the first user Principal that I defined (com.tagish.auth.win32.typed.NTUserPrincipal). No idea why this happens. It could be to do with the way Jetty manages threads when it starts up a Form.
BASIC doesn't work at all with JBOSS/Tomcat (jboss-3.2.1_tomcat-4.1.24).
My preference would be to use DIGEST - if somebody knows how to get this to work please let me know!
Jim Brady

I have been looking at the source and I wonder if this is as simple as adding code such as:

// Find out the Authenticator. ...

else if (SecurityConstraint.__DIGEST_AUTH.equalsIgnoreCase(_authMethod))
getHttpContext().setAuthenticator(new DigestAuthenticator());

to org.mortbay.http.handler.SecurityHandler

JBOSS (Scott Stark over to you).

I will try security in some of the new releases - maybe Tomcat is working now - I know that some changes have been made. I find it hard to understand why this is all so difficult. I would have thought security was a HIGH priority. I'm writing a real world application here not a toy!

Tomcat works now (Release Candidate 3.2.2RC4).

Hi,
I'm sorry but this is a very general question, so I'm not exactly sure how to answer it. I mean that the latest release (3.2.2RC4) of JBoss-Tomcat works with Digest authentication, just as the I got Basic (not Digest) to work with JBoss 3.2.2RC2 with Jetty. I didn't change the application - just installed it on the new release. With JBoss-Tomcat (3.2.1) I couldn't get even Basic Authentication to be invoked at all. I always wanted to use Digest Authentication so I'm pleased. Digest doesn't work with JBoss-Jetty (it does work with Jetty) and it is not clear that it will be fixed soon. I am not keen on changing JBoss myself because of the complexity of the product and the problems this could cause for upgrades.
Jim Brady

Sorry the JBoss-Tomcat release that didn't work should read 3.2.2RC1.
Jim Brady

Hi,
I retested this and now DIGEST does not work (BASIC does). I suspect that some TOMCAT specific configuration is required. I wonder if what happened was that the server picked up userid/password that were stored by form based when I changed to test DIGEST.
Jim Brady

Did anyone get DIGEST authentication working?

i'm currently using
jboss 3.2.3
jdk 1.4.2

BASIC works fine, but DIGEST never invokes my login module... any additional info would be great.