6 Replies Latest reply on Oct 8, 2005 11:52 AM by starksm64

DIGEST Authentication

reinerka Oct 5, 2005 8:10 PM

I'm trying to set up a server for Digest authentication. I've been working previously with the BASIC authentication and everything seems to work as expected.

All that was done is to change the web.xml to DIGEST and now I can't find anything that would get me past the authentication part.

I've been tryinig to use http-client from the Apache side (2.0.2 and 3.0-rc3) plus IE6 & Firefox with no luck.

Is there anything else I should be aware of?

The JBoss server is 4.0.2

As said. When switching to BASIC authentication everything is fine.

Thanks,
Reiner

1. Re: DIGEST Authentication

reinerka Oct 5, 2005 8:23 PM (in response to reinerka)

One more clarification to the scenario.

I'm also using DatabaseServerLoginModule where clear test passwords are stored (not encrypted).

We don't have a problem storing clear text passwords for this particular environment. But DIGEST is a requirement over the wire.

Reiner
Actions
2. Re: DIGEST Authentication

starksm64 Oct 5, 2005 8:37 PM (in response to reinerka)

You should be aware of the fact that we don't support DIGEST auth because it requires that the password be available in clear text on the server, and this is not generally possible. There has been little demand for DIGEST to date and so we have not looked into supporting it when used with a store that can return the clear text password.
Actions
3. Re: DIGEST Authentication

reinerka Oct 5, 2005 8:59 PM (in response to reinerka)

Scott,

after posting the question I've found several of your replies to that.

The problem I'm facing is that DIGEST authentication is a requirement for the application.

The password is known from the username (isn't that a really good password). So in effect there would be a custom authentication handler behind the scene.

For simple tests right now a DatabaseServerLoginModule would work that can be linked to the DIGEST authentication scheme.

If help would be needed I'm willing to contribute code to make it work. Otherwise I would be required to look into another App Server, which I'm not thrilled about.

Reiner
Actions
4. Re: DIGEST Authentication

starksm64 Oct 5, 2005 9:53 PM (in response to reinerka)
It won't be hard. Just change the following org.jboss.web.tomcat.security.JBossSecurityMgrRealm method to be similar to the others:

public Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, String md5a2) { return super.authenticate(username, digest, nonce, nc, cnonce, qop, realm, md5a2); }

The trick is how to get all of the digest info into the login module. The simplest would be just to pass it in via a custom class as the credential, and subclass DatabaseServerLoginModule to deal with the custom class. A org.jboss.crypto.digest.DigestCallback has to deal with the hashing. To integrate this generically into jboss probably requires some changes to the base login modules to add a new generic jaas callback class that can be used to obtain the digest parameters.
Actions
5. Re: DIGEST Authentication

starksm64 Oct 6, 2005 12:25 PM (in response to reinerka)

I spent a little time looking at this and we should be able to add support for this in 4.0.4.
http://jira.jboss.com/jira/browse/JBAS-2338
Actions
6. Re: DIGEST Authentication

starksm64 Oct 8, 2005 11:52 AM (in response to reinerka)

This has been added to the 4.0/head branches for inclusion into 4.0.4. This includes support for storing a hashed form of the password so that clear text passwords are not needed.

http://wiki.jboss.org/wiki/Wiki.jsp?page=DIGESTAuth
Actions

Go to original post