1. Re: DIGEST Authentication
reinerka Oct 5, 2005 8:23 PM (in response to reinerka)
One more clarification to the scenario.
I'm also using DatabaseServerLoginModule where clear text passwords are stored (not encrypted).
We don't have a problem storing clear text passwords for this particular environment. But DIGEST is a requirement over the wire.
Reiner

2. Re: DIGEST Authentication
starksm64 Oct 5, 2005 8:37 PM (in response to reinerka)
You should be aware of the fact that we don't support DIGEST auth because it requires that the password be available in clear text on the server, and this is not generally possible. There has been little demand for DIGEST to date and so we have not looked into supporting it when used with a store that can return the clear text password.
3. Re: DIGEST Authentication
reinerka Oct 5, 2005 8:59 PM (in response to reinerka)
Scott,
after posting the question I've found several of your replies to that.
The problem I'm facing is that DIGEST authentication is a requirement for the application.
The password is known from the username (isn't that a really good password). So in effect there would be a custom authentication handler behind the scene.
For simple tests right now a DatabaseServerLoginModule would work that can be linked to the DIGEST authentication scheme.
If help would be needed I'm willing to contribute code to make it work. Otherwise I would be required to look into another App Server, which I'm not thrilled about.
Reiner

4. Re: DIGEST Authentication
starksm64 Oct 5, 2005 9:53 PM (in response to reinerka)
It won't be hard. Just change the following org.jboss.web.tomcat.security.JBossSecurityMgrRealm method to be similar to the others:

    public Principal authenticate(String username, String digest, String nonce,
                                  String nc, String cnonce, String qop,
                                  String realm, String md5a2)
    {
        return super.authenticate(username, digest, nonce, nc, cnonce, qop, realm, md5a2);
    }

The trick is how to get all of the digest info into the login module. The simplest would be just to pass it in via a custom class as the credential, and subclass DatabaseServerLoginModule to deal with the custom class. A org.jboss.crypto.digest.DigestCallback has to deal with the hashing. To integrate this generically into jboss probably requires some changes to the base login modules to add a new generic jaas callback class that can be used to obtain the digest parameters.
5. Re: DIGEST Authentication
starksm64 Oct 6, 2005 12:25 PM (in response to reinerka)
I spent a little time looking at this and we should be able to add support for this in 4.0.4.
http://jira.jboss.com/jira/browse/JBAS-2338

6. Re: DIGEST Authentication
starksm64 Oct 8, 2005 11:52 AM (in response to reinerka)
This has been added to the 4.0/head branches for inclusion into 4.0.4. This includes support for storing a hashed form of the password so that clear text passwords are not needed.
http://wiki.jboss.org/wiki/Wiki.jsp?page=DIGESTAuth
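The point made in replies 4 and 6 (the realm's authenticate() receives the digest parameters, and the server needs either the clear-text password or a hashed form of it) comes down to the RFC 2617 arithmetic. The following is an added example, not JBoss or Tomcat code and not the implementation behind JBAS-2338; the class and method names, and all sample values, are constructed for illustration. It shows that a server only needs to store HA1 = MD5(username:realm:password), the "hashed form" mentioned in reply 6, to verify a client's response, and that the parameters it needs are exactly those in the JBossSecurityMgrRealm signature above (nonce, nc, cnonce, qop, and md5a2, which is HA2).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: RFC 2617 Digest verification against a stored HA1 (hypothetical class, not JBoss code). */
public class DigestVerifierExample {

    // Lower-case hex of MD5(input), as the Digest scheme requires.
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] out = md.digest(input.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : out) {
                sb.append(String.format("%02x", b & 0xff));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** HA1 = MD5(username:realm:password). This is the only secret the server must keep. */
    static String ha1(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /** HA2 = MD5(method:uri); this is what the realm's md5a2 parameter carries. */
    static String ha2(String method, String uri) {
        return md5Hex(method + ":" + uri);
    }

    /**
     * Server-side check: recompute the expected response from the stored HA1 and the
     * request parameters, then compare with the value the client sent in response=.
     */
    static boolean verify(String storedHa1, String md5a2, String nonce, String nc,
                          String cnonce, String qop, String clientResponse) {
        String expected;
        if (qop == null) {
            // RFC 2069 compatibility form (no qop, nc or cnonce).
            expected = md5Hex(storedHa1 + ":" + nonce + ":" + md5a2);
        } else {
            expected = md5Hex(storedHa1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + md5a2);
        }
        // Length-independent comparison so the check does not leak where the hashes diverge.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     clientResponse.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample values; none of them come from the thread.
        String user = "reiner", realm = "example-realm", password = "s3cret";
        String nonce = "constructed-nonce-0001", nc = "00000001", cnonce = "client-nonce-9f", qop = "auth";
        String method = "GET", uri = "/secured/index.jsp";

        // What the database row holds instead of the clear-text password.
        String storedHa1 = ha1(user, realm, password);

        // What a client computes from the same inputs and sends in the Authorization header.
        String clientResponse = md5Hex(storedHa1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2(method, uri));

        System.out.println("stored HA1:      " + storedHa1);
        System.out.println("valid response:  " + verify(storedHa1, ha2(method, uri), nonce, nc, cnonce, qop, clientResponse));
        // The same response no longer verifies if the request URI was changed in transit.
        System.out.println("tampered URI:    " + verify(storedHa1, ha2(method, "/other"), nonce, nc, cnonce, qop, clientResponse));
    }
}
```

Two consequences follow for anyone wiring this into a login module. First, HA1 is bound to the realm name, so the stored hash must be regenerated if the realm string changes. Second, HA1 is password-equivalent for that realm (whoever holds it can answer any challenge), so the store deserves the same protection a clear-text password table would, and the nonce should be checked for freshness by the server rather than trusted from the request.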