10 Replies Latest reply on Jan 5, 2004 12:09 PM by Eric Van

    HTTP DIGEST authentication

    doomsday Newbie

      Hi folks,

      I am pretty new to JBoss, so please forgive me this maybe silly newbie question:

      Goal:
      Restrict access to an application by HTTP DIGEST authentication.

      Environment:
      - JBoss server 3.2.2 (out of the box as downloaded from this site)
      - MS SQL Server 2000
      - datasource properly configured (it works, see below)
      - simple application which lists some environment stuff.
      - login-config.xml (relevant snippet as attachment)
      - web.xml (see attachment)
      - jboss-web.xml (see attachment)

      Outcome:
      The HTTP Digest authentication does not work - I cannot log in. But when I change from DIGEST to BASIC in web.xml, everything works just as I want it to work.
      I tested with Mozilla Firebird 0.7 and Internet Explorer 6, both with the same results.

      One glitch in the server.log file: If deploying the sample app (configured for BASIC auth) the server nags me with the warning that I cannot set a delegate to a certain loader (see attachment for details).


      Any help is greatly appreciated!

        • 1. Re: HTTP FORM authentication
          jimbrady Newbie

          What symptoms do you get? I just tried to change from BASIC to DIGEST and everything looks good when it comes up - it just doesn't work. I just get an error indicating that the application doesn't exist. But I can see everything on the console and in the log.

          • 2. Re: HTTP FORM authentication
            jimbrady Newbie

            Sorry my reply got cut short.
            With JBOSS/JETTY (jboss-3.2.2RC2_jetty-4.2.11) I get BASIC to work but it has the problem that you do not get a 403 message if you try to access a protected URL without the required role (it pops up a new login screen).
            DIGEST doesn't work - it just pretends the application isn't there although it looks like it comes up OK on the server.
            FORM works but has a very strange side effect - it changes the Principal assigned as user principal. I set up a CallerPrincipal (org.jboss.security.SimplePrincipal) and it uses this, whereas with BASIC it uses the first user Principal that I defined (com.tagish.auth.win32.typed.NTUserPrincipal). No idea why this happens. It could be to do with the way Jetty manages threads when it starts up a Form.
            BASIC doesn't work at all with JBOSS/Tomcat (jboss-3.2.1_tomcat-4.1.24).
            My preference would be to use DIGEST - if somebody knows how to get this to work please let me know!
            Jim Brady

            • 3. Re: HTTP DIGEST authentication
              jimbrady Newbie

              I have been looking at the source and I wonder if this is as simple as adding code such as:

              // Find out the Authenticator. ...

              else if (SecurityConstraint.__DIGEST_AUTH.equalsIgnoreCase(_authMethod))
                  getHttpContext().setAuthenticator(new DigestAuthenticator());

              to org.mortbay.http.handler.SecurityHandler

              JBOSS (Scott Stark over to you).

              I will try security in some of the new releases - maybe Tomcat is working now - I know that some changes have been made. I find it hard to understand why this is all so difficult. I would have thought security was a HIGH priority. I'm writing a real world application here not a toy!

              • 4. Re: HTTP DIGEST authentication
                jimbrady Newbie

                Tomcat works now (Release Candidate 3.2.2RC4).

                • 5. Re: HTTP DIGEST authentication
                  doomsday Newbie

                  Hi,

                  how did you get it to work?

                  Cheers,
                  Doomsday

                  • 6. Re: HTTP DIGEST authentication
                    jimbrady Newbie

                    Hi,
                    I'm sorry but this is a very general question, so I'm not exactly sure how to answer it. I mean that the latest release (3.2.2RC4) of JBoss-Tomcat works with Digest authentication, just as I got Basic (not Digest) to work with JBoss 3.2.2RC2 with Jetty. I didn't change the application - just installed it on the new release. With JBoss-Tomcat (3.2.1) I couldn't get even Basic Authentication to be invoked at all. I always wanted to use Digest Authentication so I'm pleased. Digest doesn't work with JBoss-Jetty (it does work with Jetty) and it is not clear that it will be fixed soon. I am not keen on changing JBoss myself because of the complexity of the product and the problems this could cause for upgrades.
                    Jim Brady

                    • 7. Re: HTTP DIGEST authentication
                      jimbrady Newbie

                      Sorry the JBoss-Tomcat release that didn't work should read 3.2.2RC1.
                      Jim Brady

                      • 8. Re: HTTP DIGEST authentication
                        jimbrady Newbie

                        Hi,
                        I retested this and now DIGEST does not work (BASIC does). I suspect that some TOMCAT specific configuration is required. I wonder if what happened was that the server picked up the userid/password that were stored by form-based authentication when I changed to test DIGEST.
                        Jim Brady

                        • 9. Re: HTTP DIGEST authentication
                          doomsday Newbie

                          Hi Jim,

                          thanks for your info and research work.
                          It matches what I encountered so far - DIGEST auth with JBoss/Tomcat in JBoss release 3.2.2 does not work.

                          Cheers,
                          Michel

                          • 10. Re: HTTP DIGEST authentication
                            Eric Van Newbie

                            Did anyone get DIGEST authentication working?

                            I'm currently using
                            jboss 3.2.3
                            jdk 1.4.2

                            BASIC works fine, but DIGEST never invokes my login module... any additional info would be great.
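The whole thread is about DIGEST failing where BASIC succeeds, so it helps to see what the RFC 2617 Digest exchange actually asks of both sides. The following is an added example written for this page; it is not code from the thread, from JBoss, Jetty or Tomcat, and the realm "ExampleRealm", the user alice with password s3cret, and the request path /app/ are constructed values. It builds the server's WWW-Authenticate challenge, computes the client's Authorization credential with qop=auth, parses that header back on the server, and verifies it with nonce tracking so a replayed (nonce, nc) pair is rejected.

```python
import hashlib
import hmac
import re
import secrets

# Constructed realm and credential store (assumptions for this example, not
# values from the thread). Digest verification needs either the plaintext
# password or HA1 = MD5(username:realm:password); a store that holds only a
# salted one-way hash (enough for BASIC) cannot answer a Digest challenge,
# which is one reason a login module that works for BASIC can fail for DIGEST.
REALM = "ExampleRealm"
USERS_HA1 = {
    "alice": hashlib.md5(b"alice:ExampleRealm:s3cret").hexdigest(),
}


def md5_hex(text: str) -> str:
    """MD5 over UTF-8 bytes as lowercase hex, the form RFC 2617 Digest uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_challenge(realm: str = REALM) -> dict:
    """Server side: parameters for the WWW-Authenticate header of a 401."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth",
            "opaque": secrets.token_hex(8)}


def format_challenge(ch: dict) -> str:
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in ch.items())


def client_response(username, password, method, uri, ch, nc="00000001", cnonce=None) -> dict:
    """Client side: answer the challenge with qop=auth (RFC 2617 section 3.2.2)."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5_hex(f"{username}:{ch['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:{ch['qop']}:{ha2}")
    return {"username": username, "realm": ch["realm"], "nonce": ch["nonce"],
            "uri": uri, "qop": ch["qop"], "nc": nc, "cnonce": cnonce,
            "response": response, "opaque": ch["opaque"]}


def format_authorization(auth: dict) -> str:
    """Serialise as the Authorization header; nc and qop are sent unquoted."""
    parts = [f"{k}={v}" if k in ("nc", "qop") else f'{k}="{v}"'
             for k, v in auth.items()]
    return "Digest " + ", ".join(parts)


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Parse an 'Authorization: Digest ...' header back into its parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}


def server_verify(header, method, request_uri, issued, store=USERS_HA1):
    """Server side: validate a credential. `issued` maps every nonce the server
    handed out to the set of nc values already accepted for it, so an unknown
    nonce or a repeated nonce count is refused before any hashing is done."""
    try:
        auth = parse_authorization(header)
    except ValueError as exc:
        return False, str(exc)
    nonce = auth.get("nonce")
    if nonce not in issued:
        return False, "unknown or expired nonce"
    if auth.get("nc") in issued[nonce]:
        return False, "replayed nonce count"
    if auth.get("uri") != request_uri:
        return False, "uri does not match request"
    ha1 = store.get(auth.get("username"))
    if ha1 is None:
        return False, "unknown user"
    ha2 = md5_hex(f"{method}:{request_uri}")
    expected = md5_hex(
        f"{ha1}:{nonce}:{auth.get('nc')}:{auth.get('cnonce')}:{auth.get('qop')}:{ha2}")
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return False, "bad response digest"
    issued[nonce].add(auth["nc"])
    return True, "ok"


if __name__ == "__main__":
    ch = make_challenge()
    issued = {ch["nonce"]: set()}
    hdr = format_authorization(client_response("alice", "s3cret", "GET", "/app/", ch))
    print(format_challenge(ch))
    print(hdr)
    print(server_verify(hdr, "GET", "/app/", issued))   # (True, 'ok')
    print(server_verify(hdr, "GET", "/app/", issued))   # replay of the same nc is refused
```

Two things a practitioner checks when Digest "never invokes the login module": the server must be able to produce HA1 for the realm named in the challenge (so the stored secret has to be the password or MD5(user:realm:password), and the realm string must match exactly), and the server must remember the nonces it issued, otherwise every credential is rejected as unknown before the password is ever consulted.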