6 Replies Latest reply on Oct 8, 2005 11:52 AM by Scott Stark

    DIGEST Authentication

    Reiner Kappenberger Newbie

      I'm trying to set up a server for Digest authentication. I've been working previously with the BASIC authentication and everything seems to work as expected.

      All that was done is to change the web.xml to DIGEST and now I can't find anything that would get me past the authentication part.

      I've been tryinig to use http-client from the Apache side (2.0.2 and 3.0-rc3) plus IE6 & Firefox with no luck.

      Is there anything else I should be aware of?

      The JBoss server is 4.0.2

      As said. When switching to BASIC authentication everything is fine.

      Thanks,
      Reiner

        • 1. Re: DIGEST Authentication
          Reiner Kappenberger Newbie

          One more clarification to the scenario.

          I'm also using DatabaseServerLoginModule where clear test passwords are stored (not encrypted).

          We don't have a problem storing clear text passwords for this particular environment. But DIGEST is a requirement over the wire.

          Reiner

          • 2. Re: DIGEST Authentication
            Scott Stark Master

            You should be aware of the fact that we don't support DIGEST auth because it requires that the password be available in clear text on the server, and this is not generally possible. There has been little demand for DIGEST to date and so we have not looked into supporting it when used with a store that can return the clear text password.

            • 3. Re: DIGEST Authentication
              Reiner Kappenberger Newbie

              Scott,

              after posting the question I've found several of your replies to that.

              The problem I'm facing is that DIGEST authentication is a requirement for the application.

              The password is known from the username (isn't that a really good password). So in effect there would be a custom authentication handler behind the scene.

              For simple tests right now a DatabaseServerLoginModule would work that can be linked to the DIGEST authentication scheme.

              If help would be needed I'm willing to contribute code to make it work. Otherwise I would be required to look into another App Server, which I'm not thrilled about.

              Reiner

              • 4. Re: DIGEST Authentication
                Scott Stark Master

                It won't be hard. Just change the following org.jboss.web.tomcat.security.JBossSecurityMgrRealm method to be similar to the others:

                 public Principal authenticate(String username, String digest, String nonce,
                 String nc, String cnonce, String qop, String realm, String md5a2)
                 {
                 return super.authenticate(username, digest, nonce,
                 nc, cnonce, qop, realm, md5a2);
                 }
                


                The trick is how to get all of the digest info into the login module. The simplest would be just to pass it in via a custom class as the credential, and subclass DatabaseServerLoginModule to deal with the custom class. A org.jboss.crypto.digest.DigestCallback has to deal with the hashing. To integrate this generically into jboss probably requires some changes to the base login modules to add a new generic jaas callback class that can be used to obtain the digest parameters.

                • 5. Re: DIGEST Authentication
                  Scott Stark Master

                  I spent a little time looking at this and we should be able to add support for this in 4.0.4.
                  http://jira.jboss.com/jira/browse/JBAS-2338

                  • 6. Re: DIGEST Authentication
                    Scott Stark Master

                    This has been added to the 4.0/head branches for inclusion into 4.0.4. This includes support for storing a hashed form of the password so that clear text passwords are not needed.

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=DIGESTAuth