Bug 52515 - Digest auth specifically requires digested passwords to be hashed with MD5
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Documentation
Version: unspecified
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-24 11:27 UTC by David Powell
Modified: 2012-06-09 01:49 UTC
Description David Powell 2012-01-24 11:27:38 UTC
Re:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords


The documentation says:

"If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}."


The documentation does not mention the fact that when using HTTP Digest Auth with digested passwords, you MUST use the MD5 algorithm to digest the passwords.

When the authentication is performed, the digest algorithm specified for the realm is ignored, and MD5 is always used, so if SHA has been used, authentication will fail.


(Would it be appropriate to log a warning if it is detected that Digest Auth is being used and the Realm's digest algorithm is something other than MD5...?)

-- 
Dave
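The behaviour the report describes can be seen by walking through RFC 2617 Digest authentication end to end. The following is an added example written for this page; it is not Tomcat code and does not use Tomcat's classes. It models a Realm whose stored "digested password" was produced over username:realm:password with a configurable algorithm (the hypothetical helper stored_digest, which maps names such as "MD5" and "SHA-256" onto hashlib names, is an assumption of this example), then verifies a client response the way the server does, always with MD5. The sample credentials, nonce and expected response come from the worked example in RFC 2617 section 3.5; digest_auth_config_warning is the start-up check the reporter asks about.

```python
import hashlib
import hmac
from typing import Dict, Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 "HA1": the client always hashes username:realm:password with MD5,
    # whatever the server's realm was configured with.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str = "", cnonce: str = "", qop: str = "") -> str:
    # RFC 2617 request-digest. With qop=auth the nonce count and client nonce are
    # mixed in; without qop the older RFC 2069 form is used.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def stored_digest(username: str, realm: str, password: str, algorithm: str) -> str:
    # Hypothetical helper (not Tomcat code): models a Realm with digest="<algorithm>"
    # whose stored value was generated over username:realm:password, as the
    # realm-howto instructs for DIGEST authentication.
    # Assumption: algorithm names map onto hashlib names ("MD5" -> "md5", "SHA-256" -> "sha256").
    h = hashlib.new(algorithm.lower().replace("-", ""))
    h.update(f"{username}:{realm}:{password}".encode("utf-8"))
    return h.hexdigest()


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str, response: str,
                  nc: str = "", cnonce: str = "", qop: str = "") -> bool:
    # Server side with digested passwords: the stored value is used directly as HA1
    # and the response is recomputed with MD5 regardless of the realm's algorithm.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


def digest_auth_config_warning(auth_method: str, realm_digest: str) -> Optional[str]:
    # The configuration-time check the reporter suggests: DIGEST auth combined with a
    # non-MD5 realm digest can never authenticate anyone, so flag it up front.
    if auth_method.upper() == "DIGEST" and realm_digest.upper() != "MD5":
        return (f"DIGEST authentication requires digested passwords to be MD5; "
                f"realm digest is {realm_digest!r}, so all logins will fail")
    return None


def demo() -> Dict[str, bool]:
    # Values taken from the worked example in RFC 2617 section 3.5.
    user, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    method, uri = "GET", "/dir/index.html"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    nc, cnonce, qop = "00000001", "0a4f113b", "auth"

    # What the browser sends: it knows the cleartext password and uses MD5.
    response = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce, qop)

    # Same correct password on both sides; only the realm's digest algorithm differs.
    results: Dict[str, bool] = {}
    for algorithm in ("MD5", "SHA-256"):
        stored = stored_digest(user, realm, password, algorithm)
        results[algorithm] = server_verify(stored, method, uri, nonce, response, nc, cnonce, qop)
    return results


if __name__ == "__main__":
    print(demo())  # {'MD5': True, 'SHA-256': False}
    print(digest_auth_config_warning("DIGEST", "SHA-256"))
```

Running demo() shows the failure mode directly: with the correct password and an MD5-digested realm the response verifies, while a SHA-256-digested realm rejects the same login, because the server compares against MD5(username:realm:password) no matter what the realm was told to use.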
Comment 1 David Powell 2012-01-24 11:30:37 UTC
Suggest changing the first sentence to something like:

If using digested passwords with DIGEST authentication, the MD5 algorithm must be used for the message digest; additionally, the cleartext used to generate the digest is different.

-- 
Dave
Comment 2 Mark Thomas 2012-01-27 22:55:05 UTC
Fixed in trunk and 7.0.x and will be included in 7.0.26 onwards.

I used slightly different wording since the important part - in my view - is that the plain text is different.
Comment 3 Konstantin Kolinko 2012-06-09 01:49:50 UTC
Clarification added to 6.0 docs as well, will be in 6.0.36.