Bug 19767 - Digest authentication doesn't work with JDBCRealm
Summary: Digest authentication doesn't work with JDBCRealm
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 4
Classification: Unclassified
Component: Catalina
Version: 4.1.24
Hardware: PC All
Importance: P3 normal with 1 vote
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Duplicates: 4352 17908
Reported: 2003-05-08 15:21 UTC by Giovanni
Modified: 2004-11-27 10:31 UTC



Description Giovanni 2003-05-08 15:21:52 UTC
PROBLEM

Configuring <auth-method>DIGEST</auth-method> for a web application using 
JDBCRealm doesn't work.
It is not possible to authenticate users.


ANALYSIS

Debugging source code of org.apache.catalina.realm.JDBCRealm class I noticed:

1) the method
authenticate(String username, String clientDigest,
             String nOnce, String nc, String cnonce,
             String qop, String realm,
             String md5a2)
of the class org.apache.catalina.realm.RealmBase
calculates the md5a1 value by calling the method
getDigest(String username, String realmName)
of the same class

2) the method
getDigest(String username, String realmName)
calculates the md5a1 value by getting the user password from the method
getPassword(String username)
of the org.apache.catalina.realm.JDBCRealm class

In this algorithm there are two problems:
- getPassword() must return the cleartext password, so you have to save it 
somewhere in the clear
- at the moment getPassword() is not implemented and always returns null

3) if you implement getPassword(), the method authenticate() still returns null 
because it tries to get the Principal by calling the method
getPrincipal(String username)
of the org.apache.catalina.realm.JDBCRealm class,
but at the moment this method is not implemented and always returns null


SOLUTION

I think there are two main things to solve:
- implement getPassword() and getPrincipal() in the JDBCRealm class
- provide the possibility to save on the DB not the cleartext password but the 
md5a1 value
(the md5a1 value is the digest of the following string: username + realmname + 
password)


COMMENTS

In the end you can choose between 4 different configurations:
1) <auth-method>BASIC and DB with cleartext pwd (working)
2) <auth-method>BASIC and DB with digest of pwd (working)
Main limits of this solution are:
- password sent in the clear on the network
- on the DB: if pwdA = pwdB then digestA = digestB
3) <auth-method>DIGEST and DB with cleartext pwd (not working)
- you only have to implement getPassword() and getPrincipal() in class 
org.apache.catalina.realm.JDBCRealm
4) <auth-method>DIGEST and DB with md5a1 (not working)
- you have to modify the getDigest() method in class 
org.apache.catalina.realm.RealmBase, providing the chance to get this value 
directly from the DB


Bye
  Giovanni
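The following is an added example, not Tomcat code and not part of the report above. It walks through the RFC 2617 digest computation that RealmBase.authenticate() performs (md5a1, md5a2, and the final response) and shows the two storage options from the report side by side: a getDigest() that derives md5a1 from a cleartext password (configuration 3) and one that reads a stored md5a1 straight from the database (configuration 4). Both verify the same client digest, which is the whole point of storing md5a1. The in-memory dictionaries stand in for the JDBCRealm user table and are constructed for the example; the user, realm and nonce values are the worked example from RFC 2617 section 3.5. Nonce freshness and nc replay checks, which a real realm must also do, are deliberately out of scope here.

```python
"""Added example (not from Tomcat): HTTP Digest verification per RFC 2617,
comparing a realm that stores cleartext passwords with one that stores md5a1.
"""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def md5a1(username: str, realm: str, password: str) -> str:
    """md5a1 (HA1 in RFC 2617) = MD5(username:realm:password).
    This is the value the report proposes storing in the DB instead of the
    cleartext password. Note it is bound to the realm name: changing the
    realm in server.xml invalidates every stored md5a1."""
    return md5_hex(f"{username}:{realm}:{password}")


def md5a2(method: str, uri: str) -> str:
    """md5a2 (HA2) for qop=auth = MD5(method:uri); the server computes this
    itself from the request, never trusting a client-supplied value."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str,
                    qop: str, ha2: str) -> str:
    """The 'response' the client sends, per RFC 2617 3.2.2.1."""
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy RFC 2069 form


# --- Constructed stand-ins for the JDBCRealm user table --------------------
REALM = "testrealm@host.com"
CLEARTEXT_DB = {"Mufasa": "Circle Of Life"}                    # configuration 3
MD5A1_DB = {"Mufasa": md5a1("Mufasa", REALM, "Circle Of Life")}  # configuration 4


def get_digest_from_cleartext(username: str, realm: str):
    """What RealmBase.getDigest() does today: derive md5a1 from getPassword().
    Requires the cleartext password to be on disk."""
    password = CLEARTEXT_DB.get(username)
    return None if password is None else md5a1(username, realm, password)


def get_digest_from_store(username: str, realm: str):
    """What the report asks for: read md5a1 directly from the DB.
    The DB then holds a password-equivalent for this realm, but not the
    password itself, so it cannot be reused against other realms or sites."""
    return MD5A1_DB.get(username)


def authenticate(get_digest, username: str, client_digest: str, nonce: str,
                 nc: str, cnonce: str, qop: str, realm: str, ha2: str):
    """Mirrors the shape of RealmBase.authenticate(): returns the principal
    name on success, None otherwise (a missing user must also return None)."""
    ha1 = get_digest(username, realm)
    if ha1 is None:
        return None
    expected = digest_response(ha1, nonce, nc, cnonce, qop, ha2)
    # Constant-time comparison so the check does not leak matching prefixes.
    return username if hmac.compare_digest(expected, client_digest) else None


def same_password_same_digest(user_a: str, user_b: str, password: str,
                              realm: str):
    """Report's limit on configuration 2 (digest of the bare password):
    equal passwords give equal DB rows. md5a1 does not, because the
    username is part of the hashed string. Returns (bare_equal, md5a1_equal)."""
    bare_equal = md5_hex(password) == md5_hex(password)
    md5a1_equal = md5a1(user_a, realm, password) == md5a1(user_b, realm, password)
    return bare_equal, md5a1_equal


if __name__ == "__main__":
    # Simulate the client side of the RFC 2617 example request.
    nonce, nc, cnonce, qop = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"
    ha2 = md5a2("GET", "/dir/index.html")
    client = digest_response(md5a1("Mufasa", REALM, "Circle Of Life"), nonce, nc, cnonce, qop, ha2)
    for getter in (get_digest_from_cleartext, get_digest_from_store):
        print(getter.__name__, "->",
              authenticate(getter, "Mufasa", client, nonce, nc, cnonce, qop, REALM, ha2))
```

Running the block prints the principal name for both getDigest() variants; the difference between them is purely what the database must contain. The md5a1 row is still a secret worth protecting (anyone who reads it can answer a Digest challenge for that realm), so storing it removes the cleartext exposure but does not remove the need to lock down the user table.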
Comment 1 Tim Funk 2003-08-25 23:37:02 UTC
*** Bug 17908 has been marked as a duplicate of this bug. ***
Comment 2 Mark Thomas 2004-09-12 22:08:27 UTC
*** Bug 4352 has been marked as a duplicate of this bug. ***
Comment 3 Mark Thomas 2004-11-27 19:31:14 UTC
Fixed in CVS.