Re: [jetty-users] "the password must be in a recoverable format"

Hi Jan

In DigestAuthenticator.Digest.check, the code seems to be prepared for
the credentials to be a pre-calculated MD5 hash.  See the comment that
begins, "Credentials are already a MD5 digest".

Also, in the distributed sample realm.properties, there is an entry for
username "digest", with the comment "This entry is for digest auth.  The
credential is a MD5 hash of username:realm name:password".  That is
especially confusing, since an earlier comment in the same file says
that thing about "must be in a recoverable format".

All this gave me confidence to try keeping pre-calculated MD5 hashes in
my equivalent of the realm password file, and so far it seems to be
working...

  -- Guy


On 11/06/2011 09:39 PM, Jan Bartel wrote:
> Guy,
>
> With DIGEST authentication, the server has to calculate a digest using the
> info supplied in the authentication request, so the stored password has to
> be recoverable in order to be able to be used in the digest.
>
> Jan
>
> On 5 November 2011 05:29, Guy Hillyer <jetty-users@xxxxxxxxxxxxxx> wrote:
>> The javadoc for HashLoginService contains this caveat:
>>
>>    "If DIGEST Authentication is used, the password must be in a
>>    recoverable format, either plain text or OBF."
>>
>> However this doesn't appear to be true, as using an MD5 hash seems to
>> work just fine.
>>
>> The same note appears in javadoc for PropertyUserStore, and again in
>> a comment in the distributed example realm.properties file.
>>
>> I'll file a doc bug report unless someone tells me I'm off in the weeds
>> (always a possibility).
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
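An added example (not Jetty's code, and not from anyone in this thread) showing why a stored MD5(username:realm:password) value, the HA1 of RFC 2617, is all a DIGEST server needs: the client derives HA1 from its plaintext password, the server recomputes the response from the stored HA1 alone. The realm name, user store and nonce/cnonce values are constructed for the example, and nonce bookkeeping is deliberately left out.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the value the realm.properties
    comment describes. It is the only credential the server has to store."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

REALM = "Test Realm"  # constructed realm name

# Constructed user store: the server keeps HA1 only, never the password.
USER_STORE = {"digest": ha1("digest", REALM, "digest")}

def client_authorize(username, password, method, uri, nonce, cnonce,
                     nc="00000001"):
    """Client side: has the plaintext password, derives HA1 from it and
    returns the fields of an Authorization: Digest header as a dict."""
    h1 = ha1(username, REALM, password)
    return {"username": username, "realm": REALM, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(h1, method, uri, nonce, nc, cnonce)}

def server_check(auth: dict, method: str) -> bool:
    """Server side: recomputes the response from the stored HA1 alone.
    A real server must also confirm that nonce is one it issued and that
    nc has not been replayed; that state tracking is omitted here."""
    stored = USER_STORE.get(auth.get("username"))
    if stored is None or auth.get("realm") != REALM:
        return False
    expected = digest_response(stored, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    # constant-time comparison of the two hex digests
    return secrets.compare_digest(expected, auth["response"])

if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    good = client_authorize("digest", "digest", "GET", "/secret", nonce, "cn0nce")
    bad = client_authorize("digest", "wrong", "GET", "/secret", nonce, "cn0nce")
    print(server_check(good, "GET"), server_check(bad, "GET"))
```

Note that the stored HA1 is still password-equivalent for that user and realm: anyone who reads it can compute valid responses, so the file needs the same protection as a plaintext password file, and a hash stored this way only works for the exact realm name it was computed with.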

