[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [jetty-users] "the password must be in a recoverable format"
|
Hi Jan
In DigestAuthenticator.Digest.check, the code seems to be prepared for
the credentials to be a pre-calculated MD5 hash. See the comment that
begins, "Credentials are already a MD5 digest".
Also, in the distributed sample realm.properties, there is an entry for
username "digest", with the comment "This entry is for digest auth. The
credential is a MD5 hash of username:realm name:password". That is
especially confusing, since an earlier comment in the same file says
that thing about "must be in a recoverable format".
All this gave me confidence to try keeping pre-calculated MD5 hashes in
my equivalent of the realm password file, and so far it seems to be
working...
-- Guy
On 11/06/2011 09:39 PM, Jan Bartel wrote:
> Guy,
>
> With DIGEST authentication, the server has to calculate a digest using the
> info supplied in the authentication request, so the stored password has to
> be recoverable in order to be able to be used in the digest.
>
> Jan
>
> On 5 November 2011 05:29, Guy Hillyer <jetty-users@xxxxxxxxxxxxxx> wrote:
>> The javadoc for HashLoginService contains this caveat:
>>
>> "If DIGEST Authentication is used, the password must be in a
>> recoverable format, either plain text or OBF."
>>
>> However this doesn't appear to be true, as using an MD5 hash seems to
>> work just fine.
>>
>> The same note appears in javadoc for PropertyUserStore, and again in
>> a comment in the distributed example realm.properties file.
>>
>> I'll file a doc bug report unless someone tells me I'm off in the weeds
>> (always a possibility).
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-users