https://issues.apache.org/bugzilla/show_bug.cgi?id=52953
Bug #: 52953
Summary: Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
Product: Tomcat 7
Version: trunk
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: ne...@metawerx.net
Classification: Unclassified

Created attachment 28487 --> https://issues.apache.org/bugzilla/attachment.cgi?id=28487
patch against the current 8.0.0-dev trunk adding toLowerCase on hash retrieval

Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.

This is not a problem if the hashes are generated by CATALINA/bin/digest.sh, but if they are prepared with other software which generates uppercase hex strings for hashes, it can be very confusing trying to figure out why digest authentication is not working.

The other hash comparisons use equalsIgnoreCase() to compare the hashes, but the digest version of RealmBase.authenticate() prepares the serverDigestValue by taking the Principal's hash (as is), prepending it to the nonce and other digest fields, and then rehashing. As a result, the final hash serverDigest is not the same as the clientDigest value that comes from the browser.

To test, change an MD5 DIGEST hash to upper case and attempt to authenticate.

The provided one-line patch against the current 8.0.0-dev trunk simply uses toLowerCase on the retrieved server-side hash.

Best Regards,
Neale Rudd
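The failure described in the report comes down to the structure of the HTTP Digest computation: the stored HA1 is not compared against anything directly, it is concatenated as a hex string into the input of a second MD5, so a case difference changes the bytes being hashed and the server's digest never matches the browser's. The following is an added example, not Tomcat code or the reporter's patch: a minimal RFC 2617 (MD5, qop=auth) client and server side in Python, with a `lowercase_stored` switch that models the proposed toLowerCase fix. The sample user, realm, password, nonce, cnonce and URI are the worked example from RFC 2617 section 3.5; the constant-time comparison via `hmac.compare_digest` is an addition here and not something the bug report discusses.

```python
"""Added example (not Tomcat's RealmBase): HTTP Digest response computation
showing why an uppercase stored HA1 breaks verification unless lowercased."""
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """MD5 rendered as lowercase hex, the form CATALINA/bin/digest.sh emits."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is the value a digest realm stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:uri) for qop=auth."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex: str, nonce: str, nc: str, cnonce: str,
                    qop: str, ha2_hex: str) -> str:
    """Rehash HA1 with the nonce fields. Both client and server do this, and the
    HA1 hex string goes in verbatim, so its case changes the resulting digest."""
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2_hex}")  # RFC 2069 form, no qop


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Browser side: HA1 is derived from the password, so it is always lowercase hex."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce,
                           qop, ha2(method, uri))


def server_verify(stored_ha1: str, client_digest: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, qop: str = "auth",
                  lowercase_stored: bool = False) -> bool:
    """Server side, mirroring the digest branch of RealmBase.authenticate().

    lowercase_stored=False reproduces the reported behaviour (stored hash used as is);
    lowercase_stored=True models the one-line patch (toLowerCase on retrieval).
    The constant-time comparison is an addition of this example."""
    h = stored_ha1.lower() if lowercase_stored else stored_ha1
    expected = digest_response(h, nonce, nc, cnonce, qop, ha2(method, uri))
    return hmac.compare_digest(expected, client_digest)


def basic_style_compare(stored_ha1: str, computed_ha1: str) -> bool:
    """The BASIC path compares two hex digests case-insensitively (equalsIgnoreCase),
    which is why uppercase storage only bites in DIGEST mode."""
    return stored_ha1.lower() == computed_ha1.lower()


# Sample values taken from the worked example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"
NONCE, NC, CNONCE, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"


def rfc2617_example_response() -> str:
    """The client response for the RFC 2617 section 3.5 parameters."""
    return client_response(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE, QOP)


def demo() -> dict:
    """Run the four cases the bug report contrasts and return the outcomes."""
    resp = rfc2617_example_response()
    stored_lower = ha1(USER, REALM, PASSWORD)      # what digest.sh would produce
    stored_upper = stored_lower.upper()            # what other tooling may produce
    return {
        "lowercase_stored_ok": server_verify(stored_lower, resp, METHOD, URI, NONCE, NC, CNONCE, QOP),
        "uppercase_unpatched": server_verify(stored_upper, resp, METHOD, URI, NONCE, NC, CNONCE, QOP),
        "uppercase_patched": server_verify(stored_upper, resp, METHOD, URI, NONCE, NC, CNONCE, QOP,
                                           lowercase_stored=True),
        "basic_uppercase_ok": basic_style_compare(stored_upper, stored_lower),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Two points for anyone applying the same fix elsewhere: equalsIgnoreCase() cannot be used here because the stored hash is an input to a further hash rather than a comparand, so normalization has to happen before the rehash; and lowercasing is only valid for hex-encoded digests, since the same call would corrupt a digest stored in a case-sensitive encoding such as Base64.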