Summary: Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
Product: Tomcat 7
Reporter: Neale Rudd <neale>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Attachments: patch against the current 8.0.0-dev trunk adding toLowerCase on hash retrieval
Description Neale Rudd 2012-03-21 04:39:32 UTC
Created attachment 28487: patch against the current 8.0.0-dev trunk adding toLowerCase on hash retrieval

Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase. This is not a problem if the hashes are generated by CATALINA/bin/digest.sh, but if they are prepared with other software which generates uppercase hex strings for hashes, it can be very confusing trying to figure out why digest authentication is not working.

The other hash comparisons use equalsIgnoreCase() to compare the hashes, but the digest version of RealmBase.authenticate() prepares the serverDigestValue by taking the Principal's hash (as is) and prepending it to the nonce and other digest fields, and then rehashing. As a result, the final hash serverDigest is not the same as the clientDigest value that comes from the browser.

To test, change an MD5 DIGEST hash to upper case and attempt to authenticate. The provided one-line patch against the current 8.0.0-dev trunk simply uses toLowerCase on the retrieved server-side hash.

Best Regards,
Neale Rudd
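The failure described in the report follows directly from how the RFC 2617 digest response is built: the stored hash (HA1) is not compared directly but becomes part of the string that is hashed again, so any difference in its hex casing changes the final digest. The following Python example is added here to illustrate that mechanism and the effect of lowercasing the stored hash before use; it is not Tomcat code and not the reporter's patch. All usernames, realms, nonces and other values are constructed for the example.

```python
import hashlib


def md5_hex(s: str) -> str:
    """MD5 as lowercase hex, the form RFC 2617 prescribes for H()."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what the server stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).

    HA1 is fed in as text, so its casing is part of the hashed input.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1: str, client_response: str, method: str, uri: str,
                   nonce: str, nc: str, cnonce: str, qop: str,
                   normalize_case: bool) -> bool:
    """Server-side check. With normalize_case=False the stored hash is used
    as is (the behaviour the report describes); with True it is lowercased
    first, which is what the one-line fix does."""
    h = stored_ha1.lower() if normalize_case else stored_ha1
    server_digest = digest_response(h, method, uri, nonce, nc, cnonce, qop)
    # Even a case-insensitive comparison of the final digests cannot rescue
    # the mismatch, because the inputs to the outer MD5 already differ.
    return server_digest.lower() == client_response.lower()


# Constructed sample exchange (not real credentials or a real nonce).
USERNAME, REALM, PASSWORD = "alice", "example-realm", "s3cret"
METHOD, URI = "GET", "/protected/"
NONCE, NC, CNONCE, QOP = "0a1b2c3d4e5f", "00000001", "f00dcafe", "auth"

# The browser always derives HA1 itself from the password, in lowercase hex.
CLIENT_RESPONSE = digest_response(ha1(USERNAME, REALM, PASSWORD),
                                  METHOD, URI, NONCE, NC, CNONCE, QOP)


def outcome(stored_ha1: str, normalize_case: bool) -> bool:
    return server_accepts(stored_ha1, CLIENT_RESPONSE, METHOD, URI,
                          NONCE, NC, CNONCE, QOP, normalize_case)


if __name__ == "__main__":
    lower = ha1(USERNAME, REALM, PASSWORD)
    upper = lower.upper()  # hash prepared by a tool that emits uppercase hex
    print("lowercase stored hash, no fix :", outcome(lower, False))  # True
    print("uppercase stored hash, no fix :", outcome(upper, False))  # False
    print("uppercase stored hash, fix    :", outcome(upper, True))   # True
```

Running the script shows the three cases the report walks through: a lowercase stored hash authenticates with or without the fix, an uppercase stored hash fails unless the server lowercases it before rehashing, and comparing the final digests case-insensitively does not help on its own.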
Comment 1 Mark Thomas 2012-03-21 10:03:57 UTC
Thanks for the report and the patch. A slightly modified version has been applied to trunk and 7.0.x and will be included in 7.0.27 onwards.