I started a project setting up basic authentication. I now want to switch to Digest Authentication. The problem is that the authentication is validated only if I provide the hash of the actual password, and not the actual password.
I did the following to switch from BASIC to DIGEST:
-
changed in my web.xml the auth-method to DIGEST
-
changed the JAAS context of my JDBC Realm to “jdbcDigestRealm”
-
in my db, I used to have “password” as a password, I changed in to the result of MD5(webuser:postgres:webuser) (where webuser is the login, webuser is the password, and postgres is the realm), in other words I set the password in my table to c3c2681ed07a5a2a5cb772061a8385e8.
The problem I have is that the login popup is displayed by the browser when I try to access the resource, but using “webuser” as the password doesn’t work. However, using “c3c2681ed07a5a2a5cb772061a8385e8” as the password works. It looks like I’m still in BASIC authentication mode.
Any clue ?
Thank you !
The DIGEST auth-method is same as HTTP Digest Authentication. It just encrypts the communication between the browser and the server. The server still has the password in plain text.
From http://java.boot.by/wcd-guide/ch05s03.html:
You should set the
digest-algorithmproperty of yourJDBC RealmtoMD5. After that the JDBC Realm will hash the password.