Problems using DIGEST with /waffle-jaas

Aug 21, 2010 at 10:55 AM

Hi All,

I've configured the "samples\waffle-jaas" webapp as per the instructions provided.

When I use BASIC authentication:

    <realm-name>Jaas Basic</realm-name>

everything works fine.

As soon as I change it to DIGEST and re-start Tomcat:

    <realm-name>Jaas Digest</realm-name>

I can only log in as a "Guest" - i.e. if I specify a valid account, authentication fails, but for an invalid login I get "Your user principal name is HOMEPC\Guest".

What am I missing?



Aug 21, 2010 at 12:20 PM

You're not missing anything, except that it's not implemented (feature request here). Digest authentication doesn't send the password to the server, it's more similar to NTLM than to BASIC. I couldn't get it to work with the Microsoft SSP.
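
An added illustration of the point above (not code from the thread or from Waffle): in Digest the browser sends a hash derived from the password and the server's nonce, and the server can only verify it by recomputing the same hash from its own stored HA1 = MD5(user:realm:password). There is no plaintext password it could pass on to a Windows logon. Realm, user and nonces below are constructed sample values.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data (not from the thread). The server keeps only HA1,
# the plaintext is shown here purely to build the demo table.
REALM = "Jaas Digest"
USERS = {"alice": "s3cret"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# What a Digest-capable server stores per (user, realm): HA1, never the password.
HA1_TABLE = {(u, REALM): md5hex(f"{u}:{REALM}:{pw}") for u, pw in USERS.items()}


def server_challenge(realm: str = REALM) -> str:
    """WWW-Authenticate value a DIGEST realm sends (RFC 2617 subset, qop=auth)."""
    return f'Digest realm="{realm}", qop="auth", nonce="{secrets.token_hex(16)}"'


def parse_params(header: str) -> dict:
    """Parse key="value" / key=value pairs out of a Digest header."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', header)}


def client_response(user: str, password: str, challenge: str, method: str, uri: str) -> str:
    """Browser side: the password is consumed here and only a hash leaves the client."""
    p = parse_params(challenge)
    ha1 = md5hex(f"{user}:{p['realm']}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    nc, cnonce = "00000001", secrets.token_hex(8)  # constructed client nonce
    resp = md5hex(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(authz: str, method: str, ha1_table: dict) -> bool:
    """Server side: recompute the hash from stored HA1; without HA1 nothing can be checked."""
    p = parse_params(authz)
    if not {"username", "realm", "nonce", "nc", "cnonce", "qop", "uri", "response"} <= p.keys():
        return False
    ha1 = ha1_table.get((p["username"], p["realm"]))
    if ha1 is None:
        return False
    ha2 = md5hex(f"{method}:{p['uri']}")
    expected = md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return hmac.compare_digest(expected, p["response"])
```

A real deployment would also track nonces to reject replays; that bookkeeping is left out here to keep the exchange itself visible.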

Aug 23, 2010 at 2:36 PM

Thanks dblock,

I'm happy to use "Waffle Filter" technology, but I am missing "Realm Description" in the "Browser Login Prompt".

That is, if I use Firefox I get:

1) for "waffle-jaas" - Enter username and password for "Jaas Digest" at http://HOMEPC:8080

2) for "waffle-filter" - Enter username and password for "" at http://HOMEPC:8080

If I use Safari I get:

1) for "waffle-jaas" - To view this page, you must log in to this area on HOMEPC:8080:  "Jaas Digest". Your login information will be sent securely

2) for "waffle-filter" - To view this page, you must log in to area "HOMEPC" on HOMEPC:8080. Your login information will be sent securely

I noticed that you send "WWW-Authenticate: Negotiate" and "WWW-Authenticate: NTLM" headers when filtering.

Digest Authentication sends "WWW-Authenticate: Digest realm='Jaas Digest',....".

Would the same "realm description" logic work for your filter?

If yes, can I achieve it using existing Tomcat tags, or do I need to change your program to accept 1 more parameter?



Aug 23, 2010 at 5:39 PM

I still don't understand what this has to do with Digest. Digest is not implemented with Waffle and Waffle doesn't send WWW-Authenticate: Digest ever (it sends WWW-Authenticate: Negotiate and NTLM). So you're using someone else's digest provider?

Aug 24, 2010 at 12:21 AM

"WWW-Authenticate: Digest realm='Jaas Digest',...." is sent by Tomcat when I use your "waffle-jaas" sample.

I would like your "waffle-filter" sample to send "WWW-Authenticate: Negotiate realm='Waffle Filter Zone'" header - I suggest 1 more parameter inside <filter> tag:

      <param-value>Waffle Filter Zone</param-value>

but I don't know for sure whether Browser will present me with expected dialog.

Aug 24, 2010 at 1:58 AM
Edited Aug 24, 2010 at 1:58 AM

You're confused. Negotiate is a protocol that chooses NTLM or Kerberos. These protocols don't have any dialogs since they don't require a username or password.