jdbcDigestAuthentication仅在提供哈希时有效 [英] jdbcDigestAuthentication only works when providing the hash
问题描述
我开始设置基本身份验证的项目。我现在想切换到摘要式身份验证。问题是只有在我提供实际密码的哈希值而不是实际密码时才验证身份验证。
I started a project setting up basic authentication. I now want to switch to Digest Authentication. The problem is that the authentication is validated only if I provide the hash of the actual password, and not the actual password.
我做了以下操作从BASIC切换到DIGEST :
I did the following to switch from BASIC to DIGEST:
-
在我的web.xml中将auth-method改为DIGEST
changed in my web.xml the auth-method to DIGEST
在我的数据库中将我的JDBC Realm的JAAS上下文更改为jdbcDigestRealm
changed the JAAS context of my JDBC Realm to "jdbcDigestRealm"
我曾经将password作为密码,我改为MD5的结果(webuser:postgres:webuser)(其中webuser是登录名,webuser是密码,postgres是领域),换句话说,我将表中的密码设置为c3c2681ed07a5a2a5cb772061a8385e8。
in my db, I used to have "password" as a password, I changed in to the result of MD5(webuser:postgres:webuser) (where webuser is the login, webuser is the password, and postgres is the realm), in other words I set the password in my table to c3c2681ed07a5a2a5cb772061a8385e8.
我遇到的问题是,当我尝试访问资源时,浏览器会显示登录弹出窗口,但使用 webuser因为密码不起作用。但是,使用c3c2681ed07a5a2a5cb772061a8385e8作为密码可以正常工作。看起来我还处于BASIC身份验证模式。
The problem I have is that the login popup is displayed by the browser when I try to access the resource, but using "webuser" as the password doesn't work. However, using "c3c2681ed07a5a2a5cb772061a8385e8" as the password works. It looks like I'm still in BASIC authentication mode.
任何线索?
谢谢!
推荐答案
DIGEST auth方法与HTTP摘要式身份验证相同。它只是加密浏览器和服务器之间的通信。服务器仍然以明文形式提供密码。
The DIGEST auth-method is same as HTTP Digest Authentication. It just encrypts the communication between the browser and the server. The server still has the password in plain text.
来自 http://java.boot.by/wcd-guide/ch05s03.html :
基本身份验证和摘要身份验证之间的区别在于,在浏览器和服务器之间的
网络连接上,密码是
加密,即使在非SSL连接上也是如此。在服务器中,密码
可以以明文或加密文本存储,对于所有
登录方法都是如此,并且与应用程序
部署者的选择无关。
The difference between basic and digest authentication is that on the network connection between the browser and the server, the password is encrypted, even on a non-SSL connection. In the server, the password can be stored in clear text or encrypted text, which is true for all login methods and is independent of the choice that the application deployer makes.
您应该设置 JDBC的到 digest-algorithm 属性领域 MD5 。之后,JDBC Realm将对密码进行哈希处理。
You should set the digest-algorithm property of your JDBC Realm to MD5. After that the JDBC Realm will hash the password.
这篇关于jdbcDigestAuthentication仅在提供哈希时有效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
