Hi Tomcat Team,

I am using a Tomcat based webserver container for our web application. All the deployment and other tasks are taken care of using TOMCAT 7.10.105. Currently we are using BASIC Authentication for the Manager and tomcat web application. Can we migrate to and use DIGEST Authentication for the same? What are the suggested and recommended ways to implement and use DIGEST Authentication with TOMCAT 7 web applications? Your valuable assistance is much appreciated.

Regards,
Ravi
On 13/01/2021 09:36, Ravi Kumar wrote:
> Hi Tomcat Team,
>
> I am using a Tomcat based webserver container for our web application. All
> the deployment and other tasks are taken care of using TOMCAT 7.10.105.

Tomcat 7.0.x will reach end of life on 31 March 2021.

> Currently we are using BASIC Authentication for the Manager and tomcat
> web application.
> Can we migrate to and use DIGEST Authentication for the same?

Yes.

> What are the
> suggested and recommended ways to implement and use DIGEST Authentication
> with TOMCAT 7 web applications?

Simply replace "<auth-method>BASIC</auth-method>" in the application's
web.xml file with "<auth-method>DIGEST</auth-method>"

> Your valuable assistance is much appreciated.

If you are storing passwords in digest form note the following:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords

Generally, you are better off switching from BASIC+http to BASIC+https
rather than DIGEST+http. If you are already using BASIC+https then
switching to DIGEST+https is unlikely to gain you anything.

Mark
Mark and Ravi,

On 1/13/21 04:59, Mark Thomas wrote:
> On 13/01/2021 09:36, Ravi Kumar wrote:
>> Hi Tomcat Team,
>>
>> I am using a Tomcat based webserver container for our web application. All
>> the deployment and other tasks are taken care of using TOMCAT 7.10.105.
>
> Tomcat 7.0.x will reach end of life on 31 March 2021.
>
>> Currently we are using BASIC Authentication for the Manager and tomcat
>> web application.
>> Can we migrate to and use DIGEST Authentication for the same?
>
> Yes.
>
>> What are the
>> suggested and recommended ways to implement and use DIGEST Authentication
>> with TOMCAT 7 web applications?
>
> Simply replace "<auth-method>BASIC</auth-method>" in the application's
> web.xml file with "<auth-method>DIGEST</auth-method>"
>
>> Your valuable assistance is much appreciated.
>
> If you are storing passwords in digest form note the following:
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords
>
> Generally, you are better off switching from BASIC+http to BASIC+https
> rather than DIGEST+http.

+1

> If you are already using BASIC+https then
> switching to DIGEST+https is unlikely to gain you anything.

Switching to HTTP DIGEST authentication is a net loss in security because the passwords must be stored insecurely.

Please note that there can be confusion between HTTP DIGEST authentication (which is an authentication scheme) and using "digested" (aka hashed) passwords in your password database. HTTP DIGEST precludes the use of (properly) digested passwords in your database, and digested (hashed) passwords in your password database is a Best Practice.

With HTTP DIGEST authentication, the server must have access to the value of MD5(username:realm:password). This can either be done by storing the password in plaintext (insecure!) or storing the value of MD5(username:realm:password), which is also insecure.

MD5(username:realm:password) is insecure because the MD5 hashing algorithm is considered weak and also both the username and realm name will be known to any potential attacker.

Note that this criticism is not against HTTP DIGEST authentication itself, as the communication of the credential material can be considered secure even though it is using insecure cryptographic primitives (specifically, MD5). This is a criticism about the *storage requirements* on the server-side. If the user database were to be compromised, password recovery is not sufficiently mitigated because you cannot use proper hashing on the stored credentials. Industry best practices are currently to use "salted" and "iterated" hashes of stored credentials, neither of which can be used with HTTP DIGEST.

-chris