« Roller's Wiki -... | Main | RE: Who reads them... »
20030215 Saturday February 15, 2003

RE: Which servers support HTTP Digest Authentication I did a bit of digging today to find out which J2EE servers support HTTP Digest Authentication. Here's what I found:

  • Tomcat: Yes. How do I know? My own experience, and this documentation. Why can't they just state this in Tomcat's documentation?
  • JBoss: Yes. How do I know? An earlier comment. Since JBoss can be configured with Tomcat and Jetty, this question is only applicable to those servers. I couldn't find any Jetty documentation indicating support, but I trust the users. Finding any information on JBoss is a real pain in the ass, I hate PDFs.
  • Resin: Yes. This documentation says so. This documentation and finding the answer was the easiest yet. Of course, the manual testing on Tomcat was pretty easy too.
  • Orion: No. How do I know? An e-mail I received from Nicholas Clarke, who tested it on Orion 1.5.2. Here's the message he received: Auto-deploying file:/usr/java/orion/wwwroot/antiaction/ (Assembly had been updated)... Error initializing site Alternative: Digest-Auth not supported Orion/1.5.2 initialized. I couldn't find anything on the Orion site indicating support for the different authentication types. Their documentation on web.xml seems to be a regurgitation of the DTD.
  • WebLogic: No. They've always had excellent documentation, making this a breeze to find.
  • WebSphere: No. How do I know? the 5.0 docs say so. BTW, I had to really dig to even find this documentation. Makes me glad I don't currently develop on WebSphere.
  • Sun ONE: No. Easy to find due to great documentation.
  • JRun: Who knows. I gave up searching for this documentation after 10 minutes. BTW, looking through JRun's technical whitepaper I found that "XDoclet has been tightly integrated into JRun 4." Very cool!

That seems like a waste of a good hour for a feature that no one ever uses. Oh well, at least you've been edumacated. Posted in Java at Feb 15 2003, 12:03:40 PM MST 2 Comments

Comments:

I actually downloaded JRun4 and have it running on my machine. I wanted to see how it is as I too saw it has Struts and XDoclet integration. I am thinking of using either JRun or JBoss for when we eventually outgrow Apache/Tomcat in our work projects.

Posted by dsuspense on February 15, 2003 at 07:52 PM MST #

Just FYI, HTTP Digest authentication is broken under Tomcat, at least since V4. Little evidence that it ever worked. Here are some URLs: http://issues.apache.org/bugzilla/show_bug.cgi?id=9852 http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg79674.html http://www.junlu.com/msg/116673.html You *can* use digests for passwords that are managed by Tomcat Realms. But that's digesting passwords in the tomcat-users.xml file, or in the database managed by a Tomcat realm. HTTP Digest is for encryption a password on the wire. John

Posted by John on May 10, 2005 at 12:24 PM MDT #

Post a Comment:
  • HTML Syntax: Allowed
Click me to subscribe
Matt Raible is a Web Architecture Consultant specializing in open source frameworks.
« May 2012
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today

Recent Entries

Tag Cloud

abbie appfuse denver flex grails gwt hibernate jack java jsf linkedin maven myfaces rails roller skiing softwaresummit spring springmvc struts2 tapestry travel vacation webframeworks wicket