On Dec 11, 2008, at 10:20 AM, Gili wrote:
>
> Yay! Six hours later I finally managed to get digest authentication working
> in Glassfish :) Clearly, this is problematic.
>
I agree, this could be a lot easier.
> It took me four hours to get http-basic authentication up in Glassfish v2
> (due to a stupid typo in my configuration file!). It then took me an
> additional two hours to figure out how to move to http-digest (which only
> works in Glassfish v3 by the way!). The Glassfish v3 custom realm API is not
> backwards compatible with the v2 version, at least not the digest one.
>
I think some candid and constructive feedback for the Glassfish alias
would be very useful.
> Right now I've got a web browser talking to my authenticated resources.
> Tomorrow I plan on trying to get jersey-client to talk to those same
> resources. Do you have any pointers for me?
>
We are attempting to address this by the inclusion of the Client API
utilizing the Apache HTTP client. We have it in the code base but we
are not building it because we need to fix some issues first. It
works, but there are some concurrency issues.
You can do this:
http://blog.taragana.com/index.php/archive/java-tip-basic-authentication-with-httpurlconnection/
but it is a static configuration and I am not sure if it supports
basic and digest or just the former.
The Wikipedia articles on basic and digest are a useful read:
http://en.wikipedia.org/wiki/Basic_access_authentication
http://en.wikipedia.org/wiki/Digest_access_authentication
Digest authentication is intended to supersede unencrypted use of
the Basic access authentication, allowing user identity to be
established securely without having to send a password in plaintext
over the network. Digest authentication is basically an application
of MD5 cryptographic hashing with usage of nonce values to prevent
cryptanalysis.
Paul.
> Thanks,
> Gili
>
>
> Gili wrote:
>>
>> Hi,
>>
>> Is it possible to an authentication mechanism for my server-side and
>> client-side components. It's my understanding that HTTP-digest is "good
>> enough" for plain-text authentication and HTTP-basic is good enough over
>> an encrypted wire. Is that correct?
>>
>> Is it possible to provide HTTP-digest authentication without necessarily
>> having to conform to the database schema required by Glassfish's
>> JDBCRealm? Ideally I'd want to implement some interface and read data out
>> of my existing tables (that have a different schema than what they
>> require). I tried defining a custom realm but ran into problems:
>> http://forums.java.net/jive/thread.jspa?threadID=54693&tstart=0
>>
>> I am also concerned about setting up authentication on the client-end. Is
>> there a solid tutorial for getting authentication up and running using
>> Jersey on both ends?
>>
>> Thank you,
>> Gili
>>
>
> --
> View this message in context: http://n2.nabble.com/How-to-implement-custom-authentication--tp1641761p1642483.html
> Sent from the Jersey mailing list archive at Nabble.com.
>
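
The digest scheme described in the reply above, as an added Java example (not code from this thread, Jersey or Glassfish; class and method names are hypothetical). It computes the RFC 2617 `qop=auth` response from a stored HA1 value, using the sample values from the worked example in RFC 2617 section 3.5, which shows what a custom realm has to be able to read from an existing table: the plaintext password or MD5(user:realm:password).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseExample {

    /** Lowercase hex MD5, the H() function of RFC 2617. Charset is an assumption. */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** HA1 is password-equivalent: a realm can store it instead of the password,
     *  but a salted or otherwise differently hashed password column cannot produce it. */
    static String ha1(String user, String realm, String password) {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    /** Response for qop=auth; the server recomputes this and compares. */
    static String response(String ha1, String method, String uri,
                           String nonce, String nc, String cnonce) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) {
        // Values from the RFC 2617 section 3.5 example.
        String stored = ha1("Mufasa", "testrealm@host.com", "Circle Of Life");
        String fromClient = "6629fae49393a05397450978507c4ef1";
        String expected = response(stored, "GET", "/dir/index.html",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b");
        boolean ok = MessageDigest.isEqual(                  // constant-time compare
                expected.getBytes(StandardCharsets.ISO_8859_1),
                fromClient.getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("server accepts response: " + ok);
        // Constructed nonce: a captured response does not verify against a fresh challenge.
        String fresh = response(stored, "GET", "/dir/index.html",
                "0123456789abcdef0123456789abcdef", "00000001", "0a4f113b");
        System.out.println("captured response valid for fresh nonce: " + fresh.equals(fromClient));
    }
}
```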