[jdev] sasl help
jacwright at gmail.com
Tue Oct 23 09:55:43 CDT 2007
On 10/23/07, Dave Cridland <dave at cridland.net> wrote:
> On Tue Oct 23 08:25:59 2007, Jacob Wright wrote:
> > I'm working on the DIGEST-MD5 SASL authentication and feel like I'm
> > doing it
> > perfectly, but my server is telling me I've got an incorrect auth
> > for the
> > right username and password.
> Now you know one of the reasons that the IETF is deprecating it. :-/
Deprecating it! After all this work I've done!? ;) What is going to be the
preferred method in the future?
> var dataStr:String = bytes.readUTFBytes(bytes.bytesAvailable);
> Hmmm... DIGEST-MD5 isn't UTF-8, by default. (It's iso-8859-1, I
> think, due to HTTP-isms in it). This will probably work, though.
> > // transcode the string into an object
> > var data:Object = stringToObject(dataStr);
> What does this actually do?
This takes the comma-delim string and creates a hash object out of it.
> if (data.algorithm)
> > obj.algorithm = data.algorithm;
> It doesn't seem very likely that you want to be messing with
> algorithm. It's not present in RFC2831, after all, and has no effect
> unless you're doing something other than qop=auth.
> obj.nc = "00000001";
> > if (data.qop)
> > obj.qop = "auth";
> qop absent, or qop=auth, are the same thing. You don't need to be
> conditional on whether the remote end gives you a choice. (Unless
> you're trying to do auth-int).
Good to know.
> obj.cnonce = conn.generateId();
> This isn't secure enough, but it should still work, of course.
Again, good to know.
> var a1:String, a2:String;
> > a1 = MD5.hash(obj.username + ":" + obj.realm + ":" + password) +
> > ":" +
> > obj.nonce + ":" + obj.cnonce;
> Ooops - does MD5.hash() return a hex digest or a binary one? You want
> a binary digest here.
AH! That was it! You are the best! I've spent hours on this. Thank you for
your help, seriously.
> var resultStr:String = objectToString(obj);
> And again, what is this doing? Bear in mind that if it's some
> convenient built-in that produces output that's similar to
> DIGEST-MD5's syntax, this may not be quite right.
It is a convenience method. It takes the object I've been putting together
and creates a key="value",key2="value2" string out of it. Is that bad to
quote every value? I noticed in examples that several key-value pairs were
not quoted (e.g. charset, nc, etc.) but thought it didn't matter.
Hope this gives you some pointers, anyway. I'm pretty sure it'll be
> down to the distinction between H() and HEX(H()).
You were right. Thank you thank you again.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the JDev