JavaRanch » Java Forums » Products » Tomcat
Tomcat 6.0.26: Manager with DIGEST authentication

Brian Pendell
Greenhorn

Joined: Oct 07, 2011
Posts: 9
For my own growth, I am attempting a very simple exercise: To implement digest authentication for tomcat's manager app, the better to apply the lessons to production code.

So I have modified the server set up as follows:

server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="md5" />


I then modify manager's web.xml as follows:

<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>TESTING</realm-name>
<!-- <realm-name>Tomcat Manager Application</realm-name> -->
</login-config>

Next, I generate an MD5 password of the following form:

C:\apache-tomcat-6.0.26\bin>digest -a MD5 pendell:TESTING:password
pendell:TESTING:password:3e62d753e47e1278a74c0d7565dbb254

and plug it into tomcat-users.xml as follows:

<role rolename="manager"/>
<user username="pendell" password="3e62d753e47e1278a74c0d7565dbb254" roles="manager"/>

This doesn't work. I get an error 401 -- invalid access -- when I attempt to log onto the page.

I must be doing something wrong, but internet research has failed to turn up the answer.

Again, I am using apache 6.0.26. Is this a known issue? Does the problem go away in version 7?

Respectfully,

Brian P.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Does the browser support DIGEST authentication? Is it sending a DIGEST authentication header with the correct password hash?

Something like the Firefox extension LiveHTTPHeaders can help you with debugging that.
Brian Pendell
Greenhorn

Joined: Oct 07, 2011
Posts: 9
Tim Moores wrote: Does the browser support DIGEST authentication? Is it sending a DIGEST authentication header with the correct password hash?

Something like the Firefox extension LiveHTTPHeaders can help you with debugging that.


I'll find out. I'm using IE 8.0.6001.18702 and Firefox 3.6.23. I can't imagine them *not* supporting DIGEST authentication but I suppose it's not impossible.

Respectfully,

Brian P.
Brian Pendell
Greenhorn

Joined: Oct 07, 2011
Posts: 9
Okay, that was part of the answer. But we're not out of the woods yet.

Live Headers showed the following:


Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Basic realm="Tomcat Manager Application"


To which I replied: "But I changed the name of the realm..."

Well, a bit of industrious grepping revealed that this is also referenced in the manager's 401.jsp file thus:


response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");


So I could modify the server.xml and web.xml files forever and it would do no good. I had to correct that as well.

I did so, changing 401.jsp to

response.setHeader("WWW-Authenticate", "DIGEST realm=\"TESTING\"");


This resulted in the following header going across:


Authorization: Digest username="pendell", realm="TESTING", nonce="", uri="/manager/html", response="6a453b0f0dbc4f0351b225e0e2aa4add"


So we are now doing DIGEST authorization, but the hash response sent is not the hash stored in the file.

Deciding to be tricky, I grabbed the "response" above and pasted it directly into tomcat-users as follows:

<user username="pendell" password="6a453b0f0dbc4f0351b225e0e2aa4add" roles="manager"/>

On the assumption that if the response matched the hash in the password table, I would be able to get through. But that didn't work either -- still getting denied access.

Respectfully,

Brian P.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
The hash the browser sends isn't just of the password: http://en.wikipedia.org/wiki/Digest_access_authentication
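To make Tim's point concrete, here is an added Python example (not from the thread and not Tomcat's own code) that works through the computation: the server stores HA1 = MD5(username:realm:password), which is what `digest -a MD5 pendell:TESTING:password` printed, and the browser's response is MD5(HA1:nonce:MD5(method:uri)) in the qop-less form seen in the captured header. The nonce values are constructed; username, realm, password and URI are the thread's.

```python
import hashlib
import hmac
import re

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # What the digest tool prints and what tomcat-users.xml stores for a DIGEST realm.
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1_value: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2069-style response (no qop), the shape of the header captured in the thread:
    # response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{ha2}")

def parse_authorization(header: str) -> dict:
    # Pull the quoted key="value" pairs out of an "Authorization: Digest ..." value.
    body = header.split("Digest", 1)[1]
    return dict(re.findall(r'(\w+)="([^"]*)"', body))

def client_header(username, realm, password, method, uri, nonce) -> str:
    # What a browser sends back for the server's challenge nonce.
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def server_verify(stored_ha1: str, header: str, method: str) -> bool:
    # The realm recomputes the response from the stored HA1 and compares.
    p = parse_authorization(header)
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])

# Constructed nonce; the thread reports HA1 as 3e62d753e47e1278a74c0d7565dbb254.
NONCE_1 = "constructed-nonce-1"
STORED_HA1 = ha1("pendell", "TESTING", "password")

def demo() -> dict:
    good = client_header("pendell", "TESTING", "password", "GET", "/manager/html", NONCE_1)
    captured = parse_authorization(good)["response"]
    # Pasting a captured response into tomcat-users.xml fails: the server treats the
    # stored string as HA1, and the response also changes with every nonce.
    pasted = server_verify(captured, good, "GET")
    other = client_header("pendell", "TESTING", "password", "GET", "/manager/html", "nonce-2")
    return {
        "stored_ha1_verifies": server_verify(STORED_HA1, good, "GET"),
        "pasted_response_verifies": pasted,
        "response_changes_with_nonce": parse_authorization(other)["response"] != captured,
    }
```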
Brian Pendell
Greenhorn

Joined: Oct 07, 2011
Posts: 9
Got it to work. First, I restored the password in tomcat-users.xml back to its original state.

Next, I went into manager's web.xml file and commented out the error page entry thus:

<!-- <error-page>
<error-code>401</error-code>
<location>/401.jsp</location>
</error-page> -->


And now it works! Somehow the .JSP which processes error 401 was changing the response in some way such that the authentication wouldn't work. It was obvious what the problem was when it was forcing the system to use Basic authentication, but I don't understand why it would continue to fail when I had modified the 401.jsp to use digest authentication.

Respectfully,

Brian P.