
Tomcat 6.0.26: Manager with DIGEST authentication

 
Brian Pendell
Greenhorn
Posts: 9
For my own growth, I am attempting a very simple exercise: To implement digest authentication for tomcat's manager app, the better to apply the lessons to production code.

So I have modified the server set up as follows:

server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="md5" />
I then modify manager's web.xml as follows:

<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>TESTING</realm-name>
<!-- <realm-name>Tomcat Manager Application</realm-name> -->
</login-config>

Next, I generate an MD5 password of the following form:

C:\apache-tomcat-6.0.26\bin>digest -a MD5 pendell:TESTING:password
pendell:TESTING:password:3e62d753e47e1278a74c0d7565dbb254

and plug it into tomcat-users.xml as follows:

<role rolename="manager"/>
<user username="pendell" password="3e62d753e47e1278a74c0d7565dbb254" roles="manager"/>

This doesn't work. I get an error 401 -- invalid access -- when I attempt to log onto the page.

I must be doing something wrong, but internet research has failed to turn up the answer.

Again, I am using apache 6.0.26. Is this a known issue? Does the problem go away in version 7?

Respectfully,

Brian P.
 
Tim Moores
Bartender
Posts: 2743
Does the browser support DIGEST authentication? Is it sending a DIGEST authentication header with the correct password hash?

Something like the Firefox extension LiveHTTPHeaders can help you with debugging that.
 
Brian Pendell
Greenhorn
Posts: 9
Tim Moores wrote: Does the browser support DIGEST authentication? Is it sending a DIGEST authentication header with the correct password hash?

Something like the Firefox extension LiveHTTPHeaders can help you with debugging that.


I'll find out. I'm using IE 8.0.6001.18702 and Firefox 3.6.23. I can't imagine them *not* supporting DIGEST authentication but I suppose it's not impossible.

Respectfully,

Brian P.
 
Brian Pendell
Greenhorn
Posts: 9
Okay, that was part of the answer. But we're not out of the woods yet.

Live Headers showed the following:

Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Basic realm="Tomcat Manager Application"

To which I replied: "But I changed the name of the realm..."

Well, a bit of industrious grepping revealed that this is also referenced in manager's 401.jsp file thus:

response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");

So I could modify the server.xml and web.xml file forever and it would do no good. I had to correct that as well.

I did so, changing 401.jsp to

response.setHeader("WWW-Authenticate", "DIGEST realm=\"TESTING\"");


This resulted in the following header going across:

Authorization: Digest username="pendell", realm="TESTING", nonce="", uri="/manager/html", response="6a453b0f0dbc4f0351b225e0e2aa4add"

So we are now doing DIGEST authorization, but the hash response sent is not the hash stored in the file.

Deciding to be tricky, I grabbed the "response" above and pasted it directly into tomcat-users as follows:

<user username="pendell" password="6a453b0f0dbc4f0351b225e0e2aa4add" roles="manager"/>

On the assumption that if the response matched the hash in the password table, I would be able to get through. But that didn't work either -- still getting denied access.

Respectfully,

Brian P.
 
Tim Moores
Bartender
Posts: 2743
The hash the browser sends isn't just of the password: http://en.wikipedia.org/wiki/Digest_access_authentication
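An added example (not code from the thread and not Tomcat's own realm code) that works through what the linked article describes: the value written into tomcat-users.xml is only HA1, MD5("user:realm:password"), and the browser's `response` is MD5 of HA1, the server's nonce and a hash of the method and URI. The username, realm, password and URI are the ones used above; the nonce is constructed for the example, and `server_verify` is a minimal model of a Digest-checking realm, not Tomcat's implementation. It shows why pasting the captured `response` into tomcat-users.xml as the password cannot match (the realm treats the stored value as HA1 and hashes it again with the nonce), and how a verifier that only accepts nonces it issued rejects the `nonce=""` seen in the captured header.

```python
"""Digest-auth arithmetic behind tomcat-users.xml (added example, not Tomcat code)."""
import hashlib
import re
import secrets

# Values taken from the thread above; the nonce is constructed for this example.
USERNAME, REALM, PASSWORD = "pendell", "TESTING", "password"
METHOD, URI = "GET", "/manager/html"
ISSUED_NONCE = "constructed-nonce-0001"


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What `digest -a MD5 user:realm:password` writes into tomcat-users.xml."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5hex(f"{method}:{uri}")


def digest_response(stored_ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    return md5hex(f"{stored_ha1}:{nonce}:{ha2(method, uri)}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def client_header(username, realm, password, nonce, method, uri) -> str:
    """What a browser sends back after a Digest challenge carrying `nonce`."""
    resp = digest_response(ha1(username, realm, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def server_verify(header: str, stored_ha1: str, method: str, issued_nonces) -> bool:
    """Model realm check: nonce must be one the server issued, then recompute."""
    p = parse_authorization(header)
    if p.get("nonce") not in issued_nonces:
        return False  # empty or foreign nonce: nothing to recompute against
    expected = digest_response(stored_ha1, p["nonce"], method, p["uri"])
    return secrets.compare_digest(expected, p.get("response", ""))


def demo() -> dict:
    stored = ha1(USERNAME, REALM, PASSWORD)  # the value kept in tomcat-users.xml
    good = client_header(USERNAME, REALM, PASSWORD, ISSUED_NONCE, METHOD, URI)
    resp = parse_authorization(good)["response"]
    return {
        # proper challenge/response round trip: HA1 stored, nonce issued by the server
        "normal_login": server_verify(good, stored, METHOD, {ISSUED_NONCE}),
        # pasting the response in as the password: the realm hashes it again, so it fails
        "response_as_password": server_verify(good, resp, METHOD, {ISSUED_NONCE}),
        # a header built against an empty nonce, like the one captured in the thread
        "empty_nonce": server_verify(
            client_header(USERNAME, REALM, PASSWORD, "", METHOD, URI),
            stored, METHOD, {ISSUED_NONCE}),
    }


if __name__ == "__main__":
    print(ha1(USERNAME, REALM, PASSWORD))  # compare with the digest tool's output above
    print(demo())
```

Running it prints the HA1 for pendell:TESTING:password, which should match what the `digest` tool produced above, followed by the three checks: only the proper round trip succeeds.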
 
Brian Pendell
Greenhorn
Posts: 9
Got it to work. First, I restored the password in tomcat-users.xml back to its original state.

Next, I went into manager's web.xml file and commented out the error page entry thus:

<!-- <error-page>
<error-code>401</error-code>
<location>/401.jsp</location>
</error-page> -->

And now it works! Somehow the .JSP which processes error 401 was changing the response in some way such that the authentication wouldn't work. It was obvious what the problem was when it was forcing the system to use Basic authentication, but I don't understand why it would continue to fail when I had modified the 401.jsp to use digest authentication.

Respectfully,

Brian P.
 