Return-Path: 
 <dev-return-124227-apmail-tomcat-dev-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-dev-archive@www.apache.org
Delivered-To: apmail-tomcat-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id BC85A96DC
	for <apmail-tomcat-dev-archive@www.apache.org>;
 Mon, 30 Jan 2012 09:50:51 +0000 (UTC)
Received: (qmail 54317 invoked by uid 500); 30 Jan 2012 09:50:49 -0000
Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org
Received: (qmail 53629 invoked by uid 500); 30 Jan 2012 09:50:33 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@tomcat.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@tomcat.apache.org>
List-Post: <mailto:dev@tomcat.apache.org>
List-Id: <dev.tomcat.apache.org>
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 53620 invoked by uid 99); 30 Jan 2012 09:50:28 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jan 2012 09:50:28 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.115] (HELO eir.zones.apache.org) (140.211.11.115)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jan 2012 09:50:25 +0000
Received: by eir.zones.apache.org (Postfix, from userid 80)
	id 5B1AE4FFEB; Mon, 30 Jan 2012 09:50:05 +0000 (UTC)
From: bugzilla@apache.org
To: dev@tomcat.apache.org
Subject: DO NOT REPLY [Bug 52557] New: DIGEST AUTH is broken
Date: Mon, 30 Jan 2012 09:50:01 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Tomcat 6
X-Bugzilla-Component: Catalina
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: regression
X-Bugzilla-Who: savar@schuldeigen.de
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: dev@tomcat.apache.org
X-Bugzilla-Target-Milestone: default
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-52557-78@https.issues.apache.org/bugzilla/>
X-Bugzilla-URL: https://issues.apache.org/bugzilla/
Auto-Submitted: auto-generated
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0

https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

             Bug #: 52557
           Summary: DIGEST AUTH is broken
           Product: Tomcat 6
           Version: 6.0.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: savar@schuldeigen.de
    Classification: Unclassified


Hi,

we have some weird issues since we tried to switch from tomcat 6.0.32 to
6.0.35.
We're using authentication with DIGEST and we saw a big rewrite in 6.0.33 and
the
rewrite was necessary (like said in the changelog) because of the DIGEST didn't
really worked.

When we're trying to enable 6.0.35 there are some clients haven't any problem
and
some clients have periodical issues (20 to 80% fails, depending on client or
location, so locally accessed or via the network). "curl" is one of them and so
maybe most
of the clients using libcurl or whatever.

Because of the fact that as quicker the requests will be send (while loop) the
more errors
occur so maybe a time issue (timestamp in the nonce maybe?).


System in use:

  production systems:
    Server side:
     - JAVA:
        java -version
        java version "1.6.0_24"
        Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
        Java HotSpot(TM) Server VM (build 19.1-b02, mixed mode)
     - Kernel:
        2.6.35 (self compiled)

    Client side (for curl tests):
     - same like on server (test worked also on server side with using
localhost)

  local system for testing with vanilla stuff:
     - JAVA:
        java -version
        java version "1.6.0_26"
        Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
        Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
     - Kernel:
        3.1.0-1-amd64 (Debian Testing)



What we see:

  curl to an DIGEST authentication secured page gives normal 401 response with
  WWW-Authenticate in it and the second request gives a 200 OK. But the
directly
  next request fails with a 401 also on the second response.

How to reproduce:

  Download the tomcat 6.0.35 package from
 
http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.35/src/apache-tomcat-6.0.35-src.tar.gz
  and extract it to somewhere.
  Use the patches below to enable DIGEST for the
http://localhost:8080/manager/html site
  and execute multiple times (in a while loop maybe with a sleep of 0.2):

  curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null

  When i test it with:

  while :; do echo "ccccc"; curl localhost:8080/manager/html -v --digest -u
test:test 2>&1 > /dev/null  |egrep "(HTTP|Auth)"| grep 200; sleep 1; done

  there are no errors but with

  while :; do echo "ccccc"; curl localhost:8080/manager/html -v --digest -u
test:test 2>&1 > /dev/null  |egrep "(HTTP|Auth)"| grep 200; sleep 0.5; done

  there are sometimes errors and with a sleep of 0.1 there are many many
errors.

################################ PATCHES ##################################

=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u conf/server.xml
output/build/conf/server.xml
--- conf/server.xml     2011-11-28 11:22:44.000000000 +0100
+++ output/build/conf/server.xml        2012-01-26 14:05:25.000000000 +0100
@@ -120,7 +120,8 @@
            that are performed against this UserDatabase are immediately
            available for use by the Realm.  -->
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
+             resourceName="UserDatabase"
+             digest="MD5" />

       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.
=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u
conf/tomcat-users.xml output/build/conf/tomcat-users.xml
--- conf/tomcat-users.xml       2011-11-28 11:22:44.000000000 +0100
+++ output/build/conf/tomcat-users.xml  2012-01-26 14:06:12.000000000 +0100
@@ -26,6 +26,8 @@
   and thus are ignored when reading this file. Do not forget to remove
   <!.. ..> that surrounds them.
 -->
+  <role rolename="manager"/>
+  <user username="test" password="8d6db5856fdcd4d166914bfda9ffda86"
roles="manager"/>
 <!--
   <role rolename="tomcat"/>
   <role rolename="role1"/>
=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u
webapps/manager/WEB-INF/web.xml output/build/webapps/manager/WEB-INF/web.xml
--- webapps/manager/WEB-INF/web.xml     2011-11-28 11:22:46.000000000 +0100
+++ output/build/webapps/manager/WEB-INF/web.xml        2012-01-26
14:06:01.000000000 +0100
@@ -248,8 +248,8 @@

   <!-- Define the Login Configuration for this Application -->
   <login-config>
-    <auth-method>BASIC</auth-method>
-    <realm-name>Tomcat Manager Application</realm-name>
+    <auth-method>DIGEST</auth-method>
+    <realm-name>Tomcat Manager Application TEST</realm-name>
   </login-config>

   <!-- Security roles referenced by this web application -->
@@ -284,6 +284,7 @@
     <role-name>manager</role-name>
   </security-role>

+<!--
   <error-page>
     <error-code>401</error-code>
     <location>/401.jsp</location>
@@ -292,5 +293,5 @@
     <error-code>403</error-code>
     <location>/403.jsp</location>
   </error-page>
-
+-->
 </web-app>
=============================================

################################ HOW THE PASSWORD STUFF WAS GENERATED
##################################

$ ./bin/digest.sh -a MD5 "test:Tomcat Manager Application TEST:test"
test:Tomcat Manager Application TEST:test:8d6db5856fdcd4d166914bfda9ffda86


################################ EXAMPLE OUTPUT
##################################

############# First run ###########
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ curl
localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...   % Total    % Received % Xferd  Average Speed   Time    Time
    Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0connected
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* additional stuff not fine transfer.c:1036: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth",
nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c",
opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:10:59 GMT
<
* Ignoring the response-body
{ [data not shown]
100   954  100   954    0     0   310k      0 --:--:-- --:--:-- --:--:--  465k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:8080/manager/html'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> Authorization: Digest username="test", realm="Tomcat Manager Application TEST", nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c", uri="/manager/html", cnonce="Mjc3NDU2", nc=00000001, qop="auth", response="eb67cc859946b8c5ad37222be0cd8ab4", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* additional stuff not fine transfer.c:1036: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< Set-Cookie: JSESSIONID=F04781AE79D6D5F4B8F4C989E1B53F74; Path=/manager;
HttpOnly
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Date: Thu, 26 Jan 2012 13:10:59 GMT
<
{ [data not shown]
1661   954  1661 15851    0     0  1802k      0 --:--:-- --:--:-- --:--:--
1802k
* Connection #0 to host localhost left intact
* Closing connection #0





############# Second run directly after the first one ##########
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ curl
localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...   % Total    % Received % Xferd  Average Speed   Time    Time
    Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0connected
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth",
nonce="1327583498775:abca97e062fa1078996f30ecd5702b4b",
opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:11:38 GMT
<
* Ignoring the response-body
{ [data not shown]
100   954  100   954    0     0   416k      0 --:--:-- --:--:-- --:--:--  931k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:8080/manager/html'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> Authorization: Digest username="test", realm="Tomcat Manager Application TEST", nonce="1327583498775:abca97e062fa1078996f30ecd5702b4b", uri="/manager/html", cnonce="Mjc3NDk1", nc=00000001, qop="auth", response="62e4ddfadda157b2f4460431ebaa4e20", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth",
nonce="1327583498776:6eccf77a482bee58433632f82e8ba695",
opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:11:38 GMT
<
{ [data not shown]
100   954  100   954    0     0   267k      0 --:--:-- --:--:-- --:--:--  267k
* Connection #0 to host localhost left intact
* Closing connection #0

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org