tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Configuring DIGEST auth for manager
Date Mon, 06 Nov 2017 05:43:59 GMT

Philippe,

On 11/5/17 3:16 PM, Philippe Mouawad wrote:
> Hello, I am having issues making Digest auth work in Tomcat 8.5.23
> for manager application.

I'm curious... why bother with HTTP DIGEST authentication when TLS
is just so much better?

> I have done the following:
> 
> 1) Edit server.xml and have set MessageDigestCredentialHandler with
> SHA-256
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <!-- This Realm uses the UserDatabase configured in the global
>        JNDI resources under the key "UserDatabase".  Any edits that are
>        performed against this UserDatabase are immediately available for
>        use by the Realm.  -->
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="*UserDatabase*">
>     <CredentialHandler
>         className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>         algorithm="*SHA-256*" />
>   </Realm>
> </Realm>

Tomcat docs[1] say specifically what you need to do.

> 2) Generated password using: ./digest.sh -a *SHA-256* -h 
> org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s 0
> password1234

This is not correct (incorrect algorithm, incorrect input).

> I also tried : ./digest.sh -a SHA-256 -h 
> org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s 0
> tomcat:UserDatabase:password1234

This is not correct (incorrect algorithm).

> 3) Set the last part of password following "password1234:" in
> tomcat-users.xml
> <role rolename="manager-gui"/>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="tomcat"
>       password="b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3"
>       roles="manager-gui,admin,manager"/>
> 
> 4) Edit /webapps/manager/WEB-INF/web.xml
> 
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>UserDatabase</realm-name>
> </login-config>
> 
> I then try to login to http://localhost:8080/manager/html and enter
> admin and password1234 it fails.
> 
> There must be something I am missing.

Try this:

$ ./digest.sh -a MD5 \
  -h org.apache.catalina.realm.MessageDigestCredentialHandler \
  -i 1 -s 0 tomcat:UserDatabase:password1234

... and put the result of that into your tomcat-users.xml file.

> Sorry if I misread some documentation or if my question is stupid,
> these are the docs I have seen:
> - https://tomcat.apache.org/tomcat-8.5-doc/config/credentialhandler.html#MessageDigestCredentialHandler
> Note the start of this part is not that
> clear for me. I think my format is
> *salt$iterationCount$encodedCredential* - a hex encoded salt,
> iteration code and a hex encoded credential, each separated by $
> 
> I have also tried solutions described here without success:
> - http://www.techpaste.com/2013/05/enable-password-encryption-policy-tomcat-7/
> - https://stackoverflow.com/questions/39967289/how-to-use-digest-authentication-in-tomcat-8-5
> - https://stackoverflow.com/questions/2978884/tomcat-digest-with-manager-webapp

HTTP DIGEST simply requires the use of MD5 and prohibits the use of
any password-strengthening strategies.

You are better off using TLS + HTTP BASIC in almost every case.

-chris
