Subject: Re: Configuring DIGEST auth for manager
To: users@tomcat.apache.org
From: Christopher Schultz
Message-ID: <2339f4d3-91fd-3be2-dd18-26e0f626278b@christopherschultz.net>
Date: Mon, 6 Nov 2017 00:43:59 -0500

Philippe,

On 11/5/17 3:16 PM, Philippe Mouawad wrote:
> Hello, I am having issues making Digest auth work in Tomcat 8.5.23
> for manager application.

I'm curious... why bother with HTTP DIGEST authentication when TLS is
just so much better?

> I have done the following:
>
> 1) Edit server.xml and have set MessageDigestCredentialHandler with
> SHA-256
>
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>        resourceName="UserDatabase">
>   <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                      algorithm="SHA-256" />
> </Realm>

Tomcat docs[1] say specifically what you need to do.

> 2) Generated password using:
> ./digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s 0 password1234

This is not correct (incorrect algorithm, incorrect input).

> I also tried:
> ./digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s 0 tomcat:UserDatabase:password1234

This is not correct (incorrect algorithm).
> 3) Set the last part of password following "password1234:" in
> tomcat-users.xml
>
> <role rolename="admin"/>
> <user username="tomcat"
>       password="b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3"
>       roles="manager-gui,admin,manager"/>
>
> 4) Edit /webapps/manager/WEB-INF/web.xml
>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>UserDatabase</realm-name>
> </login-config>
>
> I then try to login to http://localhost:8080/manager/html and enter
> admin and password1234; it fails.
>
> There must be something I am missing.

Try this:

$ ./digest.sh -a MD5 -h org.apache.catalina.realm.MessageDigestCredentialHandler \
    -i 1 -s 0 tomcat:UserDatabase:password1234

... and put the result of that into your tomcat-users.xml file.

> Sorry if I misread some documentation or if my question is stupid,
> these are the docs I have seen:
> - https://tomcat.apache.org/tomcat-8.5-doc/config/credentialhandler.html#MessageDigestCredentialHandler
>
> Note the start of this part is not that clear for me. I think my
> format is salt$iterationCount$encodedCredential - a hex encoded salt,
> iteration code and a hex encoded credential, each separated by $
>
> I have also tried solutions described here without success:
> - http://www.techpaste.com/2013/05/enable-password-encryption-policy-tomcat-7/
> - https://stackoverflow.com/questions/39967289/how-to-use-digest-authentication-in-tomcat-8-5
> - https://stackoverflow.com/questions/2978884/tomcat-digest-with-manager-webapp

HTTP DIGEST simply requires the use of MD5 and prohibits the use of any
password-strengthening strategies. You are better off using TLS + HTTP
BASIC in almost every case.
-chris
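To make concrete why Chris insists on MD5 over `username:realm:password`, here is an added Python sketch (not from the thread, and not Tomcat's code) of the RFC 2617 arithmetic both sides perform with qop=auth. The server verifies the client's response from the stored HA1 alone, so a value produced with SHA-256, or from the bare password, can never match, and no salt or iteration count can be layered on top. Function names and the nonce/cnonce values are constructed.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string, the only digest RFC 2617 DIGEST allows."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_credential(username: str, realm: str, password: str) -> str:
    """HA1: what `digest.sh -a MD5 ... -i 1 -s 0 username:realm:password` writes into
    tomcat-users.xml. The realm is the <realm-name> from web.xml, not the Realm class."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response=' value a browser puts in its Authorization header (qop=auth)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 only, as the DigestAuthenticator does,
    so the stored value must already be the MD5 HA1 in plain lowercase hex."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed sample values (nonce/cnonce are arbitrary hex, not captured traffic).
SAMPLE = dict(method="GET", uri="/manager/html",
              nonce="8e6a4f3b2c1d", nc="00000001", cnonce="0a1b2c3d")


def demo(username="tomcat", realm="UserDatabase", password="password1234"):
    """Check the three stored-credential formats from the thread against a valid response."""
    resp = client_response(username, realm, password, **SAMPLE)
    plain = f"{username}:{realm}:{password}".encode("utf-8")
    candidates = {
        # what Chris recommends: MD5 over username:realm:password
        "md5(user:realm:pass)": stored_credential(username, realm, password),
        # attempt 1 in the thread: SHA-256 over the bare password
        "sha256(pass)": hashlib.sha256(password.encode("utf-8")).hexdigest(),
        # attempt 2 in the thread: SHA-256 over username:realm:password
        "sha256(user:realm:pass)": hashlib.sha256(plain).hexdigest(),
    }
    return {name: server_verify(stored, response=resp, **SAMPLE)
            for name, stored in candidates.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} -> {'login OK' if ok else 'login fails'}")
```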