Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
MIME-Version: 1.0
In-Reply-To: <CAH9fUpZs-eq7yLPadRWMJ-h2cPG1ATcTqS0A+SW+qG+60YhP5w@mail.gmail.com>
References: <CAH9fUpbAvUkvCRzZXys-TH_OwM1ikNU-p1pxBQgSFwf6stKBUA@mail.gmail.com>
 <CAH9fUpbxUwE8Jo7GJY-yqAeoxqn4GTGo+Qc3AG9kwtJNyWU8Hw@mail.gmail.com>
 <CAH9fUpZ89bCpB6rpo0z+0rWX9UQmdG6QVGARAXS38Cae1jzFOA@mail.gmail.com>
 <e436f3a9-ce95-3693-3790-25db688e67ec@apache.org> <CAH9fUpZs-eq7yLPadRWMJ-h2cPG1ATcTqS0A+SW+qG+60YhP5w@mail.gmail.com>
From: "Robert J. Carr" <rjcarr@gmail.com>
Date: Fri, 8 Dec 2017 08:40:48 -0800
Message-ID: <CAG_Fk_-wdFqUYWUc6GjruJcEykoJB-e8cvzZJrm2Nks_RfFPEA@mail.gmail.com>
Subject: Re: Configuring DIGEST auth for manager
To: Tomcat Users List <users@tomcat.apache.org>
Content-Type: multipart/alternative; boundary="001a1149af6234606e055fd6db2b"
archived-at: Fri, 08 Dec 2017 16:41:35 -0000

--001a1149af6234606e055fd6db2b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Philippe-

I'm new to the list, and didn't see the previous response either, but I
just did this recently do a similar config so I might have some guidance.

Where you have algorithm=3D"*SHA-256*", for digest.sh too, you shouldn't ne=
ed
the asterisks.  Why are you using those?

> Set the last part of password following "password1234:" in

This should also include the iterations.  It should be something like:

$1$b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3

Good luck!

Robert

On Fri, Dec 8, 2017 at 12:59 AM, Philippe Mouawad <
p.mouawad@ubik-ingenierie.com> wrote:
>
> Hi Mark,
> Sorry but I didn't receive the reply otherwise I wouldn't be asking again=
.
> I'll see the archives then.
>
> Thanks
> Regards
>
> On Fri, Dec 8, 2017 at 9:20 AM, Mark Thomas <markt@apache.org> wrote:
>
> > On 07/12/17 21:24, Philippe Mouawad wrote:
> > > Hello,
> > > Last ping hoping to get some help.
> >
> > If you aren't going to read the replies Chris has already given you to
> > your original question and your subsequent ping there isn't much more w=
e
> > can do to help you.
> >
> > Mark
> >
> >
> > >
> > > Thanks
> > >
> > > On Wed, Nov 8, 2017 at 10:19 PM, Philippe Mouawad <
> > > p.mouawad@ubik-ingenierie.com> wrote:
> > >
> > >> Hello,
> > >> Any feedback on this ?
> > >> Thanks
> > >>
> > >> On Sun, Nov 5, 2017 at 9:16 PM, Philippe Mouawad <
> > >> p.mouawad@ubik-ingenierie.com> wrote:
> > >>
> > >>> Hello,
> > >>> I am having issues making Digest auth work in Tomcat 8.5.23 for
manager
> > >>> application.
> > >>>
> > >>> I have done the following:
> > >>>
> > >>> 1) Edit server.xml and have set MessageDigestCredentialHandler with
> > >>> SHA-256
> > >>>       <Realm className=3D"org.apache.catalina.realm.LockOutRealm">
> > >>>         <!-- This Realm uses the UserDatabase configured in the
global
> > >>> JNDI
> > >>>              resources under the key "UserDatabase".  Any edits
> > >>>              that are performed against this UserDatabase are
> > immediately
> > >>>              available for use by the Realm.  -->
> > >>>         <Realm
className=3D"org.apache.catalina.realm.UserDatabaseRealm"
> > >>> resourceName=3D"*UserDatabase*">
> > >>>               <CredentialHandler className=3D"org.apache.catalina
> > >>> .realm.MessageDigestCredentialHandler" algorithm=3D"*SHA-256*" />
> > >>>         </Realm>
> > >>>       </Realm>
> > >>>
> > >>> 2) Generated password using:
> > >>> ./digest.sh -a *SHA-256* -h org.apache.catalina.realm.
> > MessageDigestCredentialHandler
> > >>> -i 1 -s 0 password1234
> > >>>
> > >>> I also tried :
> > >>> ./digest.sh -a SHA-256 -h org.apache.catalina.realm.
> > MessageDigestCredentialHandler
> > >>> -i 1 -s 0 tomcat:UserDatabase:password1234
> > >>>
> > >>> 3) Set the last part of password following "password1234:" in
> > >>> tomcat-users.xml
> > >>> <role rolename=3D"manager-gui"/>
> > >>> <role rolename=3D"admin"/>
> > >>> <role rolename=3D"manager"/>
> > >>>     <user username=3D"tomcat" password=3D"b9c950640e1b3740e98a
> > >>> cb93e669c65766f6670dd1609ba91ff41052ba48c6f3"
> > >>> roles=3D"manager-gui,admin,manager"/>
> > >>>
> > >>> 4) Edit /webapps/manager/WEB-INF/web.xml
> > >>>
> > >>> <login-config>
> > >>>     <auth-method>DIGEST</auth-method>
> > >>>     <realm-name>UserDatabase</realm-name>
> > >>>   </login-config>
> > >>>
> > >>> I then try to login to http://localhost:8080/manager/html and enter
> > >>> admin and password1234
> > >>> it fails.
> > >>>
> > >>> There must be something I am missing.
> > >>>
> > >>> Sorry if I misread some documentation or if my question is stupid,
> > these
> > >>> are the docs I have seen:
> > >>> - https://tomcat.apache.org/tomcat-8.5-doc/config/credentialha
> > >>> ndler.html#MessageDigestCredentialHandler Note the start of this
part
> > is
> > >>> not that clear for me. I think my format is
> > >>> *salt$iterationCount$encodedCredential* - a hex encoded salt,
> > iteration
> > >>> code and a hex encoded credential, each separated by $
> > >>>
> > >>> I have also tried solutions described here without success:
> > >>> - http://www.techpaste.com/2013/05/enable-password-encryption-
> > >>> policy-tomcat-7/
> > >>> - https://stackoverflow.com/questions/39967289/how-to-use-dige
> > >>> st-authentication-in-tomcat-8-5
> > >>> - https://stackoverflow.com/questions/2978884/tomcat-digest-wi
> > >>> th-manager-webapp
> > >>>
> > >>> Regards
> > >>> Philippe
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Cordialement.
> > >> Philippe Mouawad.
> > >> Ubik-Ing=C3=A9nierie
> > >>
> > >> UBIK LOAD PACK Web Site <http://www.ubikloadpack.com/>
> > >>
> > >> UBIK LOAD PACK on TWITTER <https://twitter.com/ubikloadpack>
> > >>
> > >>
> > >
> > >
> >
> >
>
>
> --
> Cordialement.
> Philippe Mouawad.
> Ubik-Ing=C3=A9nierie
>
> UBIK LOAD PACK Web Site <http://www.ubikloadpack.com/>
>
> UBIK LOAD PACK on TWITTER <https://twitter.com/ubikloadpack>

--001a1149af6234606e055fd6db2b--