Tomcat digest authentication



pendell
2011-10-07, 10:44 AM
For my own growth, I am attempting a very simple exercise: To implement digest authentication for tomcat's manager app, the better to apply the lessons to production code.

So I have modified the server setup as follows:

server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="md5" />


I then modify manager's web.xml as follows:

<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>TESTING</realm-name>
<!-- <realm-name>Tomcat Manager Application</realm-name> -->
</login-config>

Next, I generate an MD5 password of the following form:

C:\apache-tomcat-6.0.26\bin>digest -a MD5 pendell:TESTING:password
pendell:TESTING:password:3e62d753e47e1278a74c0d7565dbb254

and plug it into tomcat-users.xml as follows:

<role rolename="manager"/>
<user username="pendell" password="3e62d753e47e1278a74c0d7565dbb254" roles="manager"/>

This doesn't work. I get an error 401 -- invalid access -- when I attempt to log onto the page.

I must be doing something wrong, but internet research has failed to turn up the answer.

Again, I am using apache 6.0.26. Is this a known issue? Does the problem go away in version 7?

Respectfully,

Brian P.

Telonius
2011-10-07, 11:56 AM
... for a second I thought this was going to be about a cat eating your ID card. Can't help with the computer stuff, good luck with it!

pendell
2011-10-07, 01:33 PM
... for a second I thought this was going to be about a cat eating your ID card. Can't help with the computer stuff, good luck with it!

In point of fact, I did solve the problem. I'll put it in spoilers in case anyone else wants to download tomcat and attempt the same, as an exercise.



The manager app has a special file called 401.jsp which is used during authentication failure. It had a line (rewritten so I won't break the board filter):

< %
response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
% >

So I would always be forced to use basic authentication. It didn't matter what changes I made to the rest of the server. This line forced me into basic authentication no matter what else I did. So of course authentication failed.



Respectfully,

Brian P.
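The failure described in the post above, modelled as an added example (not part of the original thread and not Tomcat's code): a credential stored as MD5(username:realm:password) only validates when the challenge is Digest with the same realm. It assumes a realm with digest="md5" hashes a Basic cleartext password on its own before comparing, and uses the RFC 2617 response without qop; the function names, nonce and URI are constructed for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', rest)
    return scheme.lower(), {k: q or u for k, q, u in pairs}

def digest_response(ha1, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def login_succeeds(stored, user, password, challenge,
                   method="GET", uri="/manager/html"):
    """Model a client answering `challenge` and the realm checking the reply."""
    scheme, params = parse_challenge(challenge)
    if scheme == "basic":
        # Assumption: the client sends the cleartext password and a realm with
        # digest="md5" hashes it alone before comparing with the stored value.
        return md5_hex(password) == stored
    if scheme == "digest":
        # The client derives HA1 from the realm named in the challenge;
        # the server treats the stored value as HA1.
        client_ha1 = md5_hex(f"{user}:{params.get('realm', '')}:{password}")
        nonce = params.get("nonce", "")
        return (digest_response(client_ha1, nonce, method, uri)
                == digest_response(stored, nonce, method, uri))
    return False

# Constructed sample data mirroring the thread's setup.
USER, REALM, PASSWORD = "pendell", "TESTING", "password"
STORED = md5_hex(f"{USER}:{REALM}:{PASSWORD}")  # form stored in tomcat-users.xml
CHALLENGES = {
    "401.jsp Basic header": 'Basic realm="Tomcat Manager Application"',
    "Digest, matching realm": 'Digest realm="TESTING", nonce="c0ffee"',
    "Digest, other realm": 'Digest realm="Tomcat Manager Application", nonce="c0ffee"',
}

if __name__ == "__main__":
    for label, header in CHALLENGES.items():
        ok = login_succeeds(STORED, USER, PASSWORD, header)
        print(f"{label:24} -> {'200' if ok else '401'}")
```
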

Mando Knight
2011-10-09, 12:22 PM
... for a second I thought this was going to be about a cat eating your ID card.

Not a swing-wing fighter jet requesting confirmation of orders to devour everything? :smallfrown:

:smalltongue: