-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Philippe,
On 11/5/17 3:16 PM, Philippe Mouawad wrote: > Hello, I am having issues making Digest auth work in Tomcat 8.5.23 > for manager application. I'm curious... why bother with HTTP DIGEST authentication when TLS just so much better? > I have done the following: > > 1) Edit server.xml and have set MessageDigestCredentialHandler with > SHA-256 <Realm className="org.apache.catalina.realm.LockOutRealm"> > <!-- This Realm uses the UserDatabase configured in the global > JNDI resources under the key "UserDatabase". Any edits that are > performed against this UserDatabase are immediately available for > use by the Realm. --> <Realm > className="org.apache.catalina.realm.UserDatabaseRealm" > resourceName="*UserDatabase*"> <CredentialHandler > className="org.apache.catalina.realm. > MessageDigestCredentialHandler" algorithm="*SHA-256*" /> </Realm> > </Realm> Tomcat docs[1] say specifically what you need to do. > 2) Generated password using: ./digest.sh -a *SHA-256* -h > org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s 0 > password1234 This is not correct (incorrect algorithm, incorrect input). > I also tried : ./digest.sh -a SHA-256 -h > org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s 0 > tomcat:UserDatabase:password1234 This is not correct (incorrect algorithm). > 3) Set the last part of password following "password1234:" in > tomcat-users.xml <role rolename="manager-gui"/> <role > rolename="admin"/> <role rolename="manager"/> <user > username="tomcat" password="b9c950640e1b3740e98acb93e669c6 > 5766f6670dd1609ba91ff41052ba48c6f3" > roles="manager-gui,admin,manager"/> > > 4) Edit /webapps/manager/WEB-INF/web.xml > > <login-config> <auth-method>DIGEST</auth-method> > <realm-name>UserDatabase</realm-name> </login-config> > > I then try to login to http://localhost:8080/manager/html and enter > admin and password1234 it fails. > > There must be something I am missing. Try this: $ ./digest.sh -a MD5 -h org.apache.catalina.realm.MessageDigestCredentialHandler \ -i 1 -s 0 tomcat:UserDatabase:password1234 ... and put the result of that into your tomcat-users.xml file. > Sorry if I misread some documentation or if my question is stupid, > these are the docs I have seen: - > https://tomcat.apache.org/tomcat-8.5-doc/config/credentialhandler.html # > > MessageDigestCredentialHandler Note the start of this part is not that > clear for me. I think my format is > *salt$iterationCount$encodedCredential* - a hex encoded salt, > iteration code and a hex encoded credential, each separated by $ > > I have also tried solutions described here without success: - > http://www.techpaste.com/2013/05/enable-password-encryption- > policy-tomcat-7/ - > https://stackoverflow.com/questions/39967289/how-to-use- > digest-authentication-in-tomcat-8-5 - > https://stackoverflow.com/questions/2978884/tomcat- > digest-with-manager-webapp HTTP DIGEST simply requires the use of MD5 and prohibits the use of any password-strengthening strategies. You are better off using TLS + HTTP BASIC in almost every case. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln/9p8dHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiZwRAAvWpovPI8jYk9bcnP CsGgqeLDwcRJ4rNUJzC7n1dtwy4OCFMEkJJnuuiOy3ml6rSGuRUjflFy3MUE9D/4 O+r9KOblYi9Cj7ft/U39hG9T5XRiAF+pFTli4OPaylI/h1TNOPIBcegFMOw3Qx+h jeD3ZqGVNi7HRjXiDVtSgebFStsfOVbvte0J/r5IOclvvOxZ9Cd5IJy6sM8kO9v4 av5Kl4qVQvw5CBWw3RXYd4uFJ10r76L8CHy07d3sDznXL7HQGjVeN1NlZIRAq0bS 6MmxEg5xvGhWIK+y60cpF0QGb/wXcRhHb8Q3denWJhEIRQLA3cS7331QEad5ZoNq C6riGtncH7hPbd9M+55C/nAIOUFraQGRShNBsVkmrFnr8rVChMKnol/cCJZBEGR5 aePN8DBkpESopqCP4IgyIR3b5XMQ2BRxQkhOpdbGCkg7iUD6JIiUknaWoj2eF04I C6iyAYMfRfeXEd+fpMXQQ0ep+4ZXI4MCiTS/xdo3CF04Iy3RpEZFc6Jfmoq8+lPj H2+U8Su8u/iGs7MvcGvwBN3Jp/9basBMVU9lhrpEqJjfxt9V0UOkwSwmcc/0Qgy9 f7W95ZByovovGdfMQLHI3CN0kXO82DGRihIbfB4YiTELtO7PQdruC9cyx1Ud1KN2 GYXwbMzhMMNWhVhu4hN6tsgV59E= =6ORl -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org