Hi, I'm trying to configure digested passwords in an application. Just as an
example, I was trying with MD5.
First of all:
* OS: CentOS Linux 7 (Core)
* Tomcat full version: 9.0.43
I configured the Host in this way:
<Host name="tradx.sixro.io" debug="0" appBase="webapps" unpackWARs="true"
      autoDeploy="true">
  <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
           crossContext="false" reloadable="true">
    <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
              maxTotal="10" maxIdle="5" maxWaitMillis="5000"
              username="myusr" password="mypwd"
              driverClassName="org.mariadb.jdbc.Driver"
              url="jdbc:mariadb://localhost:3306/mydb"/>
    <Realm resourceName="DbRealm"
           className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/mydb" localDataSource="true"
           userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
           userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME" debug="99">
      <CredentialHandler
          className="org.apache.catalina.realm.MessageDigestCredentialHandler"
          algorithm="MD5" ></CredentialHandler>
    </Realm>
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="/home/sixroio/sixro.io/tomcat/logs"
           prefix="tradx.sixro.io_log." suffix=".txt"
           pattern="common" resolveHosts="false"/>
  </Context>
</Host>
The authentication fails. For testing purposes I created a username usr
with password 1, which in MD5 is c4ca4238a0b923820dcc509a6f75849b
After enabling details in the logs I found these rows:
19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /
19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint has no restrictions
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.authenticate Digest :
3038dd372061bee3cfa5e1a510bea637 Username:usr
ClientDigest:3038dd372061bee3cfa5e1a510bea637
nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002
cnonce:c5513c3d36b6b643 qop:auth
realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server
digest:a66b50234577cb13076d3a117102c955
19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
But I can't understand the debug message in the last but not least row.
Just to exclude other errors I tried commenting out the CredentialHandler, and
I can log in if I try with usr / c4ca4238a0b923820dcc509a6f75849b
I don't understand what I did wrong.
Can you help me?
Regards
R
P.S. I also tried putting the jdbc config in global, just as a test, with
localDataSource set to false (just for test), but it didn't work either
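
Added example, not part of the original message and not Tomcat's own code: it recomputes the RFC 2617 DIGEST comparison for the two values that could be stored in the PASSWORD column, MD5 of the password alone and MD5 of username:realm:password, the cleartext Tomcat's realm documentation specifies for digested passwords used with DIGEST authentication. It assumes the server uses the stored value directly as HA1 when a digest CredentialHandler is configured; the function names are illustrative, and the challenge fields are copied from the log above.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Lower-case hex MD5 of a string, as used throughout HTTP DIGEST."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def request_digest(ha1, nonce, nc, cnonce, qop, ha2):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def login_matches(stored_credential, username, realm, password, challenge):
    """True when the server-side digest equals what the browser would send."""
    # The client always derives HA1 from username:realm:password.
    client = request_digest(md5_hex(f"{username}:{realm}:{password}"), **challenge)
    # Assumption: the server uses the stored column value as HA1 unchanged.
    server = request_digest(stored_credential, **challenge)
    return hmac.compare_digest(client, server)


# Challenge fields copied from the "Digest :" log line in the message.
CHALLENGE = {
    "nonce": "1613771311042:138f42717e6782847a85f249e2deedae",
    "nc": "00000002",
    "cnonce": "c5513c3d36b6b643",
    "qop": "auth",
    "ha2": "71998c64aea37ae77020c49c00f73fa8",  # logged as md5a2
}

# Two candidate values for the PASSWORD column of user "usr", password "1".
PLAIN_MD5 = md5_hex("1")               # MD5 of the password alone
DIGEST_HA1 = md5_hex("usr:DbRealm:1")  # MD5 of username:realm:password


def demo():
    """Return (result with PLAIN_MD5 stored, result with DIGEST_HA1 stored)."""
    return (login_matches(PLAIN_MD5, "usr", "DbRealm", "1", CHALLENGE),
            login_matches(DIGEST_HA1, "usr", "DbRealm", "1", CHALLENGE))


if __name__ == "__main__":
    print(demo())
```

The realm string is part of the hash, so a stored HA1 value is only valid for the realm name the application advertises in its DIGEST challenge (DbRealm in the log above).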