On 16/11/2023 18:06, Peter Otto wrote:
1. Configure BASIC auth with clear-text passwords in the Realm and get
that working.
2. Switch to DIGEST auth with clear-text passwords in the Realm and get
that working.
3. Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,
Step 1 & 2 work
Step 3 will not work with the clear text password, only the digested password,
which means the text password in tomcat-users.xml. In past versions of
Tomcat, the clear text password would work.
Testing with the manager application.
Step 1:
Use the following user in tomcat-users.xml
<user username="both" password="tomcat" roles="manager-gui"/>
Step 2:
Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
<auth-method>BASIC</auth-method>
changed to
<auth-method>DIGEST</auth-method>
Step 3:
Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5
digest (rather than default of SHA-256)
<Context ...>
...
<Valve
className="org.apache.catalina.authenticator.DigestAuthenticator"
algorithms="MD5"
/>
</Context>
Modify Realm configuration in server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="MD5"
/>
</Realm>
Calculate password value for tomcat-users.xml
digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
Update tomcat-users.xml
<user username="both" password="802b9260bb5c0837169f99e64aca2fd0"
roles="manager-gui"/>
As expected, this works. I will note it took me a couple of attempts to
get right as I had some typos in my configuration.
If you use the default digest of SHA-256 then you don't need to
configure the DigestAuthenticator in the context.xml file.
If you want to default to SHA-256 but fall back to MD5 for clients that
don't support DIGEST auth with SHA-256 then you need to nest two Realms
in the LockOutRealm. In one you configure all your users with MD5 passwords
and an MD5 credential handler. In the other you configure all your users with
SHA-256 passwords and a SHA-256 credential handler. i.e. you have two
Realms that duplicate the user names but use different digests to
calculate the passwords.
Mark
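The value digest.sh prints in step 3 is the Digest "HA1" H(username:realm:password), and a DIGEST-auth realm can only validate a client whose algorithm matches the stored digest, which is why the two-realm fallback above is needed. The following is an added Python example (not code from the thread or from Tomcat); it assumes the manager application's realm name from the thread and uses constructed nonce values.

```python
import hashlib
import hmac
import secrets

# Realm name used by Tomcat's manager application (as in the thread).
REALM = "Tomcat Manager Application"

# Digest algorithm token (RFC 7616) -> hashlib constructor name.
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256"}


def _h(algorithm: str, data: str) -> str:
    return hashlib.new(ALGORITHMS[algorithm], data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str, algorithm: str = "MD5") -> str:
    """H(username:realm:password): what digest.sh -a <alg> -s 0 prints and what
    is stored as password="..." in tomcat-users.xml for a DIGEST-auth realm.
    The thread reports 802b9260bb5c0837169f99e64aca2fd0 for the MD5 case."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(stored_ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, algorithm: str = "MD5") -> str:
    """Client response for qop=auth: H(HA1:nonce:nc:cnonce:auth:HA2) with
    HA2 = H(method:uri). A server holding only HA1 can compute the same value."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(stored_ha1: str, client_response: str, method: str, uri: str,
           nonce: str, nc: str, cnonce: str, algorithm: str = "MD5") -> bool:
    """Server-side check: recompute the response from the stored HA1 and compare
    in constant time. The stored digest must use the client's algorithm."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, algorithm)
    return hmac.compare_digest(expected, client_response)


def demo() -> dict:
    # Constructed nonce/cnonce values; a real server issues its own nonce.
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    md5_ha1 = ha1("both", REALM, "tomcat", "MD5")
    sha_ha1 = ha1("both", REALM, "tomcat", "SHA-256")
    # A client that negotiated MD5 validates against the MD5 realm entry...
    resp = digest_response(md5_ha1, "GET", "/manager/html", nonce, nc, cnonce, "MD5")
    ok_md5 = verify(md5_ha1, resp, "GET", "/manager/html", nonce, nc, cnonce, "MD5")
    # ...but not against the SHA-256 entry, hence the nested MD5 fallback realm.
    ok_sha = verify(sha_ha1, resp, "GET", "/manager/html", nonce, nc, cnonce, "SHA-256")
    return {"md5_ha1": md5_ha1, "sha256_ha1": sha_ha1, "md5_ok": ok_md5, "sha256_ok": ok_sha}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```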