On 16/11/2023 18:06, Peter Otto wrote:
   1.  Configure BASIC auth with clear-text passwords in the Realm and get that working.
   2.  Switch to DIGEST auth with clear-text passwords in the Realm and get that working.
   3.  Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,

Steps 1 & 2 work.
Step 3 will not work with the clear-text password, only the digested password,
which means the text password in tomcat-users.xml. In past versions of
Tomcat, the clear-text password would work.

Testing with the manager application.

Step 1:
Use the following user in tomcat-users.xml
<user username="both" password="tomcat" roles="manager-gui"/>

Step 2:
Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
<auth-method>BASIC</auth-method>
changed to
<auth-method>DIGEST</auth-method>

Step 3:
Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify the MD5 digest (rather than the default of SHA-256)
<Context ...>
  ...
  <Valve
    className="org.apache.catalina.authenticator.DigestAuthenticator"
    algorithms="MD5"
    />
</Context>

Modify Realm configuration in server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler
      className="org.apache.catalina.realm.MessageDigestCredentialHandler"
      algorithm="MD5"
      />
</Realm>

Calculate password value for tomcat-users.xml
digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
Update tomcat-users.xml
<user username="both" password="802b9260bb5c0837169f99e64aca2fd0" roles="manager-gui"/>

As expected, this works. I will note it took me a couple of attempts to get right as I had some typos in my configuration.

If you use the default digest of SHA-256 then you don't need to configure the DigestAuthenticator in the context.xml file.

If you want to default to SHA-256 but fall back to MD5 for clients that don't support DIGEST auth with SHA-256 then you need to nest two Realms in the LockOut realm. In one you configure all your users with MD5 passwords and an MD5 credential handler. In the other you configure all your users with SHA-256 passwords and a SHA-256 credential handler. i.e. you have two Realms that duplicate the user names but use different digests to calculate the passwords.

Mark
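The Step 3 setup above, worked through as an added example (not code from the thread or from Tomcat itself): it recomputes the stored credential that digest.sh produces, then runs the Digest challenge/response arithmetic from both the client side (which has the clear-text password) and the server side (which only has the Realm's stored value), for MD5 and for the SHA-256 default. The realm name is the middle field of the digest.sh input quoted above; the nonce, cnonce, nonce count, URI and method are constructed here and are not from the thread.

```python
import hashlib
import hmac

# Realm name used by the manager webapp; taken from the digest.sh input in the
# thread ("both:Tomcat Manager Application:tomcat").
REALM = "Tomcat Manager Application"

# Digest algorithms this example supports: MD5 (RFC 2617) and SHA-256 (RFC 7616).
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def ha1(username, password, algorithm="MD5", realm=REALM):
    """Digested credential stored in tomcat-users.xml for DIGEST auth.

    Mirrors `digest.sh -a <algorithm> -s 0 "user:realm:password"` with no salt:
    H(username:realm:password). The realm name is part of the hashed input, so a
    hash of the bare password (or the bare password itself) can never match.
    """
    h = ALGORITHMS[algorithm]
    return h(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(stored_ha1, method, uri, nonce, nc, cnonce, algorithm="MD5", qop="auth"):
    """'response' field for qop=auth (RFC 2617 3.2.2.1 / RFC 7616 3.4.1).

    The same arithmetic runs on both sides: the client derives HA1 from the
    clear-text password, the server takes HA1 straight out of the Realm.
    """
    h = ALGORITHMS[algorithm]
    ha2 = h(f"{method}:{uri}".encode()).hexdigest()
    return h(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def client_response(username, password, algorithm, method, uri, nonce, nc, cnonce):
    """What a browser sends after the 401 challenge; it knows the password."""
    return digest_response(ha1(username, password, algorithm), method, uri,
                           nonce, nc, cnonce, algorithm)


def server_verifies(stored_credential, algorithm, method, uri, nonce, nc, cnonce, presented):
    """What the DigestAuthenticator/Realm pair does with a digested credential:
    recompute the response from the stored value and compare in constant time.

    If stored_credential is a clear-text password instead of H(user:realm:pass),
    the recomputed value cannot match, which is the Step 3 failure in the thread.
    """
    expected = digest_response(stored_credential, method, uri, nonce, nc, cnonce, algorithm)
    return hmac.compare_digest(expected, presented)


def demo():
    # Constructed challenge values (assumption, not from the thread); real
    # nonces are generated by the server per challenge.
    method, uri = "GET", "/manager/html"
    nonce, nc, cnonce = "d2d8ac1b7e40", "00000001", "3f9c1e0a"
    results = {}
    for alg in ALGORITHMS:
        stored = ha1("both", "tomcat", alg)  # value to paste into tomcat-users.xml
        presented = client_response("both", "tomcat", alg, method, uri, nonce, nc, cnonce)
        wrong = client_response("both", "Tomcat", alg, method, uri, nonce, nc, cnonce)
        results[alg] = {
            "stored_credential": stored,
            # Realm holds H(user:realm:pass): the exchange succeeds.
            "digested_store_ok": server_verifies(stored, alg, method, uri, nonce, nc, cnonce, presented),
            # Realm still holds the clear-text password: the server treats it as
            # HA1 and the exchange fails, even though the client's password is right.
            "cleartext_store_ok": server_verifies("tomcat", alg, method, uri, nonce, nc, cnonce, presented),
            # Wrong password from the client is rejected as usual.
            "wrong_password_ok": server_verifies(stored, alg, method, uri, nonce, nc, cnonce, wrong),
        }
    return results


if __name__ == "__main__":
    for alg, r in demo().items():
        print(alg, r)
```

Because the realm name and the algorithm are both baked into the stored value, the MD5 and SHA-256 credentials for the same user differ, which is why a fallback to MD5 needs a second Realm with the same user names digested separately rather than a single user entry. With the thread's input the MD5 branch should reproduce the value the digest.sh run printed; the SHA-256 branch is the value to store when the DigestAuthenticator is left at its default. Note also that the stored HA1 is itself a password-equivalent secret for this realm, so tomcat-users.xml needs the same file permissions either way.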
