Mark,
On 11/17/23 03:55, Mark Thomas wrote:
On 16/11/2023 18:06, Peter Otto wrote:
1. Configure BASIC auth with clear-text passwords in the Realm and get that working.
2. Switch to DIGEST auth with clear-text passwords in the Realm and get that working.
3. Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,
Steps 1 & 2 work.
Step 3 will not work with the clear-text password, only the digested
password, which means the text password in tomcat-users.xml. In past
versions of Tomcat, the clear-text password would work.
Testing with the manager application.
Step 1:
Use the following user in tomcat-users.xml
<user username="both" password="tomcat" roles="manager-gui"/>
Step 2:
Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
<auth-method>BASIC</auth-method>
changed to
<auth-method>DIGEST</auth-method>
Step 3:
Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5
digest (rather than default of SHA-256)
<Context ...>
...
<Valve
className="org.apache.catalina.authenticator.DigestAuthenticator"
algorithms="MD5"
/>
</Context>
Modify Realm configuration in server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="MD5"
/>
</Realm>
Calculate password value for tomcat-users.xml
digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
Update tomcat-users.xml
<user username="both" password="802b9260bb5c0837169f99e64aca2fd0"
roles="manager-gui"/>
As expected, this works. I will note it took me a couple of attempts to
get right as I had some typos in my configuration.
If you use the default digest of SHA-256 then you don't need to
configure the DigestAuthenticator in the context.xml file.
If you want to default to SHA-256 but fall back to MD5 for clients that
don't support DIGEST auth with SHA-256 then you need to next two realms
in the LockOut realm.
s/next/nest/
One you configure all your users with MD5 passwords
and MD5 credential handler. The other you configure all your users with
SHA256 passwords and a SHA256 credential handler. i.e. you have two
Realms that duplicate the user names but use different digests to
calculate the passwords.
Peter, while this is entirely technically possible, it's pointless: the
purpose in hashing passwords is to protect the stored credentials from
being compromised by either the stewards of those credentials (the
system administrators) or by some third-party adversary. If you have
both MD5 and SHA-256 hashes available on the server, an adversary will
ignore the SHA-256 hashes and use the MD5 hashes instead.
So if you can guarantee that all your clients support SHA-256, then
that's what you should use. Otherwise, you will be stuck with MD5
forever, anyway, so you may as well have a less needlessly-complicated
configuration.
-chris
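To make the stored value and the two-Realm requirement discussed above concrete, here is an added Python example (not part of this thread and not Tomcat's own code). It computes the HA1 that `digest.sh -s 0` produces for the thread's user and realm, then simulates a Digest exchange to show that a Realm storing one algorithm's hash can only verify clients that negotiated that same algorithm; the nonce, cnonce and `/manager/html` URI are constructed values.

```python
"""HA1 values for Tomcat DIGEST auth and why a stored hash is bound to one algorithm.
Added example for this thread; not Tomcat's own code."""
import hashlib
import hmac

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def hexdigest(algorithm: str, data: str) -> str:
    """Lower-case hex digest of a UTF-8 string with the named algorithm."""
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()

def stored_password(username: str, realm: str, password: str, algorithm: str) -> str:
    """HA1 = H(username:realm:password), the value written into tomcat-users.xml.
    Same digest as `digest.sh -s 0 "user:realm:password"` (no salt, one iteration)."""
    return hexdigest(algorithm, f"{username}:{realm}:{password}")

def client_response(username, realm, password, method, uri, nonce, nc, cnonce, algorithm):
    """response= value a Digest client sends for qop=auth (RFC 7616):
    H(HA1:nonce:nc:cnonce:auth:HA2), with HA2 = H(method:uri)."""
    ha1 = hexdigest(algorithm, f"{username}:{realm}:{password}")
    ha2 = hexdigest(algorithm, f"{method}:{uri}")
    return hexdigest(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, algorithm):
    """Server side: recompute from the stored HA1 only; the cleartext password is
    never needed, but an HA1 made with one algorithm is useless for the other."""
    ha2 = hexdigest(algorithm, f"{method}:{uri}")
    expected = hexdigest(algorithm, f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)

# Constructed sample exchange: user/realm/password are the thread's, nonce and
# cnonce are made-up values (a real server issues a fresh nonce per challenge).
USER, REALM, PASSWORD = "both", "Tomcat Manager Application", "tomcat"
EXCHANGE = dict(method="GET", uri="/manager/html", nonce="constructed-nonce",
                nc="00000001", cnonce="constructed-cnonce")

def realm_accepts(realm_algorithm: str, client_algorithm: str, password: str = PASSWORD) -> bool:
    """Can a Realm whose CredentialHandler stores realm_algorithm hashes verify a client
    that negotiated client_algorithm? Only when they agree, which is why the thread
    nests an MD5 Realm and a SHA-256 Realm to serve both kinds of client."""
    stored = stored_password(USER, REALM, PASSWORD, realm_algorithm)
    response = client_response(USER, REALM, password, algorithm=client_algorithm, **EXCHANGE)
    return server_verify(stored, response=response, algorithm=client_algorithm, **EXCHANGE)

if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(f"{alg}: {stored_password(USER, REALM, PASSWORD, alg)}")
    print("MD5 realm with SHA-256 client:", realm_accepts("MD5", "SHA-256"))
```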