Mark,
On 11/17/23 03:55, Mark Thomas wrote:
On 16/11/2023 18:06, Peter Otto wrote:
1. Configure BASIC auth with clear-text passwords in the Realm and get that working.
2. Switch to DIGEST auth with clear-text passwords in the Realm and get that working.
3. Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,
Step 1 & 2 work
Step 3 will not work with the clear text password, only the digested
password, which means the text password in tomcat-users.xml. In past
versions of Tomcat, the clear text password would work.
Testing with the manager application.
Step 1:
Use the following user in tomcat-users.xml
<user username="both" password="tomcat" roles="manager-gui"/>
Step 2:
Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
<auth-method>BASIC</auth-method>
changed to
<auth-method>DIGEST</auth-method>
Step 3:
Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5
digest (rather than default of SHA-256)
<Context ...>
  ...
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         algorithms="MD5" />
</Context>
Modify Realm configuration in server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="MD5" />
</Realm>
Calculate password value for tomcat-users.xml
digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
Update tomcat-users.xml
<user username="both" password="802b9260bb5c0837169f99e64aca2fd0"
roles="manager-gui"/>
As expected, this works. I will note it took me a couple of attempts to
get right as I had some typos in my configuration.
If you use the default digest of SHA-256 then you don't need to
configure the DigestAuthenticator in the context.xml file.
Is there any reason why SHA-256 is the default? MD5 is the historical
default / only implementation for HTTP DIGEST.
-chris