Mark,

On 11/17/23 03:55, Mark Thomas wrote:
On 16/11/2023 18:06, Peter Otto wrote:
   1.  Configure BASIC auth with clear-text passwords in the Realm and get
that working.
   2.  Switch to DIGEST auth with clear-text passwords in the Realm and get
that working.
   3.  Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,

Steps 1 & 2 work.
Step 3 will not work with the clear text password, only the digested password, which means the text password in tomcat-users.xml. In past versions of Tomcat, the clear text password would work.

Testing with the manager application.

Step 1:
Use the following user in tomcat-users.xml
<user username="both" password="tomcat" roles="manager-gui"/>

Step 2:
Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
<auth-method>BASIC</auth-method>
changed to
<auth-method>DIGEST</auth-method>

Step 3:
Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5 digest (rather than default of SHA-256)
<Context ...>
   ...
   <Valve
     className="org.apache.catalina.authenticator.DigestAuthenticator"
     algorithms="MD5"
     />
</Context>

Modify Realm configuration in server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        resourceName="UserDatabase">
   <CredentialHandler
       className="org.apache.catalina.realm.MessageDigestCredentialHandler"
       algorithm="MD5"
       />
</Realm>

Calculate password value for tomcat-users.xml
digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
Update tomcat-users.xml
<user username="both" password="802b9260bb5c0837169f99e64aca2fd0" roles="manager-gui"/>

As expected, this works. I will note it took me a couple of attempts to get right as I had some typos in my configuration.

If you use the default digest of SHA-256 then you don't need to configure the DigestAuthenticator in the context.xml file.

Is there any reason why SHA-256 is the default? MD5 is the historical default / only implementation for HTTP DIGEST.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
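The following is an added example, not code from the thread or from Tomcat, showing why step 3 only works with the digested form and why the algorithm on the DigestAuthenticator and the CredentialHandler must agree. It redoes the HTTP Digest arithmetic (RFC 7616, qop=auth) in plain Python: the value the Realm stores is HA1 = H(username:realm:password), and the server can verify a response from HA1 alone, so a credential digested under a different realm string or a different hash algorithm can never match. The username, realm and password are the ones from the thread; the nonce, cnonce and request line are constructed for the exchange, and it is assumed that `digest.sh -a MD5 -s 0` with no salt prints exactly hex(MD5(input)), as the thread's output suggests.

```python
import hashlib
import hmac

# Constructed example values (not from the thread): the user, realm and
# password match the mailing-list example; the nonce, cnonce and the
# request line are made up for the exchange.
USERNAME = "both"
REALM = "Tomcat Manager Application"   # realm-name of the manager app
PASSWORD = "tomcat"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server challenge (constructed)
CNONCE = "0a4f113b"                            # client nonce (constructed)
NC = "00000001"
METHOD, URI = "GET", "/manager/html"


def h(algorithm: str, text: str) -> str:
    """Hex digest of text under 'MD5' or 'SHA-256' (hashlib spelling normalised)."""
    name = algorithm.lower().replace("-", "")
    return hashlib.new(name, text.encode("utf-8")).hexdigest()


def stored_credential(username: str, realm: str, password: str,
                      algorithm: str = "MD5") -> str:
    """HA1 = H(username:realm:password).

    Assumption: this is the value `digest.sh -a MD5 -s 0 "user:realm:pass"`
    prints with no salt and no extra iterations, i.e. what goes into
    tomcat-users.xml when the Realm stores digested passwords for DIGEST auth.
    """
    return h(algorithm, f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, algorithm: str = "MD5", qop: str = "auth") -> str:
    """RFC 7616 qop=auth: response = H(HA1:nonce:nc:cnonce:qop:HA2),
    HA2 = H(method:uri). Only HA1 enters; the clear-text password does not."""
    ha2 = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_side(username: str, realm: str, password: str,
                algorithm: str = "MD5") -> str:
    """Browser: hashes the clear-text password into HA1 using the realm from
    the challenge, then builds the Authorization response."""
    ha1 = stored_credential(username, realm, password, algorithm)
    return digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE, algorithm)


def server_side(stored_ha1: str, response: str, algorithm: str = "MD5") -> bool:
    """Realm with digested passwords: recompute the expected response from the
    stored HA1 and compare in constant time. No clear-text password exists
    here, so a stored value digested under another realm name or algorithm
    cannot be "re-hashed" into the right HA1 and is rejected."""
    expected = digest_response(stored_ha1, METHOD, URI, NONCE, NC, CNONCE, algorithm)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Replays the situations discussed in the thread; True means accepted."""
    response = client_side(USERNAME, REALM, PASSWORD, "MD5")
    good = stored_credential(USERNAME, REALM, PASSWORD, "MD5")
    wrong_realm = stored_credential(USERNAME, "Other Realm", PASSWORD, "MD5")
    sha256_stored = stored_credential(USERNAME, REALM, PASSWORD, "SHA-256")
    return {
        # digest.sh run with the exact realm-name and the same algorithm
        "md5_matching_realm": server_side(good, response, "MD5"),
        # digest.sh run with a realm string that differs from <realm-name>
        "md5_wrong_realm_string": server_side(wrong_realm, response, "MD5"),
        # DigestAuthenticator on MD5 but the stored credential is SHA-256
        "algorithm_mismatch": server_side(sha256_stored, response, "MD5"),
    }


if __name__ == "__main__":
    print(f"{USERNAME}:{REALM}:{PASSWORD}:{stored_credential(USERNAME, REALM, PASSWORD)}")
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The practical checks this illustrates: the string fed to digest.sh must use the `<realm-name>` from the application's web.xml character for character, and the `algorithm` on the MessageDigestCredentialHandler must be the same as the `algorithms` on the DigestAuthenticator (or both left at the SHA-256 default), otherwise the Realm holds an HA1 the authenticator can never reproduce.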