Tomcat Digest with Manager WebApp

3
votes

I'm trying to get a digest password setup for the tomcat manager application.

I've got 

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" digest="MD5"/>

in my tomcat server.xml changed the manager web application's web.xml to use digest and changed the realm name to TESTING: 

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>TESTING</realm-name>
  </login-config>

I then used the included bat file to generate the md5 hash:

C:\tomcat6\bin>digest.bat -a MD5 tomcat:TESTING:testor
tomcat:TESTING:testor:1926e50988667dbd5deda9df02b82f28

I then have a user in tomcat-users.xml with that digested hash as a password:

<!-- testor -->
  <user username="tomcat" password="1926e50988667dbd5deda9df02b82f28" roles="manager"/>

I've also modifed the 401.jsp page to use digest and TESTING as the realm name.

I start up the web app, go to http://localhost:8080/manager/html and am prompted with the standard form. Typing in tomcat as the user, and testor as the password, I hit enter only to get a 401. I of course try again and again get a 401.

I'll probably go with BASIC authentication over SSL in the end since ant can't do digest, as far as I know.

But is there anyway to do this?

5
tomcatmd5digest
may you please accept an answer if your question is solved?!?!KiaMorot

5 Answers

2
votes

I tried out KiaMorot's answer with Tomcat 8.0.32, but it did not work. It did work when I added the option "-s 0" (salt lenth zero) when generating the digested password:

sudo /opt/apache-tomcat-8.0.32/bin/digest.sh -s 0 -a MD5 'developer:UserDatabase:my clear text password'

In this citation of my command I omitted my clear text password and replaced it with the string "my clear text password". Please keep the single quotes, otherwise the shell will interpret special characters in your password.

You can check whether omitting the -s option is your problem as follows. If I do the digest.sh command multiple times without the -s option, I get different results although the command-line of each repetition is the same.

1
votes

The following works for me:

digest.sh -a MD5 tomcat:UserDatabase:testor
1
votes

I believe you are missing the lines in server.xml where you define the name of your resource.

 <Resource
    auth="Container"
    description="User database that can be updated and saved"
    factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
    name="UserDatabase"  #<--------------NOTE
    pathname="conf/tomcat-users.xml"
    type="org.apache.catalina.UserDatabase"/>

The value of attribute name from <Resource> definition has to match with the value of attribute resourceName from your <Realm> definition, e.g.

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
   resourceName="UserDatabase"  #<------------NOTE
   digest="MD5"/>

This has to match with <realm-name> configuration in web.xml, e.g.

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name> #<------------NOTE
</login-config>

And do not forget to generate your password as follows:

C:\tomcat6\bin>digest.bat -a MD5 tomcat:UserDatabase:testor

If all this is fulfilled your setup should work flawlessly as it does in my case.

Note that for tomcat7 and tomcat8 MD5 as digest algorithm is a must.

1
votes

1) Generate password: /bin>digest.bat -s 0 -a sha-256

Example: /bin>digest.bat -s 0 -a sha-256 admin

Password to use is: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

*Important note: You must use “-s 0 “(salt 0) or it won’t work.

2) paste password above into your tomcat-users.xml file.

Example:

<!-- for password “admin” -->
<user username="tomcat" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="manager-gui,manager,admin"></user>

3) configure server.xml to use SHA-256 digest hashed based passwords:

4) configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)

 <catalina_home>/webapps/manager\WEB-INF\web.xml

    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>UserDatabase</realm-name> 
    </login-config>

Full context:
  <servlet>
    <servlet-name>HTMLManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>

… SNIPPED_FOR_BREVITY ...   

    <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name>
  </login-config>

    <multipart-config>
      <!-- 50MB max -->
      <max-file-size>52428800</max-file-size>
      <max-request-size>52428800</max-request-size>
      <file-size-threshold>0</file-size-threshold>
    </multipart-config>
  </servlet>
0
votes

Everything is fine. but what path are you using to update web.xml? It should be /webapps/manager/WEB-INF/web.xml here change the loginconfig.

And make sure what version you are using cause 8.0.26 is not a stable version to generate md5 password.