1
votes

I use Postman 4.4.1 in Chrome 51.0.2704.63. I have set up a web project with Tomcat6, the web.xml like:

<web-app>
    <display-name>Archetype Created Web Application</display-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                My App
            </web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>DIGEST</auth-method>  <!-- DIGEST here -->
        <realm-name>My Realm</realm-name>
    </login-config>
</web-app>

When I access http://localhost:8080/simple-web/ using my local browser, a window pops up to let me input username and password. After filling it in, it works well. When I use Postman, I input the username and password in the Authorization page, and choose the Type Digest Auth. It always shows me 401 Unauthorized. I can see the Headers:

Cache-Control →no-cache
Content-Length →954
Content-Type →text/html;charset=utf-8
Date →Fri, 29 Jul 2016 10:26:20 GMT
Expires →Thu, 01 Jan 1970 08:00:00 CST
Pragma →No-cache
Server →Apache-Coyote/1.1
WWW-Authenticate →Digest realm="My Realm", qop="auth", nonce="dcb71e7d6766f85c3f233b7b74e42423", opaque="4894d1ece1380278a451585e9b548e21"

Does someone know the reason and how to fix it?


2 Answers

0
votes

From the beginning I have used a two-step process with Digest Authentication: build the request from Firebug and send it, get the 401, copy the nonce and sometimes the opaque into the digest fields, and resend for success. Discussions on the forums lead me to believe that it is still an issue. I am using the 5.1.2 Windows app. I model my initial request on what I see in Firebug when I paste the URL and get back the expected response.

0
votes

Late answer but posting it here as my team struggled with this as well, while it's just a matter of carefully reading the documentation.

According to the Postman documentation,

(..) server responds with a few details, including a number that can be used only once (nonce), a realm value, and a 401 unauthorized response. You then send back an encrypted array of data including username and password combined with the data received from the server in the first request.

As it is already visible in the output you have provided, you are indeed provided with nonce, qop and opaque values. Hence, after the initial request that gets a 401 response, you would create another one, which would be almost the same as the previous one, just with the additional nonce, qop and opaque values set.
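The second request described above, as an added worked example (not code from the answer, from Postman or from Tomcat): it parses the WWW-Authenticate challenge shown in the question and computes the RFC 2617 Digest Authorization header a client must send back. The username and password are constructed placeholders, and the client nonce is fixed so the output is reproducible; a real client randomizes it per request.

```python
import hashlib
import re

# The challenge copied from the 401 response shown in the question.
CHALLENGE = ('Digest realm="My Realm", qop="auth", '
             'nonce="dcb71e7d6766f85c3f233b7b74e42423", '
             'opaque="4894d1ece1380278a451585e9b548e21"')


def parse_challenge(header):
    """Turn a WWW-Authenticate: Digest header into a dict of its quoted parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest challenge: " + header)
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(params, method, uri, username, password, cnonce, nc="00000001"):
    """RFC 2617 'response' for algorithm=MD5 (the default when, as here, the
    challenge names none). The password never leaves the client: only
    MD5(user:realm:pass) is mixed into the hash."""
    ha1 = md5_hex(f"{username}:{params['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")          # uri must equal the request path
    qops = [q.strip() for q in params.get("qop", "").split(",") if q]
    if "auth" in qops:
        return md5_hex(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{params['nonce']}:{ha2}")   # legacy RFC 2069 form


def build_authorization(params, method, uri, username, password, cnonce, nc="00000001"):
    """Build the Authorization header for the second (retried) request."""
    resp = digest_response(params, method, uri, username, password, cnonce, nc)
    fields = [f'username="{username}"', f'realm="{params["realm"]}"',
              f'nonce="{params["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if "auth" in params.get("qop", ""):
        fields += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in params:
        fields.append(f'opaque="{params["opaque"]}"')   # echoed back unchanged
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # Constructed credentials; use the user defined in tomcat-users.xml instead.
    hdr = build_authorization(parse_challenge(CHALLENGE), "GET", "/simple-web/",
                              "tomcat", "s3cret", cnonce="0a4f113b")
    print("Authorization:", hdr)
```

If the uri field does not match the path actually requested, or the nonce is reused after the server has expired it, Tomcat recomputes a different response and answers with another 401, which is the symptom seen in the question.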