1
votes

I'm trying to set up digest authentication on Tomcat 8.5 on CentOS 7. I've looked at/followed various articles, including How to use digest authentication in Tomcat 8.5?, but after following all the required steps it's not working. I've set this up for the manager and host-manager apps, but the password is never accepted and the localhost_access log reports a 401 error. Access to these apps was working using Basic authentication.

My server.xml is configured as follows:

    <!-- Use the LockOutRealm to prevent attempts to guess user passwords
         via a brute-force attack -->
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase".  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
      </Realm>
    </Realm>

web.xml for each app has been edited as follows:

    <!-- Define the Login Configuration for this Application -->
    <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>

The password was created by:

    /opt/tomcat/bin/digest.sh -s 0 -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler "username":UserDatabase:"password"

The password in tomcat-users.xml has been replaced with this.

I've also checked in server.xml that the "name" in the following section matches the one defined in the LockOutRealm section of server.xml and in web.xml:

    <Resource
        auth="Container"
        description="User database that can be updated and saved"
        factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
        name="UserDatabase"
        pathname="conf/tomcat-users.xml"
        type="org.apache.catalina.UserDatabase"/>  <!-- NOTE: name="UserDatabase" -->

I've also restarted the tomcat service after these changes; I even restarted the server, clutching at straws.

When I try to log in through a browser I keep getting re-prompted as below; if I cancel I get the standard 401 error screen.

[Image: browser login box]

I know I must have missed something but I've been at this for a while now and just can't see what it is.


1 Answers

1
votes

I'm having the same issue, running on macOS High Sierra. (I'm eventually going to deploy to CentOS 7.) The short version: use MD5 instead of SHA. I could get digest with MD5 to work, as vaguely described at https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#Digested_Passwords, as follows:

1) First, the <realm-name> as defined in your web.xml file is arbitrary; it's an independent construct from the one defined in the server.xml file. However, you'll need to know it.

2) Obviously, set the algorithm="md5" attribute on the <CredentialHandler> element inside the <Realm> in server.xml.

3) When running digest.sh for MD5, you must specify "-a md5 -s 0 -i 1".

4) the "password" that gets hashed via the digest command must be a concatenation of userid:realm-name:password. This uses the <realm-name> value from your web.xml.

I've tried the above steps with SHA-256, with no luck. My best guess is that the "provider defaults" used at the command line are different than what is used internally, and aren't documented. This is the case with MD5 hash, where the Tomcat docs explicitly state using the "-s 0" flag, which isn't the default.
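As an added illustration of steps 1 to 4 (this is example code, not from the question, the answer, or Tomcat itself), the script below reproduces what `digest.sh -a md5 -s 0 -i 1 user:realm:password` stores and then walks through an RFC 2617 Digest exchange verified from that stored value. With a salt length of 0 and one iteration, MessageDigestCredentialHandler stores the plain hex MD5 of the input, which is exactly HTTP Digest's HA1 = MD5(username:realm:password); Tomcat's digest authenticator recomputes the client's `response` from the stored HA1, so the realm string you hash must be the web.xml `<realm-name>` the browser is shown, and the stored value has to be MD5, because that is the hash RFC 2617 Digest is defined over. The user name, realm, password, nonce and cnonce values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Reproduces the HA1 that digest.sh -a md5 -s 0 -i 1 writes to tomcat-users.xml and
# shows how a Digest response is checked from that stored value alone.
# All names, passwords and nonces below are constructed for illustration.

md5hex() {
    # hex MD5 of the argument with no trailing newline (what digest.sh hashes)
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.* //'
    fi
}

# What "digest.sh -a md5 -s 0 -i 1 user:realm:pass" stores: with salt length 0 and one
# iteration it is just the plain MD5 of the input. The realm here must be the
# <realm-name> from web.xml, not the Realm/resource name from server.xml.
ha1_for() {
    md5hex "$1:$2:$3"   # $1 user, $2 realm, $3 password
}

# RFC 2617 response (qop=auth) that the browser sends back after the 401 challenge
digest_response() {
    # $1 ha1  $2 method  $3 uri  $4 nonce  $5 nc  $6 cnonce
    ha2=$(md5hex "$2:$3")
    md5hex "$1:$4:$5:$6:auth:$ha2"
}

# Server side: recompute from the STORED ha1 (the cleartext is never needed) and compare
verify_digest() {
    # $1 stored_ha1 $2 method $3 uri $4 nonce $5 nc $6 cnonce $7 client_response
    expected=$(digest_response "$1" "$2" "$3" "$4" "$5" "$6")
    [ "$expected" = "$7" ]
}

demo() {
    user=tomcat; realm=UserDatabase; pass='s3cret'            # constructed values
    stored=$(ha1_for "$user" "$realm" "$pass")               # goes into password="..." in tomcat-users.xml
    nonce=deadbeef0001; nc=00000001; cnonce=0a4f113b         # constructed challenge values
    resp=$(digest_response "$stored" GET /manager/html "$nonce" "$nc" "$cnonce")
    if verify_digest "$stored" GET /manager/html "$nonce" "$nc" "$cnonce" "$resp"; then
        echo "stored HA1 (tomcat-users.xml): $stored"
        echo "Authorization: Digest username=\"$user\", realm=\"$realm\", nonce=\"$nonce\", uri=\"/manager/html\", qop=auth, nc=$nc, cnonce=\"$cnonce\", response=\"$resp\""
        echo "verified OK"
    else
        echo "verification failed" >&2; return 1
    fi
    # An HA1 made with a different realm string (for example the server.xml name when
    # web.xml says something else) never matches: the browser keeps getting re-prompted.
    wrong=$(ha1_for "$user" "WrongRealm" "$pass")
    verify_digest "$wrong" GET /manager/html "$nonce" "$nc" "$cnonce" "$resp" && return 1
    echo "HA1 hashed with the wrong realm name: rejected"
}

demo
```

Compare the `stored` line the script prints with the output of `digest.sh -a md5 -s 0 -i 1 tomcat:UserDatabase:s3cret`; they should be identical, and that is the only form the Digest check above can verify against.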