DIGEST authentication for Tomcat 6.0.26

For my own growth, I am attempting a very simple exercise: To implement digest authentication for tomcat's manager app, the better to apply the lessons to production code.

So I have modified the server set up as follows:


<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="md5" />

I then modify manager's web.xml as follows:

<!-- Define the Login Configuration for this Application -->
<!-- <realm-name>Tomcat Manager Application</realm-name> -->

Next, I generate an MD5 password of the following form:

C:\apache-tomcat-6.0.26\bin>digest -a MD5 pendell:TESTING:password

and plug it into tomcat-users.xml as follows:

<role rolename="manager"/>
<user username="pendell" password="3e62d753e47e1278a74c0d7565dbb254" roles="manager"/>

This doesn't work. I get an error 401 -- invalid access -- when I attempt to log onto the page.

I must be doing something wrong, but internet research has failed to turn up the answer.

Again, I am using apache 6.0.26. Is this a known issue? Does the problem go away in version 7?


Brian P.

If you wish to use the Manager Application to deploy and undeploy applications in a running Tomcat installation, you MUST add the "manager-gui" role to at least one username in your selected Realm implementation.

Did you do that?
pendell2 (Author) commented:
I don't think that particular line applies to my version of tomcat. While I did not do so, I did assign someone to the "manager" role as specified in the documentation of my specific version of Tomcat. I was able to use the tomcat manager web application with that name and role using basic authentication before I attempted to upgrade it to digest authentication.  


Brian P.
OK. Come to think of it, that could just be Tomcat 7

I can't help you at the moment, but as it happens I was planning to look into these issues around now, so I might be in a better position in a few days.

However, I'm fairly certain that I'll be studying JDBC realms as they are of professional grade.
pendell2 (Author) commented:
Well, I was able to solve the problem with some help from JavaRanch and from the 'live HTTP Headers' Firefox add-on.

It turns out my implementation was correct -- the error is specific to the tomcat manager application.

The manager application implements a 401.jsp file which is called whenever an authentication error occurs.   And that 401.jsp included this interesting code snippet:

  response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");

In other words, manager forced me into BASIC authentication whenever a 401 was returned, and of course returning 401 is part of the authentication process in the first place!

Deleting that snippet resulted in digest authentication being used, and I was able to log into the manager using the digest authentication I had specified in web.xml, server.xml, and tomcat-users.xml.


Brian P.
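
The following Python example is added here and is not code from the thread or from Tomcat. It computes the `user:realm:password` MD5 value that the `digest` command above produces, builds the RFC 2617 response from it, and checks whether a 401's `WWW-Authenticate` header offers the scheme configured in web.xml. The function names, the Digest header, the nonce values and the `/manager/html` path are assumptions made for the example; the Basic header is the one quoted from 401.jsp.

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def stored_credential(username, realm, password):
    # Same input string the page passes to `digest -a MD5`: user:realm:password
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def challenge_scheme(www_authenticate):
    # The first token of the header value names the scheme ("Basic", "Digest")
    parts = www_authenticate.strip().split(None, 1)
    return parts[0].lower() if parts else ""

def check_challenge(configured_method, www_authenticate):
    # Returns None when the 401 offers the configured scheme, else a finding
    offered = challenge_scheme(www_authenticate)
    if offered == configured_method.lower():
        return None
    return f"configured {configured_method}, but 401 offers '{offered}'"

# Header set by the manager's 401.jsp, as quoted in the thread
BASIC_401 = 'Basic realm="Tomcat Manager Application"'
# Constructed sample of a Digest challenge (nonce and opaque are made up)
DIGEST_401 = ('Digest realm="TESTING", qop="auth", '
              'nonce="constructed-nonce", opaque="constructed-opaque"')

if __name__ == "__main__":
    ha1 = stored_credential("pendell", "TESTING", "password")
    print("tomcat-users.xml password value:", ha1)
    # Assumed request: GET /manager/html with constructed nonce and cnonce
    print("response:", digest_response(ha1, "GET", "/manager/html",
                                       "constructed-nonce", "00000001",
                                       "constructed-cnonce"))
    for header in (BASIC_401, DIGEST_401):
        print(header.split()[0], "->", check_challenge("DIGEST", header) or "ok")
```
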
pendell2 (Author) commented:
I was able to solve the problem with help, but since I asked the question I felt I owed it to experts-exchange to post the answer.
Interesting - well done