
DIGEST authentication for Tomcat 6.0.26

For my own growth, I am attempting a very simple exercise: to implement digest authentication for Tomcat's manager app, the better to apply the lessons to production code.

So I have modified the server setup as follows:

server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="md5" />


I then modify manager's web.xml as follows:

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>TESTING</realm-name>
  <!-- <realm-name>Tomcat Manager Application</realm-name> -->
</login-config>

Next, I generate an MD5 password of the following form:

C:\apache-tomcat-6.0.26\bin>digest -a MD5 pendell:TESTING:password
pendell:TESTING:password:3e62d753e47e1278a74c0d7565dbb254

and plug it into tomcat-users.xml as follows:

<role rolename="manager"/>
<user username="pendell" password="3e62d753e47e1278a74c0d7565dbb254" roles="manager"/>

This doesn't work. I get an error 401 -- invalid access -- when I attempt to log onto the page.

I must be doing something wrong, but internet research has failed to turn up the answer.

Again, I am using apache 6.0.26. Is this a known issue? Does the problem go away in version 7?

Respectfully,

Brian P.
Asked by: pendell2

CEHJ Commented:
>>
If you wish to use the Manager Application to deploy and undeploy applications in a running Tomcat installation, you MUST add the "manager-gui" role to at least one username in your selected Realm implementation.
>>

Did you do that?
 
pendell2 (Author) Commented:
I don't think that particular line applies to my version of Tomcat. While I did not do so, I did assign someone to the "manager" role as specified in the documentation of my specific version of Tomcat. I was able to use the Tomcat manager web application with that name and role using basic authentication before I attempted to upgrade it to digest authentication.

Respectfully,

Brian P.
 
CEHJ Commented:
OK. Come to think of it, that could just be Tomcat 7.
 
CEHJ Commented:
I can't help you at the moment, but as it happens I was planning to look into these issues around now, so I might be in a better position in a few days.

However, I'm fairly certain that I'll be studying JDBC realms as they are of professional grade.
 
pendell2 (Author) Commented:
Well, I was able to solve the problem with some help from JavaRanch and from the 'live HTTP Headers' Firefox add-on.

It turns out my implementation was correct -- the error is specific to the Tomcat manager application.

The manager application implements a 401.jsp file which is called whenever an authentication error occurs. And that 401.jsp included this interesting code snippet:

<%
  response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
%>

In other words, manager forced me into BASIC authentication whenever a 401 was returned, and of course returning 401 is part of the authentication process in the first place!

Deleting that snippet resulted in digest authentication being used, and I was able to log into the manager using the digest authentication I had specified in web.xml, server.xml, and tomcat-users.xml.

Respectfully,

Brian P.
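
The mismatch described in the post above can be checked for mechanically. The following is an added example, not code from the thread or from Tomcat: it reads the auth-method and realm-name from a web.xml and flags any JSP that hard-codes a different WWW-Authenticate challenge. The function names and embedded samples are constructed for illustration, and stored_digest assumes the digest tool hashes the UTF-8 bytes of the user:realm:password string.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed samples that mirror the configuration quoted in this thread.
WEB_XML = """<web-app><login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>TESTING</realm-name>
  <!-- <realm-name>Tomcat Manager Application</realm-name> -->
</login-config></web-app>"""
JSP_401 = r'''<%
  response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
%>'''

# Matches a hard-coded challenge: setHeader("WWW-Authenticate", "<scheme> realm=\"<realm>\"")
CHALLENGE_RE = re.compile(
    r'setHeader\(\s*"WWW-Authenticate"\s*,\s*"(\w+)\s+realm=\\"([^"\\]*)\\"')


def login_config(web_xml):
    """Return (auth-method, realm-name) from a web.xml; XML comments are ignored."""
    found = {}
    for el in ET.fromstring(web_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate namespaced descriptors
        if tag in ("auth-method", "realm-name"):
            found[tag] = (el.text or "").strip()
    return found.get("auth-method", ""), found.get("realm-name", "")


def conflicting_challenges(web_xml, page_source):
    """List hard-coded challenges in a JSP that disagree with web.xml."""
    method, realm = login_config(web_xml)
    issues = []
    for scheme, page_realm in CHALLENGE_RE.findall(page_source):
        if scheme.upper() != method.upper():
            issues.append(f"page sends {scheme}, web.xml declares {method}")
        if page_realm != realm:
            issues.append(f"page realm {page_realm!r} differs from {realm!r}")
    return issues


def stored_digest(user, realm, password):
    """MD5 hex of user:realm:password, the string passed to `digest -a MD5`."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for issue in conflicting_challenges(WEB_XML, JSP_401):
        print("conflict:", issue)
```

Because the realm is part of the hashed string, a stored digest generated for one realm-name will not validate if the challenge advertises a different realm.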
 
pendell2 (Author) Commented:
I was able to solve the problem with help, but since I asked the question I felt I owed it to experts-exchange to post the answer.
 
CEHJ Commented:
Interesting - well done