
I am toying with tomcat security for servlets. In my server.xml I have

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA"/> 

and in my tomcat-users.xml

<user username="zenon" password="qazxsw" roles="proby"/>
<user username="andrzej" password="1c29cf0ceb89afce131e27b76c18af1e9cf7f5e3" roles="admin-gui,manager-gui,proby,role1"/>

web.xml of a very simple application

<security-constraint>
  <display-name>No Pasaran</display-name>
  <web-resource-collection>
    <web-resource-name>Tylko dla memberow</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>proby</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>UserDatabase</realm-name>
</login-config>

So when auth-method is BASIC I can log in with username andrzej and password qazxsw (this long password of andrzej is the SHA of qazxsw), so it seems that when I send the password it is already being digested before comparing. I think so because when I use DIGEST as auth-method I can't log in. Is it digesting the password twice before comparing it? If yes, is there any other way than HTTPS to secure such things on the container level?

  • Please post your second question as a separate one; they are not related. (Commented Feb 7, 2012 at 20:53)
  • Also a hint: tag your Java-related question with the Java tag; it will allow more people to view it. (Commented Feb 7, 2012 at 21:10)

1 Answer


First of all, HTTP DIGEST doesn't use SHA; it uses MD5, unfortunately. You will need to replace SHA with MD5 both in the Realm defined in your server.xml and in the command line you use to generate password digests.

Then, as the Tomcat documentation suggests, when your realm passwords are digested the ways to generate passwords for the BASIC and DIGEST auth mechanisms are different. So you can't possibly use the same password digest to test both the BASIC and DIGEST methods.

In the case of BASIC you generate the password digest with this:

CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} {cleartext-password} 

and in the case of DIGEST it is:

CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} {username}:{realm}:{cleartext-password} 
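Worked example of the two digest forms the answer describes. This is added code, not from the original post and not Tomcat's own implementation: the docstrings quote the digest.sh invocations from the answer, the response computation is the standard RFC 2617 one (qop=auth), and the realm string "UserDatabase" is the <realm-name> from the question's web.xml. The challenge values (nonce, nc, cnonce, request URI) are constructed sample data. It shows why a BASIC-style entry can never work under DIGEST: with DIGEST the server never receives the password, only a response derived from HA1 = MD5(username:realm:password), so it is not "digesting twice"; it can only compare against a stored HA1.

```python
import hashlib
import hmac

# Taken from the question: web.xml declares <realm-name>UserDatabase</realm-name>.
REALM = "UserDatabase"


def basic_digest(algorithm: str, cleartext: str) -> str:
    """Digest stored in tomcat-users.xml for BASIC (or FORM) auth:
    digest.sh -a {algorithm} {cleartext-password}  ->  hex(H(password))."""
    return hashlib.new(algorithm, cleartext.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, cleartext: str) -> str:
    """Digest stored in tomcat-users.xml for DIGEST auth:
    digest.sh -a MD5 {username}:{realm}:{cleartext-password}
    which is RFC 2617's HA1 = MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{cleartext}".encode("utf-8")).hexdigest()


def verify_basic(stored: str, algorithm: str, presented: str) -> bool:
    """Server side of BASIC: the cleartext password arrives in the request,
    so the server hashes it once and compares with the stored digest."""
    return hmac.compare_digest(stored, basic_digest(algorithm, presented))


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 (qop=auth): HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """Server side of DIGEST: the password never reaches the server, only the
    response. The server can only recompute the response from a stored HA1, so
    a stored value that is not MD5(user:realm:password) can never verify."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def simulate_digest_login(stored_value: str, username: str, password: str,
                          realm: str = REALM) -> bool:
    """One DIGEST exchange: the client derives HA1 from its cleartext password and
    answers a challenge; the server checks it against whatever tomcat-users.xml
    holds. The challenge values below are constructed sample data."""
    method, uri = "GET", "/app/"
    nonce, nc, cnonce = "3f9a2c1e", "00000001", "0a4f113b"
    client_ha1 = digest_ha1(username, realm, password)
    response = digest_response(client_ha1, method, uri, nonce, nc, cnonce)
    return verify_digest(stored_value, method, uri, nonce, nc, cnonce, response)


if __name__ == "__main__":
    pw = "qazxsw"

    # Entry form the question uses for andrzej: SHA of the password (Realm digest="SHA").
    basic_entry = basic_digest("sha1", pw)
    print("BASIC entry:", basic_entry, "login ok:", verify_basic(basic_entry, "sha1", pw))

    # Same entry under DIGEST: the client answers with MD5(user:realm:pw)-derived data,
    # the server holds sha1(pw); no further digesting of sha1(pw) can close that gap.
    print("DIGEST with SHA entry:", simulate_digest_login(basic_entry, "andrzej", pw))

    # Even md5(pw) in BASIC form fails, because HA1 also binds username and realm.
    print("DIGEST with md5(pw) entry:", simulate_digest_login(basic_digest("md5", pw), "andrzej", pw))

    # Entry in the DIGEST form from the answer, using the realm-name from web.xml.
    ha1_entry = digest_ha1("zenon", REALM, pw)
    print("DIGEST entry:", ha1_entry, "login ok:", simulate_digest_login(ha1_entry, "zenon", pw))

    # An HA1 generated with a realm string that differs from web.xml's <realm-name> also fails.
    print("DIGEST with wrong realm:", simulate_digest_login(digest_ha1("zenon", "Other", pw), "zenon", pw))
```

The realm string in the stored HA1 has to be byte-for-byte the <realm-name> from web.xml's login-config, and the Realm's digest attribute has to be MD5 when switching to DIGEST; a mismatch in either leaves a well-formed entry that silently never verifies.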

1 Comment

I generated a new digest for zenon:UserDatabase:qazxsw, put it in my tomcat-users.xml, and still I can't log in when I change auth-method to DIGEST.
