More info….
In the Request Header-> Authorization->Response. Response is used as the
clientDigest. However this response is generated, it is incorrect.
Need to understand where Tomcat generates this Response because it is used for
comparison of the serverDigest. And if the server digest equals the
clientDigest, then it works.
The way I understand it, the clientDigest comes from the client entering in the
username/pwd on the popup box.
From: Peter Otto <pete.o...@arthrex.com>
Date: Monday, November 13, 2023 at 11:05 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Chris,
Running the debugger, I found out the DigestAuthenticator wants to use SHA-256.
8 months ago there was a change for RFC 7616.
https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java
To bypass the array of digest,
I commented out some code so it was forced to use MD5 only.
But in the RealmBase, I really don't understand what getDigest is doing.
When I create a MD5 digest, I use Username:Realm:Password.
In the code it is using Nonce, nc, cnonce, qop...
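The computation asked about above is the RFC 2617/7616 Digest response. What digest.bat prints, and what tomcat-users.xml stores, is HA1 = H(username:realm:password). The browser never sends HA1 or the password; it sends H(HA1:nonce:nc:cnonce:qop:HA2), where the nonce comes from the server challenge and cnonce/nc from the client. The server recomputes the same value from its stored HA1 and compares, so it needs no plaintext password, but the stored HA1 must have been made with the same hash algorithm the challenge advertised: an MD5 HA1 cannot verify a SHA-256 response. The following Python is an added example to illustrate that, not Tomcat's own code. The user tomcat, realm UserDatabase and password nobueno are taken from the thread; the nonce, cnonce, nc and request URI are constructed values.

```python
import hashlib
import hmac
import secrets

# RFC 7616 algorithm token (as sent in WWW-Authenticate) -> hashlib name
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256"}


def _h(algorithm: str, data: str) -> str:
    """Hex digest of a colon-joined Digest string using the challenge's algorithm token."""
    return hashlib.new(ALGORITHMS[algorithm], data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str, algorithm: str = "MD5") -> str:
    """H(username:realm:password): the value the digest tool prints and the realm stores."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def ha2(method: str, uri: str, algorithm: str = "MD5") -> str:
    """H(method:uri) for qop=auth."""
    return _h(algorithm, f"{method}:{uri}")


def client_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth",
                    algorithm: str = "MD5") -> str:
    """What the browser places in Authorization: Digest ... response="..." after the login popup."""
    return _h(algorithm, f"{ha1(username, realm, password, algorithm)}:{nonce}:{nc}:"
                         f"{cnonce}:{qop}:{ha2(method, uri, algorithm)}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str,
                  qop: str, client_digest: str, algorithm: str = "MD5") -> bool:
    """Server side: rebuild the response from the stored HA1 only and compare in constant time."""
    expected = _h(algorithm, f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri, algorithm)}")
    return hmac.compare_digest(expected, client_digest)


# Equivalent of: digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno (no salt, one iteration)
STORED_HA1 = ha1("tomcat", "UserDatabase", "nobueno", "MD5")


def simulate_login(typed_password: str, challenge_algorithm: str = "MD5",
                   stored_ha1: str = STORED_HA1) -> bool:
    """One challenge/response round trip against the stored MD5 HA1.

    challenge_algorithm is what the server advertised; the browser hashes with it.
    The server can only verify if stored_ha1 was produced with the same algorithm.
    """
    nonce = secrets.token_hex(16)        # constructed server nonce
    cnonce = secrets.token_hex(8)        # constructed client nonce
    nc = "00000001"
    method, uri = "GET", "/manager/html"  # constructed request

    response = client_response("tomcat", "UserDatabase", typed_password, method, uri,
                               nonce, nc, cnonce, "auth", challenge_algorithm)
    return server_verify(stored_ha1, method, uri, nonce, nc, cnonce, "auth",
                         response, challenge_algorithm)


if __name__ == "__main__":
    print("MD5 challenge, right password:     ", simulate_login("nobueno", "MD5"))      # True
    print("MD5 challenge, wrong password:     ", simulate_login("wrong", "MD5"))        # False
    print("SHA-256 challenge, MD5 stored HA1: ", simulate_login("nobueno", "SHA-256"))  # False
```

The third case is the one to check for when a Digest realm suddenly rejects correct passwords after an upgrade: if the challenge advertises an algorithm other than the one the stored digests were generated with, every login fails even though nothing about the credentials changed.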
From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, November 10, 2023 at 1:44 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Peter,
On 11/10/23 16:30, Peter Otto wrote:
With 9.0.82, and the latest version 10, I get the same problem.
So I assume it stopped working since 9.0.74 all the way up to 9.0.82
Removing the Realm LockOutRealm did not work either.
Thanks for double-checking both of those.
I don't see anything in the changelog that seems like it would be
related. Things I suspect are related were in an earlier release.
Are you able to run under a debugger, and are you comfortable doing
that? It's pretty easy to set a breakpoint in the Realm and/or
CredentialHandler to see what's being done when you try to authenticate.
-chris
From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, November 10, 2023 at 12:35 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Peter,
On 11/10/23 13:27, Peter Otto wrote:
Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
Steps to reproduce.
Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1
tomcat:UserDatabase:nobueno
tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
Step 2. Use the digest # and place it in tomcat-users.xml
<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0"
roles="manager-gui,manager-script"/>
Step 3. Edit server.xml and add the CredentialHandler to use MD5
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="MD5" />
</Realm>
</Realm>
Step 4. Edit the web.xml in manager to say
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
Step 5 start tomcat and try to access the manager.
On Windows 2019 server/Chrome/OpenJDK11 type tomcat for the user
and nobueno for the password.
This would work on versions 9.0.73 and earlier
This stopped working from 9.0.74 and onwards.
The way to access the manager from 9.0.74+ is to use
bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
In other words the text in tomcat-users.xml is the password.
Anyone have any ideas how to fix this? I have to use 9.0.74+ version of tomcat
because of CVEs.
If you temporarily remove the LockOutRealm, does the correct password work?
If you upgrade to 9.0.82, does the correct password work?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
This e-mail and any files transmitted with it are the property of Arthrex, Inc.
and/or its affiliates, are confidential, and are intended solely for the use of
the individual or entity to whom this e-mail is addressed. If you are not one
of the named recipient(s) or otherwise have reason to believe that you have
received this message in error, please notify the sender at 239-643-5553 and
delete this message immediately from your computer. Any other use, retention,
dissemination forwarding, printing or copying of this e-mail is strictly
prohibited. Please note that any views or opinions presented in this email are
solely those of the author and do not necessarily represent those of the
company. Finally, while Arthrex uses virus protection, the recipient should
check this email and any attachments for the presence of viruses. The company
accepts no liability for any damage caused by any virus transmitted by this
email.