Michael,

On 9/30/24 11:41, Michael Osipov wrote:
Chris,

On 2024/09/30 14:33:53 Christopher Schultz wrote:
Michael,

On 9/28/24 13:34, Michael Osipov wrote:
On 2024/09/27 15:14:15 Christopher Schultz wrote:
Sebastian,

On 9/27/24 11:04, Sebastian Trost wrote:
Francesco,

On 26.09.2024 16:12, Francesco Viscomi wrote:
Hi all,
I'm not able to understand why I cannot access
    http://localhost:8080/manager/html

I've configured the user in tomcat-users.xml:

<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui"/>

I'm using Tomcat 9 and JDK 17.

I've also noted that on my personal PC, when I try to access manager/html, a
pop-up asks me to log in (on my personal PC it works right).

But when I try to use it on the company PC it gives me 401
Unauthorized.
I do not know what I have to modify in Chrome to get access to the manager
app.
I also use Zscaler on the company PC, but I do not know what I would have to
change in it (if necessary) in order to access the manager app.
Your corporate browser probably has basic authentication disabled. Check
this site: https://jigsaw.w3.org/HTTP/Basic
If there is no basic authentication popup where you can enter a username and
password, then this is probably the case.

See: https://answers.microsoft.com/en-us/microsoftedge/forum/all/latest-version-of-edge-no-longer-shows-basic/3601252b-e56b-46c0-a088-0f6084eabe47

I've really had it with Microsoft deciding that HTTP Basic
authentication is just not okay. They seem to have forgotten that TLS
makes it secure.

The reasoning is never to share a long term secret: your password.

HTTP Digest also requires pre-shared passwords.

There is a subtle difference: the password is never transferred over the wire
and does not appear on the target server.

While that may be true, it is irrelevant. The MD5(username:realm:password) must be known to the server. That is as good as the password in terms of security.

The realm name can never be changed without changing all passwords. The algorithm used can never be changed without changing all passwords.

The overwhelming majority of web-based applications use pre-shared passwords with FORM-based authentication over TLS. There is zero reduction in security when compared to HTTP Digest. In both cases, hashes can be stored on the server-side which is of course a best-practice.

HTTP Digest is a nightmare, but they are forcing users onto it.

The key is to use SPNEGO in enterprise environments.

What about non-enterprise environments?

IMHO, this is irrelevant for Microsoft. In enterprise you do have at least
SPNEGO or even PKI. For non-enterprise I see only Basic as a viable option.

Except that Microsoft is killing it.

At $work, we use WebDAV over TLS with an OpenLDAP back-end for authentication. It works great for all employees except those who use Windows. It seems like every installation of Windows needs a different hack to get HTTP Basic working when connecting to WebDAV.

There is no "Enterprise" here. There are no Domain Controllers here. There is no expensive third-party authentication-as-a-service company here. There is only a standards-compliant service which is not reliably accessible to users on Microsoft Windows.

And it annoys the hell out of me.

-chris
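As an added illustration of the Basic versus Digest points argued above (example code written for this page, not from the thread, from Tomcat, or from any browser vendor), the following Python computes the RFC 2617 values by hand. It shows that a Digest server verifies a response from the stored MD5(username:realm:password) alone, so that stored value is password-equivalent and is invalidated by a realm rename, while a Basic or FORM login over TLS lets the server store a salted, slow hash instead. The username and password are the ones from the original question; the realm string, nonces, request URI and PBKDF2 parameters are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values; only the username/password come from the thread.
USERNAME = "admin"
PASSWORD = "admin"
REALM = "example-realm"            # constructed realm name
URI = "/manager/html"
PBKDF2_ROUNDS = 600_000            # constructed work factor for the contrast below


def basic_header(username: str, password: str) -> str:
    """Authorization header value that HTTP Basic sends on every request.
    It is only base64, so the TLS channel is what keeps it confidential."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).
    This is the per-user value a Digest server must keep; note the realm is baked in."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str) -> str:
    """RFC 2617 response for qop=auth. Everything needed is HA1 plus public
    challenge data; the raw password is never used past HA1."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()


def digest_server_verify(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                         method: str, uri: str, client_response: str) -> bool:
    """Server-side check. Because HA1 alone suffices to recompute any valid
    response, a leaked HA1 is as sensitive as the password itself."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, client_response)


def realm_change_breaks_stored_ha1(old_realm: str, new_realm: str) -> bool:
    """True if an HA1 stored under old_realm fails to verify a client that was
    challenged with new_realm, even though the password is unchanged."""
    stored = digest_ha1(USERNAME, old_realm, PASSWORD)
    nonce, cnonce, nc = "n-1", "c-1", "00000001"   # constructed challenge data
    client = digest_response(digest_ha1(USERNAME, new_realm, PASSWORD),
                             nonce, nc, cnonce, "GET", URI)
    return not digest_server_verify(stored, nonce, nc, cnonce, "GET", URI, client)


# Contrast: with Basic or FORM over TLS the server receives the password on
# login and can store a salted, slow hash that is not password-equivalent
# and not tied to any realm string.
def pbkdf2_record(password: str, salt: bytes = None):
    """Return (salt, digest) to store for a Basic/FORM-authenticated user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("Basic header:", basic_header(USERNAME, PASSWORD))
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    resp = digest_response(ha1, "n-1", "00000001", "c-1", "GET", URI)
    print("Digest verified from HA1 only:",
          digest_server_verify(ha1, "n-1", "00000001", "c-1", "GET", URI, resp))
    print("Realm rename invalidates stored HA1:",
          realm_change_breaks_stored_ha1(REALM, "renamed-realm"))
    salt, digest = pbkdf2_record(PASSWORD)
    print("PBKDF2 record verifies:", pbkdf2_verify(PASSWORD, salt, digest))
```

The point of the two halves is the one made in the thread: `digest_server_verify` never touches the password, but only because it holds something just as good, and that something is keyed to the realm and to MD5. The `pbkdf2_*` pair is what a FORM or Basic deployment over TLS can store instead, with a per-user salt and a tunable cost.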


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
