HTTP-Digest Authentication doesn't work #383

Open
padcom opened this issue Sep 8, 2014 · 1 comment


padcom commented Sep 8, 2014

From [email protected] on November 26, 2013 13:30:01

What steps will reproduce the problem?
1. Set up and verify a working HTTP-Digest-Authentication setup, including a manager user with a hashed password in tomcat-users.xml to verify Digest-Authentication is working first (steps detailed on Tomcat site)
2. Configure the psi-probe Realm to use digest="MD5" like the newly configured Tomcat Manager does
3. Set DIGEST authentication in probe/WEB-INF/web.xml to force it to send Digest headers when authenticating with the user, as you would with the Tomcat Manager application.

What is the expected result?
Authentication works in the same way as the similarly configured Tomcat Manager application.

What happens instead?
Authentication fails.

What version of Probe are you using?
2.3.3

What environment (browser version, Tomcat version, JVM version, server OS)?
Chrome 32, Tomcat 7.0.47, JDK 7u45, Ubuntu

Please provide any additional information below. (Attach logs or stack traces as files instead of pasting the contents here.)
The following HTTP response shows the server is requesting the HTTP-Digest-Authentication correctly (numbers changed to protect the innocent):

HTTP/1.1 401 Unauthorized
Cache-Control: private
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Digest realm="PSI Probe", qop="auth", nonce="1111111111111:abababababababababababababababab", opaque="23598295820985092859025895152251"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 951
Date: Tue, 26 Nov 2013 12:23:16 GMT
Server: Server

However, even though the client sends back the correct user/password combination, they cannot authenticate.

The same user works on Tomcat Manager with Digest Auth enabled.

I was able to make it work by:

  • changing back from DIGEST to BASIC in web.xml
  • changing the Realm tag to remove the digest="MD5" setting
  • changing the password of the user in tomcat-users.xml to be in plaintext

It would be great if this was fixed so that psi-probe could be used as a replacement for Tomcat Manager in more secure environments.

Keep up the great work!
Best Regards,
Neale Rudd
Metawerx Pty Ltd

Original issue: http://code.google.com/p/psi-probe/issues/detail?id=383
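
An added illustration, not part of the issue thread or psi-probe's code: how an RFC 2617 server checks the response to a challenge like the one quoted above against a stored hash, and which stored forms verify (the hash covers username, realm and password, so the realm in the challenge matters). The username, password, URI, nc, cnonce and the second realm name are constructed values; whether a given server stores credentials in this form is an assumption to check against its documentation.

```python
import hashlib
import hmac
import re

# Challenge header value as shown in the issue (values already altered by the reporter).
CHALLENGE = ('Digest realm="PSI Probe", qop="auth", '
             'nonce="1111111111111:abababababababababababababababab", '
             'opaque="23598295820985092859025895152251"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(value):
    """Split a Digest WWW-Authenticate value into its quoted parameters."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def ha1(username, realm, password):
    """RFC 2617 A1 hash; the realm is part of the hashed string."""
    return md5_hex(f"{username}:{realm}:{password}")

def response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_hex, client_resp, method, uri, nonce, nc, cnonce):
    """Server-side check: recompute from the stored credential and compare."""
    expected = response(stored_hex, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_resp)

def demo():
    ch = parse_challenge(CHALLENGE)
    # Constructed sample values, not from the issue.
    user, pw, uri, nc, cnonce = "admin", "example-pw", "/probe/", "00000001", "0a4f113b"
    client = response(ha1(user, ch["realm"], pw), "GET", uri, ch["nonce"], nc, cnonce)
    stored = {
        "user:realm:password, realm from challenge": ha1(user, ch["realm"], pw),
        "user:realm:password, other realm (constructed)": ha1(user, "Other Realm", pw),
        "MD5 of the password alone": md5_hex(pw),
    }
    return {label: server_accepts(h, client, "GET", uri, ch["nonce"], nc, cnonce)
            for label, h in stored.items()}

if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}  stored = {label}")
```

Only the first stored form verifies; a hash computed for a different realm name, or over the password alone, produces a different expected response and the request is rejected even though the client typed the right password.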


padcom commented Sep 8, 2014

From [email protected] on December 12, 2013 08:53:03

Hopefully this is possible using Spring Security.

Summary: HTTP-Digest Authentication doesn't work (was: HTTP-Digest-Authentication broken in psi-probe, but working in Tomcat Manager)
Status: Accepted
