Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/01/30 10:50:01 UTC

DO NOT REPLY [Bug 52557] New: DIGEST AUTH is broken

https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

             Bug #: 52557
           Summary: DIGEST AUTH is broken
           Product: Tomcat 6
           Version: 6.0.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: savar@schuldeigen.de
    Classification: Unclassified


Hi,

We have had some weird issues since we tried to switch from Tomcat 6.0.32 to 6.0.35.
We are using DIGEST authentication, and we saw a big rewrite in 6.0.33; the rewrite
was necessary (as the changelog says) because DIGEST did not really work before.

When we try to enable 6.0.35, some clients have no problem at all and some clients
have periodic issues (20 to 80% of requests fail, depending on the client or the
location, i.e. accessed locally or via the network). "curl" is one of them, and so
maybe most of the clients using libcurl or whatever.

The faster the requests are sent (while loop), the more errors occur, so maybe it is
a timing issue (the timestamp in the nonce, maybe?).


System in use:

  production systems:
    Server side:
     - JAVA:
        java -version
        java version "1.6.0_24"
        Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
        Java HotSpot(TM) Server VM (build 19.1-b02, mixed mode)
     - Kernel:
        2.6.35 (self compiled)

    Client side (for curl tests):
     - same as on the server (the test also worked on the server side using localhost)

  local system for testing with vanilla stuff:
     - JAVA:
        java -version
        java version "1.6.0_26"
        Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
        Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
     - Kernel:
        3.1.0-1-amd64 (Debian Testing)



What we see:

  curl against a DIGEST-secured page gives the normal 401 response with
  WWW-Authenticate in it, and the second request gives a 200 OK. But the
  directly following request fails with a 401 on the second response as well.

How to reproduce:

  Download the Tomcat 6.0.35 package from
  http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.35/src/apache-tomcat-6.0.35-src.tar.gz
  and extract it somewhere.
  Use the patches below to enable DIGEST for the http://localhost:8080/manager/html site
  and execute multiple times (in a while loop, maybe with a sleep of 0.2):

  curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null

  When I test it with:

  while :; do echo "ccccc"; curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null | egrep "(HTTP|Auth)" | grep 200; sleep 1; done

  there are no errors, but with

  while :; do echo "ccccc"; curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null | egrep "(HTTP|Auth)" | grep 200; sleep 0.5; done

  there are sometimes errors, and with a sleep of 0.1 there are many, many errors.

################################ PATCHES ##################################

=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u conf/server.xml output/build/conf/server.xml
--- conf/server.xml     2011-11-28 11:22:44.000000000 +0100
+++ output/build/conf/server.xml        2012-01-26 14:05:25.000000000 +0100
@@ -120,7 +120,8 @@
            that are performed against this UserDatabase are immediately
            available for use by the Realm.  -->
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
+             resourceName="UserDatabase"
+             digest="MD5" />

       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.
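Review bot: `digest="MD5"` on the UserDatabaseRealm changes what tomcat-users.xml has to contain, and that is not documented next to the attribute. With DIGEST auth the stored value must be MD5 of `user:realm:password`, where `realm` is the `<realm-name>` from the web application's login-config, not a plaintext password and not a plain MD5 of the password; the credential added further down was generated with `./bin/digest.sh -a MD5 "test:Tomcat Manager Application TEST:test"` for exactly that reason. A one-line comment here saying that every stored password is tied to the realm-name, and has to be regenerated whenever that name changes, would save the next person a confusing 401.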
=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u conf/tomcat-users.xml output/build/conf/tomcat-users.xml
--- conf/tomcat-users.xml       2011-11-28 11:22:44.000000000 +0100
+++ output/build/conf/tomcat-users.xml  2012-01-26 14:06:12.000000000 +0100
@@ -26,6 +26,8 @@
   and thus are ignored when reading this file. Do not forget to remove
   <!.. ..> that surrounds them.
 -->
+  <role rolename="manager"/>
+  <user username="test" password="8d6db5856fdcd4d166914bfda9ffda86"
roles="manager"/>
 <!--
   <role rolename="tomcat"/>
   <role rolename="role1"/>
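Review bot: the `password` attribute of the added `<user>` is MD5 of `test:Tomcat Manager Application TEST:test` (the digest.sh output quoted below), which is the RFC 2617 HA1 for this user. Under DIGEST auth that hash is a password equivalent: whoever can read tomcat-users.xml can answer a Digest challenge without ever knowing `test`, so this file needs the same file permissions and handling as a plaintext password file, and the hash must not be mistaken for a safely "hashed" secret. The user also gets the `manager` role, i.e. the whole manager application, with `test:test` as credentials; fine for the reproduction, but these three patches should stay out of the production systems listed in the report.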
=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u webapps/manager/WEB-INF/web.xml output/build/webapps/manager/WEB-INF/web.xml
--- webapps/manager/WEB-INF/web.xml     2011-11-28 11:22:46.000000000 +0100
+++ output/build/webapps/manager/WEB-INF/web.xml        2012-01-26 14:06:01.000000000 +0100
@@ -248,8 +248,8 @@

   <!-- Define the Login Configuration for this Application -->
   <login-config>
-    <auth-method>BASIC</auth-method>
-    <realm-name>Tomcat Manager Application</realm-name>
+    <auth-method>DIGEST</auth-method>
+    <realm-name>Tomcat Manager Application TEST</realm-name>
   </login-config>

   <!-- Security roles referenced by this web application -->
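Review bot: changing `<realm-name>` together with `<auth-method>` is the part of this patch most likely to bite later, and it deserves a comment. The realm-name is part of the digested credential (MD5 of `user:realm:password`), so the `test` user in tomcat-users.xml is only valid while the middle field passed to digest.sh is byte-for-byte `Tomcat Manager Application TEST`; if the two ever drift, every login fails with a 401 that looks exactly like the replay failures reported here. Note also that with BASIC the realm-name was purely cosmetic, whereas with DIGEST it becomes key material, which is why it cannot be tidied up afterwards without regenerating all stored passwords.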
@@ -284,6 +284,7 @@
     <role-name>manager</role-name>
   </security-role>

+<!--
   <error-page>
     <error-code>401</error-code>
     <location>/401.jsp</location>
@@ -292,5 +293,5 @@
     <error-code>403</error-code>
     <location>/403.jsp</location>
   </error-page>
-
+-->
 </web-app>
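Review bot: the `<!--` opened in the previous hunk and the `-->` added here comment out both the 401 and the 403 `<error-page>` entries, so the 401 responses in the captures below carry Tomcat's default text/html error body (the 954-byte response) instead of /401.jsp; that is useful for the reproduction because it takes the JSP out of the picture. Two things to keep in mind: XML comments do not nest, so the commented span must not already contain a `<!-- -->` pair (the lines between the two hunks are not shown in the diff), and the default error page should not replace the custom pages on the production systems, so this hunk should not travel with the other two.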
=============================================

################################ HOW THE PASSWORD STUFF WAS GENERATED ##################################

$ ./bin/digest.sh -a MD5 "test:Tomcat Manager Application TEST:test"
test:Tomcat Manager Application TEST:test:8d6db5856fdcd4d166914bfda9ffda86


################################ EXAMPLE OUTPUT ##################################

############# First run ###########
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...   % Total    % Received % Xferd  Average Speed   Time    Time
    Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0connected
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* additional stuff not fine transfer.c:1036: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth", nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:10:59 GMT
<
* Ignoring the response-body
{ [data not shown]
100   954  100   954    0     0   310k      0 --:--:-- --:--:-- --:--:--  465k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:8080/manager/html'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> Authorization: Digest username="test", realm="Tomcat Manager Application TEST", nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c", uri="/manager/html", cnonce="Mjc3NDU2", nc=00000001, qop="auth", response="eb67cc859946b8c5ad37222be0cd8ab4", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* additional stuff not fine transfer.c:1036: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< Set-Cookie: JSESSIONID=F04781AE79D6D5F4B8F4C989E1B53F74; Path=/manager; HttpOnly
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Date: Thu, 26 Jan 2012 13:10:59 GMT
<
{ [data not shown]
1661   954  1661 15851    0     0  1802k      0 --:--:-- --:--:-- --:--:--
1802k
* Connection #0 to host localhost left intact
* Closing connection #0





############# Second run directly after the first one ##########
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...   % Total    % Received % Xferd  Average Speed   Time    Time
    Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0connected
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth", nonce="1327583498775:abca97e062fa1078996f30ecd5702b4b", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:11:38 GMT
<
* Ignoring the response-body
{ [data not shown]
100   954  100   954    0     0   416k      0 --:--:-- --:--:-- --:--:--  931k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:8080/manager/html'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> Authorization: Digest username="test", realm="Tomcat Manager Application TEST", nonce="1327583498775:abca97e062fa1078996f30ecd5702b4b", uri="/manager/html", cnonce="Mjc3NDk1", nc=00000001, qop="auth", response="62e4ddfadda157b2f4460431ebaa4e20", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth", nonce="1327583498776:6eccf77a482bee58433632f82e8ba695", opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:11:38 GMT
<
{ [data not shown]
100   954  100   954    0     0   267k      0 --:--:-- --:--:-- --:--:--  267k
* Connection #0 to host localhost left intact
* Closing connection #0

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

--- Comment #1 from savar@schuldeigen.de 2012-01-30 09:55:24 UTC ---
Created attachment 28224
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=28224
patch for tomcat-users

This is one of the three patches for testing the issue.



DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

--- Comment #3 from savar@schuldeigen.de 2012-01-30 09:56:12 UTC ---
Created attachment 28226
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=28226
patch for web.xml

This is one of the three patches for testing the issue.



DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

--- Comment #2 from savar@schuldeigen.de 2012-01-30 09:55:46 UTC ---
Created attachment 28225
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=28225
patch for server.xml

This is one of the three patches for testing the issue.



DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

savar@schuldeigen.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |savar@schuldeigen.de



DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

--- Comment #6 from savar@schuldeigen.de 2012-01-30 16:09:46 UTC ---
Many thanks for the explanation. OK, it is not a curl bug either, because in a
while loop curl never knows anything about the previous request; but when I do
something like this:

curl -v --digest -u test:test localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html localhost:8080/manager/html \
  localhost:8080/manager/html 2>&1 > /dev/null

then it works with a growing nc= value, so I know where to search next!



DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #5 from Mark Thomas <ma...@apache.org> 2012-01-30 10:29:17 UTC ---
curl is re-using cnonce values without incrementing the nonce-count as required
by RFC2617. You can see this with the following access log configuration:

<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b %{authorization}i" />

Since this appears to be a replay attack, Tomcat correctly rejects the requests.

It looks like curl changes the cnonce every second but never changes the nonce
count which is why you only see failures when the delay is less than one second
and also why the percentage of failures increases as the loop gets tighter.

There is a bug here but it is in curl, not Tomcat.

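
The following Python script is an added example and is not code from the bug report, from curl or from Tomcat. It takes the stored HA1 and the Authorization header captured in the first run of the report, recomputes the RFC 2617 response so the capture can be re-checked against the realm configuration from the patches, and then models the check Mark describes: a server that hands out a fresh nonce for every 401 but refuses a cnonce that comes back without a higher nc. The reporter's while loop at different sleep values and the multi-URL run from comment #6 are replayed against that model. The per-second cnonce is inferred from the two captures (the cnonces are base64 of 277456 and 277495, 39 apart, the same gap as the two Date headers); the DigestServer class, its nonce format with the placeholder 'server-secret', and the helper names reporter_while_loop and one_curl_many_urls are assumptions for this example, not Tomcat's implementation.

```python
"""Added example for bug 52557 (not code from the report, curl or Tomcat):
re-check the captured DIGEST exchange against the page's stored HA1 and
model the nonce-count replay check described in comment #5.  Header and
hash constants are copied from the page; the server model is an assumption."""
import base64
import hashlib
import re

REALM = "Tomcat Manager Application TEST"
URI = "/manager/html"
# Output of bin/digest.sh -a MD5 "test:Tomcat Manager Application TEST:test":
# MD5(user:realm:password), i.e. RFC 2617 HA1, and therefore a password equivalent.
HA1_FROM_PAGE = "8d6db5856fdcd4d166914bfda9ffda86"
# Authorization header curl sent in the first (successful) run on the page.
AUTHZ_RUN1 = (
    'Digest username="test", realm="Tomcat Manager Application TEST", '
    'nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c", uri="/manager/html", '
    'cnonce="Mjc3NDU2", nc=00000001, qop="auth", '
    'response="eb67cc859946b8c5ad37222be0cd8ab4", '
    'opaque="1E5BE98D669D910CFC2C975F9B1EDB30"'
)


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_header(value):
    """Split 'Digest k="v", k=v, ...' into a dict (quoted or bare values)."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value.split(" ", 1)[1]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_page_capture(authz=AUTHZ_RUN1, ha1=HA1_FROM_PAGE):
    """Recompute curl's response from the stored HA1; True if the capture matches."""
    p = parse_digest_header(authz)
    expected = digest_response(ha1, "GET", p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return expected == p["response"]


def curl_like_cnonce(seconds):
    """The two cnonces on the page decode to b"277456" and b"277495", 39 apart,
    exactly the gap between the two Date headers: curl built the cnonce from a
    per-second counter.  Mimic that to reproduce the failure pattern."""
    return base64.b64encode(str(seconds).encode()).decode()


class DigestServer:
    """Assumed model of the check in comment #5: a cnonce may only be reused
    with a strictly increasing nc.  Tomcat's real bookkeeping is not on the page."""

    def __init__(self, ha1):
        self.ha1, self.issued, self.last_nc = ha1, set(), {}

    def new_nonce(self, when_ms):
        # Same shape as on the page (millis:hash); 'server-secret' is a placeholder.
        nonce = f"{when_ms}:{md5hex(str(when_ms) + 'server-secret')}"
        self.issued.add(nonce)
        return nonce

    def check(self, nonce, cnonce, nc_hex, response):
        if nonce not in self.issued:          # never issued: stale or forged nonce
            return False
        if response != digest_response(self.ha1, "GET", URI, nonce, nc_hex, cnonce):
            return False                      # wrong password or tampered request
        nc = int(nc_hex, 16)
        if nc <= self.last_nc.get(cnonce, 0):
            return False                      # same cnonce, nc not increased: replay
        self.last_nc[cnonce] = nc
        return True


def reporter_while_loop(server, times):
    """One new curl process per timestamp (the while loop): a fresh 401/nonce
    each time, but the cnonce only changes once a second and nc stays 00000001."""
    results = []
    for t in times:
        nonce = server.new_nonce(1327583459726 + int(t * 1000))
        cnonce = curl_like_cnonce(277456 + int(t))
        resp = digest_response(server.ha1, "GET", URI, nonce, "00000001", cnonce)
        results.append(server.check(nonce, cnonce, "00000001", resp))
    return results


def one_curl_many_urls(server, n):
    """Comment #6: one curl process with n URLs: same nonce and cnonce, growing nc."""
    nonce, cnonce, results = server.new_nonce(1327583459726), curl_like_cnonce(277456), []
    for nc in range(1, n + 1):
        resp = digest_response(server.ha1, "GET", URI, nonce, f"{nc:08x}", cnonce)
        results.append(server.check(nonce, cnonce, f"{nc:08x}", resp))
    return results


if __name__ == "__main__":
    print("captured response verifies against stored HA1:", verify_page_capture())
    print("sleep 1  :", reporter_while_loop(DigestServer(HA1_FROM_PAGE), [0, 1, 2, 3]))
    print("sleep 0.5:", reporter_while_loop(DigestServer(HA1_FROM_PAGE), [0, 0.5, 1, 1.5]))
    print("one curl, 5 URLs:", one_curl_many_urls(DigestServer(HA1_FROM_PAGE), 5))
```

Run directly to print the outcomes. With a one-second gap every iteration gets a new cnonce and is accepted; at half a second every second iteration reuses the previous cnonce with nc=00000001 and is rejected, which is the pattern the reporter measured; one process that increments nc is accepted throughout. verify_page_capture() reports whether the captured response reproduces from the stored HA1, which it should as long as the `<realm-name>` in web.xml and the middle field given to digest.sh are identical.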


DO NOT REPLY [Bug 52557] DIGEST AUTH is broken

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

--- Comment #4 from savar@schuldeigen.de 2012-01-30 09:56:48 UTC ---
Added the patches for testing as attachments to prevent line wrapping.
