Posted to users@tomcat.apache.org by Peter Otto <Pe...@Arthrex.com> on 2023/11/10 18:27:39 UTC

CredentialHandler not working for MD5

Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
Steps to reproduce.

Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno

tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0


Step 2. Use the digest # and place it in tomcat-users.xml
<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>


Step 3. Edit server.xml and add the CredentialHandler to use MD5

<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
</Realm>
</Realm>



Step 4. Edit the web.xml in manager to say
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name>
</login-config>

Step 5 start tomcat and try to access the manager.
On Windows 2019 server/Chrome/OpenJDK11 type tomcat for the user
and nobueno for the password.

This would work on versions 9.0.73 and earlier

This stopped working from 9.0.74 and onwards.
The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
In other words, the text in tomcat-users.xml is the password.

Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.

Thank you all
This e-mail and any files transmitted with it are the property of Arthrex, Inc. and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at 239-643-5553 and delete this message immediately from your computer. Any other use, retention, dissemination forwarding, printing or copying of this e-mail is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, while Arthrex uses virus protection, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

Re: CredentialHandler not working for MD5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/18/23 07:52, Mark Thomas wrote:
> On 17/11/2023 19:36, Christopher Schultz wrote:
> 
>> Is there any reason why SHA-256 is the default? MD5 is the historical 
>> default / only implementation for HTTP DIGEST.
> 
> RFC 7616 (2015)
> 
> Chrome will choose SHA-256 if presented with a choice of SHA-256 and MD5.

Yeah, but doesn't it advertise that in the HTTP request headers?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: CredentialHandler not working for MD5

Posted by Mark Thomas <ma...@apache.org>.
On 17/11/2023 19:36, Christopher Schultz wrote:

> Is there any reason why SHA-256 is the default? MD5 is the historical 
> default / only implementation for HTTP DIGEST.

RFC 7616 (2015)

Chrome will choose SHA-256 if presented with a choice of SHA-256 and MD5.

Mark



Re: CredentialHandler not working for MD5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/17/23 03:55, Mark Thomas wrote:
> On 16/11/2023 18:06, Peter Otto wrote:
>>    1.  Configure BASIC auth with clear-text passwords in the Realm and 
>> get
>> that working.
>>    2.  Switch to DIGEST auth with clear-text passwords in the Realm 
>> and get
>> that working.
>>    3.  Then configure DIGEST auth and digested passwords in the Realm.
>> Hi Chris,
>>
>> Step 1 & 2 work
>> Step 3 will not work with the clear text password, only the digested 
>> password, which means the text password in tomcat-users.xml.   In past 
>> versions of Tomcat, the clear text password would work.
> 
> Testing with the manager application.
> 
> Step 1:
> Use the following user in tomcat-users.xml
> <user username="both" password="tomcat" roles="manager-gui"/>
> 
> Step 2:
> Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
> <auth-method>BASIC</auth-method>
> changed to
> <auth-method>DIGEST</auth-method>
> 
> Step 3:
> Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5 
> digest (rather than default of SHA-256)
> <Context ...>
>    ...
>    <Valve
>      className="org.apache.catalina.authenticator.DigestAuthenticator"
>      algorithms="MD5"
>      />
> </Context>
> 
> Modify Realm configuration in server.xml
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>         resourceName="UserDatabase">
>    <CredentialHandler
>        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>        algorithm="MD5"
>        />
> </Realm>
> 
> Calculate password value for tomcat-users.xml
> digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
> both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
> Update tomcat-users.xml
> <user username="both" password="802b9260bb5c0837169f99e64aca2fd0" 
> roles="manager-gui"/>
> 
> As expected, this works. I will note it took me a couple of attempts to 
> get right as I had some typos in my configuration.
> 
> If you use the default digest of SHA-256 then you don't need to 
> configure the DigestAuthenticator in the context.xml file.

Is there any reason why SHA-256 is the default? MD5 is the historical 
default / only implementation for HTTP DIGEST.

-chris



Re: CredentialHandler not working for MD5

Posted by Peter Otto <Pe...@Arthrex.com>.
Ok thanks.

Got it, it is now working.

This step was missing.

<Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
       algorithms="MD5" />

We didn’t have to do this before.

No mention of having to edit Digest inside context.xml here
https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html

Tried SHA-256, couldn’t get it to work.  But MD5 does.
Thanks again.


Re: CredentialHandler not working for MD5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/17/23 03:55, Mark Thomas wrote:
> On 16/11/2023 18:06, Peter Otto wrote:
>>    1.  Configure BASIC auth with clear-text passwords in the Realm and 
>> get
>> that working.
>>    2.  Switch to DIGEST auth with clear-text passwords in the Realm 
>> and get
>> that working.
>>    3.  Then configure DIGEST auth and digested passwords in the Realm.
>> Hi Chris,
>>
>> Step 1 & 2 work
>> Step 3 will not work with the clear text password, only the digested 
>> password, which means the text password in tomcat-users.xml.   In past 
>> versions of Tomcat, the clear text password would work.
> 
> Testing with the manager application.
> 
> Step 1:
> Use the following user in tomcat-users.xml
> <user username="both" password="tomcat" roles="manager-gui"/>
> 
> Step 2:
> Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
> <auth-method>BASIC</auth-method>
> changed to
> <auth-method>DIGEST</auth-method>
> 
> Step 3:
> Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5 
> digest (rather than default of SHA-256)
> <Context ...>
>    ...
>    <Valve
>      className="org.apache.catalina.authenticator.DigestAuthenticator"
>      algorithms="MD5"
>      />
> </Context>
> 
> Modify Realm configuration in server.xml
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>         resourceName="UserDatabase">
>    <CredentialHandler
>        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>        algorithm="MD5"
>        />
> </Realm>
> 
> Calculate password value for tomcat-users.xml
> digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
> both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
> Update tomcat-users.xml
> <user username="both" password="802b9260bb5c0837169f99e64aca2fd0" 
> roles="manager-gui"/>
> 
> As expected, this works. I will note it took me a couple of attempts to 
> get right as I had some typos in my configuration.
> 
> If you use the default digest of SHA-256 then you don't need to 
> configure the DigestAuthenticator in the context.xml file.
> 
> If you want to default to SHA-256 but fall back to MD5 for clients that 
> don't support DIGEST auth with SHA-256 then you need to next two realms 
> in the LockOut realm.


s/next/nest/

> One you configure all your users with MD5 passwords 
> and MD5 credential handler. The other you configure all your users with 
> SHA256 passwords and a SHA256 credential handler. i.e. you have two 
> Realms that duplicate the user names but use different digests to 
> calculate the passwords.

Peter, while this is entirely technically possible, it's pointless: the 
purpose in hashing passwords is to protect the stored credentials from 
being compromised by either the stewards of those credentials (the 
system administrators) or by some third-party adversary. If you have 
both MD5 and SHA-256 hashes available on the server, an adversary will 
ignore the SHA-256 hashes and use the MD5 hashes instead.

So if you can guarantee that all your clients support SHA-256, then 
that's what you should use. Otherwise, you will be stuck with MD5 
forever, anyway, so you may as well have a less needlessly-complicated 
configuration.

-chris



Re: CredentialHandler not working for MD5

Posted by Mark Thomas <ma...@apache.org>.
On 16/11/2023 18:06, Peter Otto wrote:
>    1.  Configure BASIC auth with clear-text passwords in the Realm and get
> that working.
>    2.  Switch to DIGEST auth with clear-text passwords in the Realm and get
> that working.
>    3.  Then configure DIGEST auth and digested passwords in the Realm.
> Hi Chris,
> 
> Step 1 & 2 work
> Step 3 will not work with the clear text password, only the digested password, which means the text password in tomcat-users.xml. In past versions of Tomcat, the clear text password would work.

Testing with the manager application.

Step 1:
Use the following user in tomcat-users.xml
<user username="both" password="tomcat" roles="manager-gui"/>

Step 2:
Edit $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
<auth-method>BASIC</auth-method>
changed to
<auth-method>DIGEST</auth-method>

Step 3:
Edit $CATALINA_BASE/webapps/manager/META-INF/context.xml to specify MD5 
digest (rather than default of SHA-256)
<Context ...>
   ...
   <Valve
     className="org.apache.catalina.authenticator.DigestAuthenticator"
     algorithms="MD5"
     />
</Context>

Modify Realm configuration in server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        resourceName="UserDatabase">
   <CredentialHandler
       className="org.apache.catalina.realm.MessageDigestCredentialHandler"
       algorithm="MD5"
       />
</Realm>

Calculate password value for tomcat-users.xml
digest.sh -a MD5 -s 0 "both:Tomcat Manager Application:tomcat"
both:Tomcat Manager Application:tomcat:802b9260bb5c0837169f99e64aca2fd0
Update tomcat-users.xml
<user username="both" password="802b9260bb5c0837169f99e64aca2fd0" 
roles="manager-gui"/>

As expected, this works. I will note it took me a couple of attempts to 
get right as I had some typos in my configuration.

If you use the default digest of SHA-256 then you don't need to 
configure the DigestAuthenticator in the context.xml file.

If you want to default to SHA-256 but fall back to MD5 for clients that 
don't support DIGEST auth with SHA-256 then you need to next two realms 
in the LockOut realm. One you configure all your users with MD5 passwords 
and MD5 credential handler. The other you configure all your users with 
SHA256 passwords and a SHA256 credential handler. i.e. you have two 
Realms that duplicate the user names but use different digests to 
calculate the passwords.

Mark



Re: CredentialHandler not working for MD5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Peter,

On 11/16/23 13:06, Peter Otto wrote:
>    1.  Configure BASIC auth with clear-text passwords in the Realm and get
> that working.
>    2.  Switch to DIGEST auth with clear-text passwords in the Realm and get
> that working.
>    3.  Then configure DIGEST auth and digested passwords in the Realm.
> Hi Chris,
> 
> Step 1 & 2 work

Good.

> Step 3 will not work with the clear text password, only the digested password, which means the text password in tomcat-users.xml. In past versions of Tomcat, the clear text password would work.

What does your Authentication request header look like?

> On line # 1154 in Realmbase.java we read.
> 
> 
> String digestValue = username + ":" + realmName + ":" +  getPassword(username);
> 
> The method getPassword(username) is using the digested password, when it should use  the clear text password.
> 
> Here is how I run digest in powershell.
> .\digest.bat -a MD5 -i 1 -s 0 tomcat:UserDatabase:nobueno
> 
> RealmBase.java is not using the clear text password, instead it is using the digested password. This will return false for the manager access.
> 
> When I replace the getPassword(username) and replace it with the clear text password, it will then WORK.

How did you configure things for Mark's #3 task above? Including the 
commands you used to generate the stored-credential?

-chris



Re: CredentialHandler not working for MD5

Posted by Peter Otto <Pe...@Arthrex.com>.
  1.  Configure BASIC auth with clear-text passwords in the Realm and get
that working.
  2.  Switch to DIGEST auth with clear-text passwords in the Realm and get
that working.
  3.  Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,

Step 1 & 2 work
Step 3 will not work with the clear text password, only the digested password, which means the text password in tomcat-users.xml. In past versions of Tomcat, the clear text password would work.

On line # 1154 in Realmbase.java we read.


String digestValue = username + ":" + realmName + ":" +  getPassword(username);

The method getPassword(username) is using the digested password, when it should use  the clear text password.

Here is how I run digest in powershell.
.\digest.bat -a MD5 -i 1 -s 0 tomcat:UserDatabase:nobueno

RealmBase.java is not using the clear text password, instead it is using the digested password. This will return false for the manager access.

When I replace the getPassword(username) and replace it with the clear text password, it will then WORK.

Re: CredentialHandler not working for MD5

Posted by Mark Thomas <ma...@apache.org>.
You are confusing DIGEST authentication and digested passwords. The two 
are separate but related processes. If you use both, you do need to 
ensure that they are using the same digest.

There is no need to modify code. This can all be controlled via 
configuration.

https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#Digested_Passwords

Look for "If using digested passwords with DIGEST authentication"

I suggest you do this in stages.

1. Configure BASIC auth with clear-text passwords in the Realm and get 
that working.
2. Switch to DIGEST auth with clear-text passwords in the Realm and get 
that working.
3. Then configure DIGEST auth and digested passwords in the Realm.

Mark



On 14/11/2023 00:04, Peter Otto wrote:
> More info….
> 
> 
> 
> In the Request Header-> Authorization->Response.  Response is used as the clientDigest.  However this response is generated, it is incorrect.
> 
> Need to understand where Tomcat generates this Response because it is used for comparison of the serverDigest.  And if the server digest equals the clientDigest, then it works.
> 
> 
> 
> The way I understand it, the clientDigest comes from the client entering in the username/pwd on the popup box.
> 
> 
> 
> 
> From: Peter Otto <Pe...@Arthrex.com>
> Date: Monday, November 13, 2023 at 11:05 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: CredentialHandler not working for MD5
> Chris,
> 
> Running the debugger, I found out the DigestAuthenticator wants to use SHA-256.   8 months ago there was a change for RFC 7616.
> https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java
> 
> To bypass the array of digest,
> I commented out some code so it was forced to use MD5 only.
> 
> But In the RealmBase, I really don’t understand what getDigest is doing.
> When I create a MD5 digest, I use Username:Realm:Password.
> In the code it is using Nonce, nc, cnonce, qop…..
> 
> 
> 
> 
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, November 10, 2023 at 1:44 PM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: CredentialHandler not working for MD5
> Peter,
> 
> On 11/10/23 16:30, Peter Otto wrote:
>> With 9.0.82, and the latest version 10, I get the same problem.
>> So I assume it stopped working since 9.0.74 all the way up to 9.0.82
>>
>> Removing the Realm LockOutRealm did not work either.
> 
> Thanks for double-checking both of those.
> 
> I don't see anything in the changelog that seems like it would be
> related. Things I suspect are related were in an earlier release.
> 
> Are you able to run under a debugger, and are you comfortable doing
> that? It's pretty easy to set a breakpoint in the Realm and/or
> CredentialHandler to see what's being done when you try to authenticate.
> 
> -chris
> 
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Date: Friday, November 10, 2023 at 12:35 PM
>> To: users@tomcat.apache.org <us...@tomcat.apache.org>
>> Subject: Re: CredentialHandler not working for MD5
>> Peter,
>>
>> On 11/10/23 13:27, Peter Otto wrote:
>>> Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
>>> Steps to reproduce.
>>>
>>> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno
>>>
>>> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>>>
>>>
>>> Step 2. Use the digest # and place it in tomcat-users.xml
>>> <role rolename="manager-script"/>
>>> <role rolename="manager-gui"/>
>>> <user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>
>>>
>>>
>>> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>>>
>>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
>>> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>>> </Realm>
>>> </Realm>
>>>
>>>
>>>
>>> Step 4. Edit the web.xml in manager to say
>>> <login-config>
>>>     <auth-method>DIGEST</auth-method>
>>>     <realm-name>UserDatabase</realm-name>
>>> </login-config>
>>>
>>> Step 5 start tomcat and try to access the manager.
>>> On Windows 2019 server/Chrome/OpenJDK11 type tomcat for the user
>>> and nobueno for the password.
>>>
>>> This would work on versions 9.0.73 and earlier
>>>
>>> This stopped working from 9.0.74 and onwards.
>>> The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
>>> In other words, the text in tomcat-users.xml is the password.
>>>
>>> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.
>>
>> If you temporarily remove the LockOutRealm, does the correct password work?
>>
>> If you upgrade to 9.0.82, does the correct password work?
>>
>> -chris
>>


Re: CredentialHandler not working for MD5

Posted by Peter Otto <Pe...@Arthrex.com>.
More info….



In the Request Header-> Authorization->Response.  Response is used as the clientDigest.  However this response is generated, it is incorrect.

Need to understand where Tomcat generates this Response because it is used for comparison of the serverDigest.  And if the server digest equals the clientDigest, then it works.



The way I understand it, the clientDigest comes from the client entering in the username/pwd on the popup box.




From: Peter Otto <Pe...@Arthrex.com>
Date: Monday, November 13, 2023 at 11:05 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Chris,

Running the debugger, I found out the DigestAuthenticator wants to use SHA-256.   8 months ago there was a change for RFC 7616.
https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java

To bypass the array of digest,
I commented out some code so it was forced to use MD5 only.

But In the RealmBase, I really don’t understand what getDigest is doing.
When I create a MD5 digest, I use Username:Realm:Password.
In the code it is using Nonce, nc, cnonce, qop…..




From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, November 10, 2023 at 1:44 PM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Peter,

On 11/10/23 16:30, Peter Otto wrote:
> With 9.0.82, and the latest version 10, I get the same problem.
> So I assume it stopped working since 9.0.74 all the way up to 9.0.82
>
> Removing the Realm LockOutRealm did not work either.

Thanks for double-checking both of those.

I don't see anything in the changelog that seems like it would be
related. Things I suspect are related were in an earlier release.

Are you able to run under a debugger, and are you comfortable doing
that? It's pretty easy to set a breakpoint in the Realm and/or
CredentialHandler to see what's being done when you try to authenticate.

-chris

> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, November 10, 2023 at 12:35 PM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: CredentialHandler not working for MD5
> Peter,
>
> On 11/10/23 13:27, Peter Otto wrote:
>> Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
>> Steps to reproduce.
>>
>> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno
>>
>> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>>
>>
>> Step 2. Use the digest # and place it in tomcat-users.xml
>> <role rolename="manager-script"/>
>> <role rolename="manager-gui"/>
>> <user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>
>>
>>
>> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>>
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
>> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>> </Realm>
>> </Realm>
>>
>>
>>
>> Step 4. Edit the web.xml in manager to say
>> <login-config>
>>     <auth-method>DIGEST</auth-method>
>>     <realm-name>UserDatabase</realm-name>
>> </login-config>
>>
>> Step 5 start tomcat and try to access the manager.
>> On Windows 2019 server/Chrome/OpenJDK11 type tomcat for the user
>> and nobueno for the password.
>>
>> This would work on versions 9.0.73 and earlier
>>
>> This stopped working from 9.0.74 and onwards.
>> The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
>> In other words, the text in tomcat-users.xml is the password.
>>
>> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.
>
> If you temporarily remove the LockOutRealm, does the correct password work?
>
> If you upgrade to 9.0.82, does the correct password work?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> This e-mail and any files transmitted with it are the property of Arthrex, Inc. and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at 239-643-5553 and delete this message immediately from your computer. Any other use, retention, dissemination forwarding, printing or copying of this e-mail is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, while Arthrex uses virus protection, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.


Re: CredentialHandler not working for MD5

Posted by Peter Otto <Pe...@Arthrex.com>.
Chris,

Running the debugger, I found out the DigestAuthenticator wants to use SHA-256. 8 months ago there was a change for RFC 7616.
https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java

To bypass the array of digests,
I commented out some code so it was forced to use MD5 only.

But in the RealmBase, I really don't understand what getDigest is doing.
When I create an MD5 digest, I use Username:Realm:Password.
In the code it is using nonce, nc, cnonce, qop...

From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, November 10, 2023 at 1:44 PM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Peter,

On 11/10/23 16:30, Peter Otto wrote:
> With 9.0.82, and the latest version 10, I get the same problem.
> So I assume it stopped working since 9.0.74 all the way up to 9.0.82.
>
> Removing the Realm LockOutRealm did not work either.

Thanks for double-checking both of those.

I don't see anything in the changelog that seems like it would be
related. Things I suspect are related were in an earlier release.

Are you able to run under a debugger, and are you comfortable doing
that? It's pretty easy to set a breakpoint in the Realm and/or
CredentialHandler to see what's being done when you try to authenticate.

-chris

> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, November 10, 2023 at 12:35 PM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: CredentialHandler not working for MD5
> Peter,
>
> On 11/10/23 13:27, Peter Otto wrote:
>> Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
>> Steps to reproduce.
>>
>> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno
>>
>> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>>
>>
>> Step 2. Use the digest # and place it in tomcat-users.xml
>> <role rolename="manager-script"/>
>> <role rolename="manager-gui"/>
>> <user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>
>>
>>
>> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>>
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
>> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>> </Realm>
>> </Realm>
>>
>>
>>
>> Step 4. Edit the web.xml in manager to say
>> <login-config>
>>       <auth-method>DIGEST</auth-method>
>>       <realm-name>UserDatabase</realm-name>
>>     </login-config>
>>
>> Step 5. Start Tomcat and try to access the manager.
>> On Windows 2019 server/Chrome/OpenJDK11, type tomcat for the user
>> and nobueno for the password.
>>
>> This would work on versions 9.0.73 and earlier.
>>
>> This stopped working from 9.0.74 and onwards.
>> The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
>> In other words, the text in tomcat-users.xml is the password.
>>
>> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.
>
> If you temporarily remove the LockOutRealm, does the correct password work?
>
> If you upgrade to 9.0.82, does the correct password work?
>
> -chris
>

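Peter's question about what getDigest does with nonce, nc, cnonce and qop is the second half of the HTTP Digest computation (RFC 2617, extended by RFC 7616 to allow SHA-256). The Python below is an added illustration, not code from the thread or from Tomcat: HA1 = H(username:realm:password) is what digest.bat printed and tomcat-users.xml stores, and each request's response H(HA1:nonce:nc:cnonce:qop:HA2) is recomputed server-side from that stored HA1, which therefore only verifies when the challenge names the same hash algorithm the stored value was made with. The nonce, cnonce, nc and URI values are constructed; the Mufasa vector is RFC 2617's published example.

```python
import hashlib
import hmac

# Hash functions a Digest challenge may name (RFC 7616 added SHA-256 to RFC 2617's MD5).
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256"}


def h(algorithm, data):
    """Hex digest of `data` under the algorithm named in the WWW-Authenticate challenge."""
    return hashlib.new(ALGORITHMS[algorithm], data.encode("utf-8")).hexdigest()


def ha1(algorithm, username, realm, password):
    """HA1 = H(username:realm:password): the value digest.bat printed and tomcat-users.xml stores."""
    return h(algorithm, f"{username}:{realm}:{password}")


def response(algorithm, ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response for qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri)."""
    ha2 = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(algorithm, stored_ha1, method, uri, nonce, nc, cnonce, qop, client_response):
    """Server side: recompute from the stored HA1 alone; the cleartext password is never needed."""
    expected = response(algorithm, stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)


def login_succeeds(stored_algorithm, challenge_algorithm, typed_password="nobueno"):
    """One simulated exchange for the thread's user: tomcat-users.xml holds HA1 computed with
    stored_algorithm; the browser answers a challenge naming challenge_algorithm."""
    # Constructed sample values; a real nonce and cnonce are random per request.
    nonce, cnonce, nc, uri = "c0ffee0123456789abcdef", "0a4f113b", "00000001", "/manager/html"
    stored = ha1(stored_algorithm, "tomcat", "UserDatabase", "nobueno")
    client_ha1 = ha1(challenge_algorithm, "tomcat", "UserDatabase", typed_password)
    client_resp = response(challenge_algorithm, client_ha1, "GET", uri, nonce, nc, cnonce)
    return server_accepts(challenge_algorithm, stored, "GET", uri, nonce, nc, cnonce, "auth", client_resp)


def rfc2617_example():
    """Known-answer vector from RFC 2617 section 3.5 (user Mufasa, password 'Circle Of Life')."""
    a1 = ha1("MD5", "Mufasa", "testrealm@host.com", "Circle Of Life")
    return response("MD5", a1, "GET", "/dir/index.html",
                    "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")


if __name__ == "__main__":
    print("RFC 2617 vector:", rfc2617_example())  # 6629fae49393a05397450978507c4ef1
    print("MD5 HA1 stored, MD5 challenge:    ", login_succeeds("MD5", "MD5"))      # True
    print("MD5 HA1 stored, SHA-256 challenge:", login_succeeds("MD5", "SHA-256"))  # False
    print("MD5 HA1 stored, wrong password:   ", login_succeeds("MD5", "MD5", "x"))  # False
```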

Re: CredentialHandler not working for MD5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Peter,

On 11/10/23 16:30, Peter Otto wrote:
> With 9.0.82, and the latest version 10, I get the same problem.
> So I assume it stopped working since 9.0.74 all the way up to 9.0.82.
> 
> Removing the Realm LockOutRealm did not work either.

Thanks for double-checking both of those.

I don't see anything in the changelog that seems like it would be
related. Things I suspect are related were in an earlier release.

Are you able to run under a debugger, and are you comfortable doing 
that? It's pretty easy to set a breakpoint in the Realm and/or 
CredentialHandler to see what's being done when you try to authenticate.

-chris

> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: Friday, November 10, 2023 at 12:35 PM
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: Re: CredentialHandler not working for MD5
> Peter,
> 
> On 11/10/23 13:27, Peter Otto wrote:
>> Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
>> Steps to reproduce.
>>
>> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno
>>
>> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>>
>>
>> Step 2. Use the digest # and place it in tomcat-users.xml
>> <role rolename="manager-script"/>
>> <role rolename="manager-gui"/>
>> <user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>
>>
>>
>> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>>
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
>> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>> </Realm>
>> </Realm>
>>
>>
>>
>> Step 4. Edit the web.xml in manager to say
>> <login-config>
>>       <auth-method>DIGEST</auth-method>
>>       <realm-name>UserDatabase</realm-name>
>>     </login-config>
>>
>> Step 5. Start Tomcat and try to access the manager.
>> On Windows 2019 server/Chrome/OpenJDK11, type tomcat for the user
>> and nobueno for the password.
>>
>> This would work on versions 9.0.73 and earlier.
>>
>> This stopped working from 9.0.74 and onwards.
>> The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
>> In other words, the text in tomcat-users.xml is the password.
>>
>> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.
> 
> If you temporarily remove the LockOutRealm, does the correct password work?
> 
> If you upgrade to 9.0.82, does the correct password work?
> 
> -chris
> 



Re: CredentialHandler not working for MD5

Posted by Peter Otto <Pe...@Arthrex.com>.
Chris,

With 9.0.82, and the latest version 10, I get the same problem.
So I assume it stopped working since 9.0.74 all the way up to 9.0.82.

Removing the Realm LockOutRealm did not work either.

Thanks


From: Christopher Schultz <ch...@christopherschultz.net>
Date: Friday, November 10, 2023 at 12:35 PM
To: users@tomcat.apache.org <us...@tomcat.apache.org>
Subject: Re: CredentialHandler not working for MD5
Peter,

On 11/10/23 13:27, Peter Otto wrote:
> Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
> Steps to reproduce.
>
> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno
>
> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>
>
> Step 2. Use the digest # and place it in tomcat-users.xml
> <role rolename="manager-script"/>
> <role rolename="manager-gui"/>
> <user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>
>
>
> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>
> <Realm className="org.apache.catalina.realm.LockOutRealm">
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
> </Realm>
> </Realm>
>
>
>
> Step 4. Edit the web.xml in manager to say
> <login-config>
>      <auth-method>DIGEST</auth-method>
>      <realm-name>UserDatabase</realm-name>
>    </login-config>
>
> Step 5. Start Tomcat and try to access the manager.
> On Windows 2019 server/Chrome/OpenJDK11, type tomcat for the user
> and nobueno for the password.
>
> This would work on versions 9.0.73 and earlier.
>
> This stopped working from 9.0.74 and onwards.
> The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
> In other words, the text in tomcat-users.xml is the password.
>
> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.

If you temporarily remove the LockOutRealm, does the correct password work?

If you upgrade to 9.0.82, does the correct password work?

-chris


Re: CredentialHandler not working for MD5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Peter,

On 11/10/23 13:27, Peter Otto wrote:
> Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
> Steps to reproduce.
> 
> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno
> 
> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
> 
> 
> Step 2. Use the digest # and place it in tomcat-users.xml
> <role rolename="manager-script"/>
> <role rolename="manager-gui"/>
> <user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" roles="manager-gui,manager-script"/>
> 
> 
> Step 3. Edit server.xml and add the CredentialHandler to use MD5
> 
> <Realm className="org.apache.catalina.realm.LockOutRealm">
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
> <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
> </Realm>
> </Realm>
> 
> 
> 
> Step 4. Edit the web.xml in manager to say
> <login-config>
>      <auth-method>DIGEST</auth-method>
>      <realm-name>UserDatabase</realm-name>
>    </login-config>
> 
> Step 5. Start Tomcat and try to access the manager.
> On Windows 2019 server/Chrome/OpenJDK11, type tomcat for the user
> and nobueno for the password.
> 
> This would work on versions 9.0.73 and earlier.
> 
> This stopped working from 9.0.74 and onwards.
> The way to access the manager from 9.0.74+ is to use bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
> In other words, the text in tomcat-users.xml is the password.
> 
> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat because of CVEs.

If you temporarily remove the LockOutRealm, does the correct password work?

If you upgrade to 9.0.82, does the correct password work?

-chris
