Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/03/26 06:08:42 UTC
DO NOT REPLY [Bug 52983] New: DIGEST auth broken on 6.0.x manager
app because of redundant WWW-Authenticate header in 401.jsp
https://issues.apache.org/bugzilla/show_bug.cgi?id=52983
Bug #: 52983
Summary: DIGEST auth broken on 6.0.x manager app because of
redundant WWW-Authenticate header in 401.jsp
Product: Tomcat 6
Version: 6.0.35
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Manager application
AssignedTo: dev@tomcat.apache.org
ReportedBy: neale@metawerx.net
Classification: Unclassified
Created attachment 28505
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28505
patch against 6.0.x trunk removing problematic lines from 401.jsp
The Manager app in 6.0.35 sets WWW-Authenticate in 401.jsp.
However, this seems to be already set elsewhere, and as a result of setting it
again in 401.jsp, DIGEST mode can not be used for the manager app.
From what I can see, this is fixed in 7.0.x but doesn't seem to have been
backported to 6.0.x yet.
The result is that DIGEST for Tomcat Manager can't be used on Tomcat 6 which is
still very popular.
To demonstrate, I changed 401.jsp to set the header name to
WWW-AuthenticateREDUNDANT and here is the result:
For BASIC:
HTTP/1.1 401 Unauthorized
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Set-Cookie: JSESSIONID=****removed****; Path=/manager
WWW-AuthenticateREDUNDANT: Basic realm="Tomcat Manager Application"
Content-Type: text/html
Transfer-Encoding: chunked
Vary: Accept-Encoding
Date: Mon, 26 Mar 2012 03:39:09 GMT
Server: Coyote
For DIGEST:
HTTP/1.1 401 Unauthorized
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Digest realm="Tomcat Manager Application", qop="auth",
nonce="****removed****", opaque="****removed****"
Set-Cookie: JSESSIONID=****removed****; Path=/manager
WWW-AuthenticateREDUNDANT: Basic realm="Tomcat Manager Application"
Content-Type: text/html
Transfer-Encoding: chunked
Vary: Accept-Encoding
Date: Mon, 26 Mar 2012 03:44:07 GMT
Server: Coyote
You can clearly see the REDUNDANT header being set here by 401.jsp.
To fix on my local versions, I simply removed the line in 401.jsp (patch1.txt).
However, this deserves a cross-check by someone else before being committed in
case there's some situation where it would remove authentication altogether.
An alternative solution for this version is to check if the header is set, and
only add it where it's not already present (patch2.txt):
    if (!response.containsHeader("WWW-Authenticate")) {
        // Only add the Basic challenge when no authenticator has already set one
        response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
    }
... but I'll leave that up to you.
Best Regards,
Neale
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
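The report above diagnoses the problem by reading the raw 401 responses by eye. As an added example (not part of the bug report or of Tomcat), the following script does the same check mechanically: it parses the head of a raw HTTP response, keeps repeated headers separate instead of merging them, joins the folded continuation line seen in the captured Digest challenge, and then reports whether a 401 carries more than one WWW-Authenticate challenge and whether those challenges name different schemes. The two sample responses are constructed from the captures in the report, with the demonstration name WWW-AuthenticateREDUNDANT restored to WWW-Authenticate (what an unpatched 401.jsp actually emits) and the removed nonce, opaque and session values replaced by placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples modelled on the captures in the bug report. The second
# WWW-Authenticate header is the one 401.jsp adds; secrets are placeholders.
BASIC_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Pragma: No-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 10:00:00 EST\r\n"
    "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\"\r\n"
    "Set-Cookie: JSESSIONID=placeholder; Path=/manager\r\n"
    "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

DIGEST_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Pragma: No-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 10:00:00 EST\r\n"
    "WWW-Authenticate: Digest realm=\"Tomcat Manager Application\", qop=\"auth\",\r\n"
    " nonce=\"placeholder\", opaque=\"placeholder\"\r\n"
    "Set-Cookie: JSESSIONID=placeholder; Path=/manager\r\n"
    "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the head of a raw HTTP response into (status line, header pairs).

    Header names are lower-cased; repeated headers stay as separate entries so
    duplicates are visible; an obsolete folded line (leading whitespace, as in
    the captured Digest challenge) is appended to the preceding header value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def challenges(raw: str) -> List[str]:
    """Return the auth scheme of every WWW-Authenticate header, in wire order."""
    _, headers = parse_headers(raw)
    return [re.split(r"\s+", value, 1)[0]
            for name, value in headers if name == "www-authenticate"]


def audit_401(raw: str) -> Dict[str, object]:
    """Flag a 401 whose WWW-Authenticate challenges are duplicated or disagree.

    'duplicate' means more than one challenge header was sent; 'conflicting'
    means the challenges name different schemes, the Digest-plus-Basic
    combination the report shows for the unpatched manager app.
    """
    status, _ = parse_headers(raw)
    schemes = challenges(raw)
    distinct = sorted({s.lower() for s in schemes})
    return {
        "status": status,
        "challenge_count": len(schemes),
        "schemes": distinct,
        "duplicate": len(schemes) > 1,
        "conflicting": len(distinct) > 1,
    }


if __name__ == "__main__":
    for label, sample in (("BASIC", BASIC_401), ("DIGEST", DIGEST_401)):
        print(label, audit_401(sample))
```

Feed it the head of a real response (for example the output of an HTTP client run with response headers shown) to confirm a patched server sends exactly one challenge; a "conflicting" result on a Digest-protected manager app is the symptom this bug describes.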
--- Comment #1 from Neale Rudd <ne...@metawerx.net> 2012-03-26 04:09:36 UTC ---
Created attachment 28506
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28506
patch against 6.0.x trunk eliminating redundant header after checking if it
already exists
Neale Rudd <ne...@metawerx.net> changed:
What                       | Removed | Added
---------------------------|---------|------
Attachment #28505 is patch | 0       | 1
--- Comment #2 from Mark Thomas <ma...@apache.org> 2012-03-29 14:16:08 UTC ---
I've proposed the fix that was applied to trunk and 7.0.x for 6.0.x.
Konstantin Kolinko <kn...@gmail.com> changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED
--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
Fixed in 6.0 by r1343369 and r1343405 and will be in 6.0.36.
In 7.0 it is already fixed by r1084103, which is included in 7.0.12.