I am trying to use the manager application that comes with Tomcat 8.5. However, every time that I try to log on with the password of "test" for the user "admin", it does
Mine worked by following your steps except by placing the CredentialHandler inside the Realm:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
  </Realm>
</Realm>
Here's how you do it in 4 simple steps. Some of the above advice was missing some of the steps (like Step # 4). Also, -s 0 (salt 0) when generating the hash will work also.
1) Generate password: /bin>digest.bat -s 0 -a sha-256
Example: /bin>digest.bat -s 0 -a sha-256 admin
Password to use is: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
*Important note: You must use “-s 0” (salt 0) or it won’t work.
2) paste password above into your tomcat-users.xml file.
Example:
<!-- for password “admin” -->
<user username="tomcat" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="manager-gui,manager,admin"></user>
3) configure server.xml to use SHA-256 digest hashed based passwords:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
  </Realm>
</Realm>
4) configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)
<catalina_home>/webapps/manager\WEB-INF\web.xml
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>UserDatabase</realm-name>
</login-config>
Full context:
<servlet>
  <servlet-name>HTMLManager</servlet-name>
  <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>2</param-value>
  </init-param>
  … SNIPPED_FOR_BREVITY ...
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name>
  </login-config>
  <multipart-config>
    <!-- 50MB max -->
    <max-file-size>52428800</max-file-size>
    <max-request-size>52428800</max-request-size>
    <file-size-threshold>0</file-size-threshold>
  </multipart-config>
</servlet>
I don't think that it is not easy to choose the algorithm if using DIGEST. (At least I failed...) According to the docs https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#Digested_Passwords -- "If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different and the digest must use one iteration of the MD5 algorithm with no salt." Sounds to me that you have to use md5 at least once. It would be much easier to get rid of md5 with form based auth etc.
Here is the Tomcat password digest process for Tomcat 8.5.x (we are using the SHA-256 and SHA-512 algorithms):
1. Change in $CATALINA_BASE/conf/server.xml file:
a. From
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
b. To
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-512" />
  </Realm>
</Realm>
2. Create digest password:
a. Go to location $CATALINA_BASE/bin/ and run digest.sh
i. For sha-256:
[root@aa22 bin]# ./digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler xxxxxxxx
xxxxxxxx:5327b745a19144e34ca40128219ab660b09ff9cf866222c1850a5e7a716db669$1$b4b734709246d25373a730cad709151db47920f79e1a1d65f6772d1307216f1b
ii. For sha-512:
[root@aa12 bin]# ./digest.sh -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler xxxxxxxx
xxxxxxxx:d92d95ae2fab83ca1eafae3b900ae9ab2115eac644935fb35a5973c3032dbcc7$1$c1f8e55b0beb771198ab46a69e1559ae145f172226d6f11ee91d67fde361717ca7498f48e486e4267e810b64e0a9096b16311ddc85b746c0019088462975bc9f
3. Now copy the digested password to $CATALINA_BASE/conf/tomcat-users.xml
a. Replace the plain text password with this digested password and restart Tomcat. Make sure you are using the same algorithm name in server.xml as the one with which you digested the plain text password.
4. End
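The answers above leave three different kinds of value in the password attribute of tomcat-users.xml: plaintext, the bare hex digest that "-s 0" produces, and the salt$iterations$digest form that digest.sh prints by default. The following Python audit is an added example, not code from any of the answers or from Tomcat; it classifies each entry and checks a candidate password against it. The function names, the guess of the algorithm from the digest length, and the hashing order H(salt || password) with later rounds re-hashing the result are assumptions to confirm against your Tomcat version.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
# tomcat-users.xml does not record the algorithm (server.xml does), so it is
# guessed from the hex length of the digest. This is a heuristic.
ALGORITHM_BY_HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}

def classify(stored):
    """Return (kind, salt, iterations, hex_digest) for one password attribute."""
    parts = stored.split("$")
    if (len(parts) == 3 and HEX.match(parts[0]) and parts[1].isdigit()
            and HEX.match(parts[2]) and len(parts[2]) in ALGORITHM_BY_HEX_LEN):
        return "salted", bytes.fromhex(parts[0]), int(parts[1]), parts[2].lower()
    if HEX.match(stored) and len(stored) in ALGORITHM_BY_HEX_LEN:
        return "unsalted", b"", 1, stored.lower()  # what "-s 0" produces
    return "plaintext", None, None, None

def digest(algorithm, salt, iterations, password):
    """Assumed scheme: H(salt || password); each further round re-hashes the result."""
    result = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.new(algorithm, result).digest()
    return result.hex()

def verify(stored, password):
    """Check a candidate password against a stored value in any of the three forms."""
    kind, salt, iterations, expected = classify(stored)
    if kind == "plaintext":
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    algorithm = ALGORITHM_BY_HEX_LEN[len(expected)]
    return hmac.compare_digest(digest(algorithm, salt, iterations, password), expected)

def audit(users_xml):
    """Map each username to the storage form of its password."""
    found = {}
    for element in ET.fromstring(users_xml).iter():
        if element.tag.rsplit("}", 1)[-1] == "user":  # tolerate the XML namespace
            found[element.get("username")] = classify(element.get("password", ""))[0]
    return found

# Constructed sample: the first entry is the one from the answer above, the others are made up.
SALTED = "00ff10ab$1$" + digest("sha256", bytes.fromhex("00ff10ab"), 1, "example-only")
SAMPLE_USERS_XML = f"""<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="manager-gui"/>
  <user username="ops" password="{SALTED}" roles="manager-gui"/>
  <user username="legacy" password="changeme" roles="manager-gui"/>
</tomcat-users>"""
```

Calling audit(SAMPLE_USERS_XML) reports tomcat as unsalted, ops as salted and legacy as plaintext. With an unsalted digest, the same password always yields the same stored value, on every account and every host.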