I am toying with tomcat security for servlets. In my server.xml I have
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="SHA"/>
and in my tomcat-users.xml
<user username="zenon" password="qazxsw" roles="proby"/>
<user username="andrzej" password="1c29cf0ceb89afce131e27b76c18af1e9cf7f5e3" roles="admin-gui,manager-gui,proby,role1"/>
web.xml of very simple application
<security-constraint>
<display-name>No Pasaran</display-name>
<web-resource-collection>
<web-resource-name>Tylko dla memberow</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>proby</role-name>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
so when auth-method is BASIC I can log in with username:andrzej and password:qazxsw (this long password of andrzej is SHA of qazxsw) so it seems that now when I send password he already is digesting it before comparing.
I think so because when i use DIGEST as auth-method I can’t log in, is he digesting password twice before comparing it?
If yes is there any other way then https to secure such things on container level?
First of all HTTP DIGEST doesn’t use SHA, it uses MD5, unfortunately. You will need to replace SHA with MD5 in both your Realm defined in
server.xmland in the command line you use to generate password digests.Then, as Tomcat documentation suggests in case your realm passwords are digested the ways to generate passwords for BASIC and DIGEST auth mechanisms are different. So you can’t possibly use the same password digest to test both BASIC and DIGEST methods.
In case of BASIC you generate password digest with this:
and in case of DIGEST it is: