How to use digest authentication in Tomcat 8.5?

Question

I am trying to use the manager application that comes with Tomcat 8.5. However, every time that I try to log on with the password of "test" for the user "admin", it does not work. If I plug in the exact MD5 hash that I obtained from digest.bat, I am able to log in.

Has anyone managed to get this working appropriately?

server.xml

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="md5" />
              <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
        </Realm>

tomcat-users.xml

<?xml version='1.0' encoding='cp1252'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<user username="admin" password="41858d1250c84a1bfb882bcb02b85ba8" roles="admin-gui,manager-gui" />
<user username="test" password="test" roles="manager-gui,admin-gui" />
</tomcat-users>

tomcat webapp manager web.xml excerpt

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>TEST</realm-name>
    <!--<realm-name>Tomcat Manager Application</realm-name>-->
  </login-config>

digest.bat output

.\digest.bat -a MD5 -s 0 admin:TEST:test
admin:TEST:test:41858d1250c84a1bfb882bcb02b85ba8

Answer 1

**** Password digest process has been change to tomcat 8.5 version; it has been modified then how it was in tomcat earlier versions

Here is the tomcat password digest process for Tomcat 8.5.x ( we are using algorithm SHA-256 and SHA-512)

1. Change in $CATALINA_BASE/conf/server.xml file:
    a. From 
         <Realm className="org.apache.catalina.realm.LockOutRealm">
                <!-- This Realm uses the UserDatabase configured in the global JNDI
                     resources under the key "UserDatabase".  Any edits
                     that are performed against this UserDatabase are immediately
                     available for use by the Realm.  -->
                <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                        resourceName="UserDatabase"/>
             </Realm>
    b. To
         <Realm className="org.apache.catalina.realm.LockOutRealm">
                <!-- This Realm uses the UserDatabase configured in the global JNDI
                     resources under the key "UserDatabase".  Any edits
                     that are performed against this UserDatabase are immediately
                     available for use by the Realm.  -->
                <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                        resourceName="UserDatabase">
                                <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-512" />
                </Realm>
             </Realm>
2. Create digest password:
    a. Go to location $CATALINA_BASE/bin/ and run digest.sh
        i. For sha-256: 
        [root@aa22 bin]# ./digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler xxxxxxxx
        xxxxxxxx:5327b745a19144e34ca40128219ab660b09ff9cf866222c1850a5e7a716db669$1$b4b734709246d25373a730cad709151db47920f79e1a1d65f6772d1307216f1b

        ii. For sha-512:
        [root@aa12 bin]# ./digest.sh -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler xxxxxxxx
        xxxxxxxx:d92d95ae2fab83ca1eafae3b900ae9ab2115eac644935fb35a5973c3032dbcc7$1$c1f8e55b0beb771198ab46a69e1559ae145f172226d6f11ee91d67fde361717ca7498f48e486e4267e810b64e0a9096b16311ddc85b746c0019088462975bc9f

3. Now copy digested password to $CATALINA_BASE/conf/tomcat-users.xml
    a. Replace the plain text password with this digested password and restart tomcat. Make sure; you are using same algo name in server.xml; by which you digested the plain test password.
4. End

Answer 2

Mine worked by following your steps except by placing the CredentialHandler inside the Realm:

<Realm className="org.apache.catalina.realm.LockOutRealm">
   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
   </Realm>
</Realm>