Tomcat Digest with Manager WebApp

Question

I'm trying to get a digest password setup for the tomcat manager application.

I've got

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" digest="MD5"/>

in my tomcat server.xml changed the manager web application's web.xml to use digest and changed the realm name to TESTING:

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>TESTING</realm-name>
  </login-config>

I then used the included bat file to generate the md5 hash:

C:\tomcat6\bin>digest.bat -a MD5 tomcat:TESTING:testor
tomcat:TESTING:testor:1926e50988667dbd5deda9df02b82f28

I then have a user in tomcat-users.xml with that digested hash as a password:

<!-- testor -->
  <user username="tomcat" password="1926e50988667dbd5deda9df02b82f28" roles="manager"/>

I've also modifed the 401.jsp page to use digest and TESTING as the realm name.

I start up the web app, go to http://localhost:8080/manager/html and am prompted with the standard form. Typing in tomcat as the user, and testor as the password, I hit enter only to get a 401. I of course try again and again get a 401.

I'll probably go with BASIC authentication over SSL in the end since ant can't do digest, as far as I know.

But is there anyway to do this?

Answer 1

I tried out KiaMorot's answer with Tomcat 8.0.32, but it did not work. It did work when I added the option "-s 0" (salt lenth zero) when generating the digested password:

sudo /opt/apache-tomcat-8.0.32/bin/digest.sh -s 0 -a MD5 'developer:UserDatabase:my clear text password'

In this citation of my command I omitted my clear text password and replaced it with the string "my clear text password". Please keep the single quotes, otherwise the shell will interpret special characters in your password.

You can check whether omitting the -s option is your problem as follows. If I do the digest.sh command multiple times without the -s option, I get different results although the command-line of each repetition is the same.