testdriven / psi-probe

Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe

HTTP-Digest Authentication doesn't work #383

Open padcom opened 9 years ago

padcom commented 9 years ago

From ne...@metawerx.net on November 26, 2013 13:30:01

What steps will reproduce the problem?

  1. Set up and verify a working HTTP-Digest-Authentication setup, including a manager user with a hashed password in tomcat-users.xml to verify Digest-Authentication is working first (steps detailed on Tomcat site)
  2. Configure the psi-probe Realm to use digest="MD5" like the newly configured Tomcat Manager does
  3. Set DIGEST authentication in probe/WEB-INF/web.xml to force it to send Digest headers when authenticating with the user, as you would with the Tomcat Manager application.

What is the expected result?

Authentication works in the same way as the similarly configured Tomcat Manager application.

What happens instead?

Authentication fails

What version of Probe are you using?

2.3.3

What environment (browser version, Tomcat version, JVM version, server OS)?

Chrome 32, Tomcat 7.0.47, JDK 7u45, Ubuntu

Please provide any additional information below. (Attach logs or stack traces as files instead of pasting the contents here.)

The following HTTP response shows the server is requesting the HTTP-Digest-Authentication correctly (numbers changed to protect the innocent):

    HTTP/1.1 401 Unauthorized
    Cache-Control: private
    Expires: Thu, 01 Jan 1970 10:00:00 EST
    WWW-Authenticate: Digest realm="PSI Probe", qop="auth", nonce="1111111111111:abababababababababababababababab", opaque="23598295820985092859025895152251"
    Content-Type: text/html;charset=utf-8
    Content-Language: en
    Content-Length: 951
    Date: Tue, 26 Nov 2013 12:23:16 GMT
    Server: Server

However, even though the client sends back the correct user/password combination, they cannot authenticate.

The same user works on Tomcat Manager with Digest Auth enabled.

I was able to make it work by:

It would be great if this was fixed so that psi-probe could be used as a replacement for Tomcat Manager in more secure environments.

Keep up the great work!

Best Regards,
Neale Rudd
Metawerx Pty Ltd

Original issue: http://code.google.com/p/psi-probe/issues/detail?id=383
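An added diagnostic sketch, not part of the original report and not psi-probe or Tomcat code: under RFC 2617, and as Tomcat's Realm documentation describes for digested passwords used with DIGEST authentication, the stored hash is MD5(username:realm:password), so a hash generated for one application's realm name does not verify under another's. It replays the challenge quoted in the report; the user name, password, URI, cnonce and the second realm name are constructed assumptions, and the thread does not say whether this is what the reporter hit.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Extract the quoted parameters of a 'WWW-Authenticate: Digest ...' value."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def stored_credential(user, realm, password):
    """Digested password for DIGEST auth: MD5(user:realm:password), RFC 2617 HA1."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_ha1, client_response, method, uri, nonce, nc, cnonce):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)

# Challenge values as quoted in the report (already anonymised by the reporter).
CHALLENGE = ('Digest realm="PSI Probe", qop="auth", '
             'nonce="1111111111111:abababababababababababababababab", '
             'opaque="23598295820985092859025895152251"')

def demo():
    ch = parse_challenge(CHALLENGE)
    user, password = "probeuser", "example-password"     # constructed
    uri, nc, cnonce = "/probe/", "00000001", "0a4f113b"  # constructed
    # The browser always hashes with the realm named in the challenge.
    client = digest_response(stored_credential(user, ch["realm"], password),
                             "GET", uri, ch["nonce"], nc, cnonce)
    results = {}
    # Second realm name is an assumed example of a hash made for another webapp.
    for realm in (ch["realm"], "Tomcat Manager Application"):
        ha1 = stored_credential(user, realm, password)  # what tomcat-users.xml would hold
        results[realm] = server_accepts(ha1, client, "GET", uri,
                                        ch["nonce"], nc, cnonce)
    return results

if __name__ == "__main__":
    for realm, ok in demo().items():
        print(f"hash generated for realm {realm!r}: accepted={ok}")
```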

padcom commented 9 years ago

From MALfunct...@gmail.com on December 12, 2013 08:53:03

Hopefully this is possible using Spring Security.

Summary: HTTP-Digest Authentication doesn't work (was: HTTP-Digest-Authentication broken in psi-probe, but working in Tomcat Manager)
Status: Accepted