I have a Tomcat server running (not for topbarbee anymore) and wanted to put a bit more security around logins to it. So I wanted to do two things –
- Add digested passwords in Tomcat’s tomcat-users.xml
- Make logins sent from the web browser use digest authentication
Simple, no?
First, it appears that the digest authentication mechanism only supports MD5, which is a strike against it right off. I tried SHA-256 and even SHA, but neither worked; I assume this is because the browser only supports MD5 for digest authentication. Still, MD5 is better than plaintext, so I’m going with it. Mind, I also generally require secure connections, so that really covers it, but I like having the digest auth there too in case someone slips up and doesn’t use the secure connection. I realize I could also force a secure connection in Tomcat, but I have another web server for the front end and I couldn’t figure out how to make the proxying force secure connections for the Tomcat auth. Perhaps that’ll be a later day’s post; it’s probably something simple too.
For 1 – Add digested passwords in Tomcat’s tomcat-users.xml
To digest passwords in Tomcat you just need to edit server.xml, find the Realm section, and add the digest attribute like one of the lines below (MD5 or SHA-256):
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="MD5"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA-256"/>
Then you need to update your login info in tomcat-users.xml to use the digested version of the password:
<user username="role1" password="7aed333e4ace5addb25069849b40a1ae5935a4e653d2467928453906598b90f5" roles="role1"/>
You can get that value a number of ways. It is easiest to just use Tomcat’s digest script (which lives in the Tomcat bin folder) like so:
./digest.sh -a MD5 password
For 2 – Make logins sent from the web browser use digest authentication
To do this you need to edit the web.xml for your application so that the application supports digest authentication for a given realm. That means adding the following bits to your web.xml.
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>Realm</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>
Restricted Zone for me
</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>
The role that is required to access these pages
</description>
<role-name>role1</role-name>
</security-role>
In this snippet I reference the same role1 as in tomcat-users.xml. I also call the realm ‘Realm’. You could call it anything, but it ties into the next step. Next you need to create a digested password to put into tomcat-users.xml that references the realm you specified above. To do that you call digest.sh with a bit more info:
./digest.sh -a MD5 user:realm:password
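To make it clear why the digest stored for DIGEST auth has to be built from user:realm:password rather than from the password alone, here is an added example (not code from the post or from Tomcat) that walks through the RFC 2617 exchange with qop=auth: the server challenge, the browser’s response computed from the typed password and the challenge’s realm, and the server check that uses only the stored digest. It assumes that `digest.sh -a MD5 user:realm:password` prints the hex MD5 of exactly that string (the RFC 2617 HA1 value); the user dictionary, nonces and the placeholder password "password" are constructed for the example.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string; MD5 is what HTTP Digest auth (RFC 2617) uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_digest(username: str, realm: str, password: str) -> str:
    """The value to put in tomcat-users.xml for DIGEST auth.

    This is HA1 from RFC 2617, MD5("user:realm:password"), and is assumed to
    match what `digest.sh -a MD5 user:realm:password` prints. The realm is
    baked into the hash, so the stored value only works for that realm.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def server_challenge(realm: str) -> dict:
    """Fields the server sends in its WWW-Authenticate: Digest header."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}


def client_response(username: str, password: str, challenge: dict,
                    method: str, uri: str, nc: str = "00000001",
                    cnonce: str = "") -> dict:
    """Fields the browser sends back in its Authorization: Digest header.

    The browser hashes the typed password with the realm from the challenge;
    the plaintext password itself never goes over the wire.
    """
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(
        f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
        "nc": nc, "cnonce": cnonce, "response": response,
    }


def server_verify(auth: dict, challenge: dict, users: dict, method: str) -> bool:
    """Server-side check using only the stored HA1 (the tomcat-users.xml value).

    `users` maps username -> stored digest, standing in for tomcat-users.xml.
    The server never needs the plaintext password.
    """
    ha1 = users.get(auth.get("username"))
    if ha1 is None:
        return False
    # The response must be for the nonce and realm this server actually issued.
    if auth.get("nonce") != challenge["nonce"] or auth.get("realm") != challenge["realm"]:
        return False
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(
        f"{ha1}:{challenge['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}")
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(expected, auth.get("response", ""))


def demo() -> dict:
    """Run the exchange for the post's role1 / Realm setup with constructed values."""
    realm = "Realm"
    # Constructed stand-in for tomcat-users.xml, using the placeholder password "password".
    users = {"role1": stored_digest("role1", realm, "password")}
    challenge = server_challenge(realm)

    good = client_response("role1", "password", challenge, "GET", "/")
    bad_pw = client_response("role1", "wrong", challenge, "GET", "/")
    # Same user and password, but the digest was generated for a different realm.
    other_realm_users = {"role1": stored_digest("role1", "Other", "password")}
    # A step-1 style digest of the bare password does not work for DIGEST auth.
    bare_md5_users = {"role1": md5_hex("password")}

    return {
        "correct": server_verify(good, challenge, users, "GET"),
        "wrong_password": server_verify(bad_pw, challenge, users, "GET"),
        "wrong_realm": server_verify(good, challenge, other_realm_users, "GET"),
        "bare_password_digest": server_verify(good, challenge, bare_md5_users, "GET"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows only the first case accepted: a wrong password, a digest generated for another realm, and a plain MD5 of the password (the step-1 form) are all rejected, which is why the realm name in web.xml and the one given to digest.sh have to agree.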
One other thing to note: as far as I can tell, you cannot use the same username across multiple realms, since a user can only have one password and you cannot enter the same user twice in tomcat-users.xml. Correct me if I’m wrong. Perhaps it works with a different Tomcat user realm, but I can live with realm-specific usernames for now.
Hopefully that saves someone time (perhaps even a year-older me)!