https://issues.apache.org/bugzilla/show_bug.cgi?id=52557

             Bug #: 52557
           Summary: DIGEST AUTH is broken
           Product: Tomcat 6
           Version: 6.0.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: sa...@schuldeigen.de
    Classification: Unclassified


Hi,

we have some weird issues since we tried to switch from Tomcat 6.0.32 to 6.0.35.
We're using authentication with DIGEST, and we saw a big rewrite in 6.0.33; the
rewrite was necessary (as stated in the changelog) because DIGEST didn't really
work.

When we try to enable 6.0.35, some clients don't have any problem and some
clients have periodic issues (20 to 80% fail, depending on the client or the
location, i.e. accessed locally or via the network). "curl" is one of them, and
so maybe most of the clients using libcurl or whatever.

The quicker the requests are sent (while loop), the more errors occur, so maybe
it's a timing issue (a timestamp in the nonce, maybe?).


System in use:

  production systems:
    Server side:
     - JAVA:
        java -version
        java version "1.6.0_24"
        Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
        Java HotSpot(TM) Server VM (build 19.1-b02, mixed mode)
     - Kernel:
        2.6.35 (self compiled)

    Client side (for curl tests):
     - same as on the server (the test also worked on the server side using
       localhost)

  local system for testing with vanilla stuff:
     - JAVA:
        java -version
        java version "1.6.0_26"
        Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
        Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
     - Kernel:
        3.1.0-1-amd64 (Debian Testing)



What we see:

  curl to a DIGEST-secured page gives the normal 401 response with
  WWW-Authenticate in it, and the second request gives a 200 OK. But the
  directly following request fails with a 401 on the second response as well.

How to reproduce:

  Download the Tomcat 6.0.35 package from
  http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.35/src/apache-tomcat-6.0.35-src.tar.gz
  and extract it somewhere.
  Use the patches below to enable DIGEST for the http://localhost:8080/manager/html
  site and execute the following multiple times (in a while loop, maybe with a
  sleep of 0.2):

  curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null

  When I test it with:

  while :; do echo "ccccc"; curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null | egrep "(HTTP|Auth)" | grep 200; sleep 1; done

  there are no errors, but with

  while :; do echo "ccccc"; curl localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null | egrep "(HTTP|Auth)" | grep 200; sleep 0.5; done

  there are sometimes errors, and with a sleep of 0.1 there are many, many
  errors.

################################ PATCHES ##################################

=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u conf/server.xml output/build/conf/server.xml
--- conf/server.xml     2011-11-28 11:22:44.000000000 +0100
+++ output/build/conf/server.xml        2012-01-26 14:05:25.000000000 +0100
@@ -120,7 +120,8 @@
            that are performed against this UserDatabase are immediately
            available for use by the Realm.  -->
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
+             resourceName="UserDatabase"
+             digest="MD5" />

       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.
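Review bot: adding `digest="MD5"` to this Realm changes how every credential in the UserDatabase is compared, not only the manager user's, so any other `<user>` entries in tomcat-users.xml that still hold clear-text passwords will stop authenticating once this is applied. For DIGEST auth the stored value has to be MD5 of `username:realm:password`, with the realm string identical to the `<realm-name>` in web.xml; the digest.sh command further down produces exactly that form.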
=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u conf/tomcat-users.xml output/build/conf/tomcat-users.xml
--- conf/tomcat-users.xml       2011-11-28 11:22:44.000000000 +0100
+++ output/build/conf/tomcat-users.xml  2012-01-26 14:06:12.000000000 +0100
@@ -26,6 +26,8 @@
   and thus are ignored when reading this file. Do not forget to remove
   <!.. ..> that surrounds them.
 -->
+  <role rolename="manager"/>
+  <user username="test" password="8d6db5856fdcd4d166914bfda9ffda86"
roles="manager"/>
 <!--
   <role rolename="tomcat"/>
   <role rolename="role1"/>
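Review bot: the `password` attribute in the new `<user>` line is the HA1 value of the Digest scheme, and for DIGEST authentication HA1 is password-equivalent: a client that knows this hex string can build a valid `response` without ever knowing the clear-text password, so tomcat-users.xml needs the same file permissions as if it held the password in the clear. The new `<user ... password="8d6db..."` element is also wrapped across two lines by the mailer; paste it as a single line when applying the patch by hand.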
=============================================
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ diff -u webapps/manager/WEB-INF/web.xml output/build/webapps/manager/WEB-INF/web.xml
--- webapps/manager/WEB-INF/web.xml     2011-11-28 11:22:46.000000000 +0100
+++ output/build/webapps/manager/WEB-INF/web.xml        2012-01-26
14:06:01.000000000 +0100
@@ -248,8 +248,8 @@

   <!-- Define the Login Configuration for this Application -->
   <login-config>
-    <auth-method>BASIC</auth-method>
-    <realm-name>Tomcat Manager Application</realm-name>
+    <auth-method>DIGEST</auth-method>
+    <realm-name>Tomcat Manager Application TEST</realm-name>
   </login-config>

   <!-- Security roles referenced by this web application -->
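Review bot: with `<auth-method>DIGEST</auth-method>` the `<realm-name>` stops being a cosmetic label and becomes an input to the stored hash, so the "TEST" suffix introduced here is effectively part of the credential: the digest.sh invocation below uses this exact string, and reverting the name to "Tomcat Manager Application" later would require regenerating the password in tomcat-users.xml.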
@@ -284,6 +284,7 @@
     <role-name>manager</role-name>
   </security-role>

+<!--
   <error-page>
     <error-code>401</error-code>
     <location>/401.jsp</location>
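Review bot: this hunk opens an XML comment (`<!--`) whose closing `-->` only arrives in the next hunk, so the two hunks must be applied together or web.xml is left malformed. Commenting out the custom 401/403 error pages is fine for isolating the authentication problem, but it should be marked as a test-only change rather than carried into a production deployment.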
@@ -292,5 +293,5 @@
     <error-code>403</error-code>
     <location>/403.jsp</location>
   </error-page>
-
+-->
 </web-app>
=============================================

################################ HOW THE PASSWORD STUFF WAS GENERATED ##################################

$ ./bin/digest.sh -a MD5 "test:Tomcat Manager Application TEST:test"
test:Tomcat Manager Application TEST:test:8d6db5856fdcd4d166914bfda9ffda86


################################ EXAMPLE OUTPUT ##################################

############# First run ###########
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ curl
localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...   % Total    % Received % Xferd  Average Speed   Time    Time
    Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0connected
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g 
> zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* additional stuff not fine transfer.c:1036: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth",
nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c",
opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:10:59 GMT
<
* Ignoring the response-body
{ [data not shown]
100   954  100   954    0     0   310k      0 --:--:-- --:--:-- --:--:--  465k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:8080/manager/html'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> Authorization: Digest username="test", realm="Tomcat Manager Application 
> TEST", nonce="1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c", 
> uri="/manager/html", cnonce="Mjc3NDU2", nc=00000001, qop="auth", 
> response="eb67cc859946b8c5ad37222be0cd8ab4", 
> opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g 
> zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* additional stuff not fine transfer.c:1036: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< Set-Cookie: JSESSIONID=F04781AE79D6D5F4B8F4C989E1B53F74; Path=/manager;
HttpOnly
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Date: Thu, 26 Jan 2012 13:10:59 GMT
<
{ [data not shown]
1661   954  1661 15851    0     0  1802k      0 --:--:-- --:--:-- --:--:--
1802k
* Connection #0 to host localhost left intact
* Closing connection #0





############# Second run directly after the first one ##########
seffenberg@siteop-25:~/tomcat/apache-tomcat-6.0.35-src$ curl
localhost:8080/manager/html -v --digest -u test:test 2>&1 > /dev/null
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...   % Total    % Received % Xferd  Average Speed   Time    Time
    Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0connected
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g 
> zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth",
nonce="1327583498775:abca97e062fa1078996f30ecd5702b4b",
opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:11:38 GMT
<
* Ignoring the response-body
{ [data not shown]
100   954  100   954    0     0   416k      0 --:--:-- --:--:-- --:--:--  931k
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:8080/manager/html'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Digest with user 'test'
> GET /manager/html HTTP/1.1
> Authorization: Digest username="test", realm="Tomcat Manager Application 
> TEST", nonce="1327583498775:abca97e062fa1078996f30ecd5702b4b", 
> uri="/manager/html", cnonce="Mjc3NDk1", nc=00000001, qop="auth", 
> response="62e4ddfadda157b2f4460431ebaa4e20", 
> opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
> User-Agent: curl/7.23.1 (x86_64-pc-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.0g 
> zlib/1.2.3.4 libidn/1.23 libssh2/1.2.8 librtmp/2.3
> Host: localhost:8080
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Tomcat Manager Application TEST", qop="auth",
nonce="1327583498776:6eccf77a482bee58433632f82e8ba695",
opaque="1E5BE98D669D910CFC2C975F9B1EDB30"
< Content-Type: text/html;charset=utf-8
< Content-Length: 954
< Date: Thu, 26 Jan 2012 13:11:38 GMT
<
{ [data not shown]
100   954  100   954    0     0   267k      0 --:--:-- --:--:-- --:--:--  267k
* Connection #0 to host localhost left intact
* Closing connection #0
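The following Python script is an added illustration, not part of this report and not Tomcat's code. It recomputes the RFC 2617 Digest `response` (qop="auth") from the values captured in the first run above, using the HA1 that digest.sh printed, and models a minimal server-side verifier whose nonce follows the `<millis>:<hash>` layout visible in the WWW-Authenticate headers. The MAC key, the 5-minute nonce TTL, the per-nonce nonce-count bookkeeping, and the `DigestServer`, `client_authorization` and `demo` names are my assumptions for the model, not Tomcat's implementation. `demo()` walks the 401/200 pattern from the report and shows which requests a correct verifier rejects (a replayed nonce-count, a stale nonce, a wrong password) and which it must accept (the next nonce-count on the same nonce).

```python
"""Constructed model of RFC 2617 Digest (qop="auth") around the report's curl capture.

Assumptions (mine, not Tomcat's code): the nonce layout "<millis>:<mac>" is modelled
after the nonces in the capture; the MAC key, TTL and nonce-count tracking are illustrative.
"""
import hashlib
import hmac

REALM = "Tomcat Manager Application TEST"            # realm-name from the web.xml patch
HA1_FROM_REPORT = "8d6db5856fdcd4d166914bfda9ffda86"  # digest.sh output in the report

# Parameters copied from the first run's Authorization header in the report.
CAPTURED = {
    "username": "test", "method": "GET", "uri": "/manager/html",
    "nonce": "1327583459726:bbe144d54df7614e8c6bcf0a42bc1a5c",
    "nc": "00000001", "cnonce": "Mjc3NDU2", "qop": "auth",
    "response": "eb67cc859946b8c5ad37222be0cd8ab4",
}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What tomcat-users.xml stores once the Realm has digest="MD5": MD5(user:realm:password).
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def captured_response_is_consistent() -> bool:
    """Recompute curl's 'response' from the captured header fields and the digest.sh HA1."""
    c = CAPTURED
    return digest_response(HA1_FROM_REPORT, c["method"], c["uri"], c["nonce"],
                           c["nc"], c["cnonce"], c["qop"]) == c["response"]


class DigestServer:
    """Minimal verifier: MAC-bound timestamped nonce, TTL check, strictly increasing nc."""

    def __init__(self, realm, users, key=b"constructed-server-key", nonce_ttl_ms=300_000):
        self.realm, self.users, self.key, self.ttl = realm, users, key, nonce_ttl_ms
        self.highest_nc = {}  # nonce -> highest nonce-count accepted so far

    def new_nonce(self, now_ms: int) -> str:
        mac = hmac.new(self.key, str(now_ms).encode(), "sha256").hexdigest()[:32]
        return f"{now_ms}:{mac}"

    def _nonce_ok(self, nonce: str, now_ms: int) -> bool:
        ts, _, mac = nonce.partition(":")
        if not ts.isdigit():
            return False
        expected = hmac.new(self.key, ts.encode(), "sha256").hexdigest()[:32]
        return hmac.compare_digest(mac, expected) and 0 <= now_ms - int(ts) <= self.ttl

    def authenticate(self, method, uri, p, now_ms) -> bool:
        stored = self.users.get(p.get("username"))
        if stored is None or not self._nonce_ok(p["nonce"], now_ms):
            return False
        nc = int(p["nc"], 16)
        if nc <= self.highest_nc.get(p["nonce"], 0):
            return False  # replayed or rewound nonce-count on an already-used nonce
        expected = digest_response(stored, method, uri, p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.highest_nc[p["nonce"]] = nc
        return True


def client_authorization(username, password, realm, method, uri, nonce, nc, cnonce):
    """What a client like curl sends back after the 401 challenge."""
    return {"username": username, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)}


def demo():
    """Walk the report's two-request pattern plus a few failure modes; returns the outcomes."""
    server = DigestServer(REALM, {"test": ha1("test", REALM, "test")})
    t0 = 1_327_583_459_726  # millisecond timestamp of the first captured nonce
    nonce = server.new_nonce(t0)
    args = ("test", "test", REALM, "GET", "/manager/html", nonce)
    first = server.authenticate("GET", "/manager/html", client_authorization(*args, "00000001", "Mjc3NDU2"), t0 + 5)
    replay = server.authenticate("GET", "/manager/html", client_authorization(*args, "00000001", "Mjc3NDU2"), t0 + 6)
    next_nc = server.authenticate("GET", "/manager/html", client_authorization(*args, "00000002", "Mjc3NDU3"), t0 + 7)
    stale = server.authenticate("GET", "/manager/html", client_authorization(*args, "00000003", "Mjc3NDU4"), t0 + 400_000)
    fresh = server.new_nonce(t0 + 8)
    bad_pw = server.authenticate("GET", "/manager/html",
                                 client_authorization("test", "wrong", REALM, "GET", "/manager/html", fresh, "00000001", "x"), t0 + 8)
    return first, replay, next_nc, stale, bad_pw


if __name__ == "__main__":
    print("captured response consistent with digest.sh HA1:", captured_response_is_consistent())
    print("first, replay, next_nc, stale, bad_pw =", demo())
```

`captured_response_is_consistent()` is the check worth running before filing this kind of regression: when curl's arithmetic agrees with the stored hash, a 401 on the very next request with a freshly issued nonce cannot be a credential problem, so the decision has to come from the server's nonce or nonce-count bookkeeping. In the model above that bookkeeping is keyed on the nonce string itself and a strictly increasing `nc`, which is why the second request with `nc=00000002` succeeds while the identical replay does not.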
