Tomcat – Digest Authentication

Digest authentication is one of the authentication types available on a web server. It is very similar to Basic authentication; the main difference is that it works with a digested (hashed) password. That digested password is stored in the Realm implementation, which lets you keep a hashed password, rather than clear text, on your web server.

In this article I’ll show you how to set up digest authentication on Tomcat 7.

In the previous article I described how to use basic authentication on a GlassFish server. It works well and, together with an SSL layer, gives you a good level of security.

In that scenario you have to put your password in clear text in your Realm implementation (the default implementation used on Tomcat is located in the WEB-INF/web.xml file). In the default configuration the passwords are stored, in clear text, inside the tomcat-users.xml file.

If you’d like to avoid writing a clear-text password in a file under the web server, you can use a ‘digest’ password while keeping the same behaviour as Basic authentication.

Let’s go to see how it works.

First, generate a digest password from your username, realm name and password:

C:\apache-tomcat-7.0.23\bin\digest -a SHA role1:Digest:tomcat
role1:Digest:tomcat:7ae6875fc8dae751b0dae641da40239596427566

Next, put it inside the conf/tomcat-users.xml file.

<user name="role1" password="7ae6875fc8dae751b0dae641da40239596427566" roles="role1" />

Now it’s time to configure the web.xml inside the web app.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
    <display-name>OrderSecurityDigest</display-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MySecureResource</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>Digest</realm-name>
    </login-config>
</web-app>

Browsing to the URL http://localhost:8080/OrderSecurityDigest you’ll see the authentication popup. Enter your correct password (in clear text) and you’ll be authenticated into the web application.

Another interesting thing is the communication between the client and the server:

Authorization: Digest username="role1", realm="Digest", nonce="1341216860988:9e5c9ca69c2da31090dfa800d4903f1f", uri="/OrderSecurityDigest/", cnonce="779639542ec4763a54d4ffc720610778", nc=00000001, response="7ab0267c538298c72eeb5b9a2070db33", qop="auth", opaque="FFEAFA67F1EA622D2C11A7BB5E487ACE"
As you can see, no clear-text password can be read from this call: the response field carries a hash, not the password. Not bad.

More references are available on the official Tomcat web site: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested_Passwords

UPDATE TOMCAT 7

I’ve noticed that this example doesn’t work on Tomcat 7. That’s because, from the official documentation, “If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different and the digest must use the MD5 algorithm”. So, the steps are:

Activate the MemoryRealm in server.xml:

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="md5" />

Define the role and the user in tomcat-users.xml:

<role rolename="manager-gui"/>
<user username="sysadmin" password="540a9c1784e90890e640dc4d296b4c10" roles="manager,admin"/>

And finally, my web.xml:

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">
    <display-name>OrderSecurityDigest</display-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MySecureResource</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

My password generation:

digest -a md5 sysadmin:myrealm:mypassword
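As an added example (not from this article and not Tomcat’s own code), the Python below shows what the MD5 digest step above and the Authorization header shown earlier actually compute: HA1 = MD5(username:realm:password) is the value tomcat-users.xml stores, and the server checks the header’s response field from that stored value alone, so the clear password is neither on disk nor on the wire. The nonce, cnonce and the sample user/password are constructed values.

```python
import hashlib
import hmac
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """Same value as `digest -a md5 username:realm:password`, i.e. what tomcat-users.xml stores."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 'response' for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # "quoted" (may be empty) or bare, like nc=00000001

def parse_authorization(header: str) -> dict:
    """Parse 'Digest username="...", nc=00000001, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in _PARAM.finditer(params)}

def build_authorization(username: str, realm: str, password: str, method: str, uri: str,
                        nonce: str, cnonce: str, nc: str = "00000001", opaque: str = "") -> str:
    """Client side: the header a browser sends after the server's Digest challenge."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'cnonce="{cnonce}", nc={nc}, response="{resp}", qop="auth", opaque="{opaque}"')

def verify(header: str, method: str, stored_ha1: dict) -> bool:
    """Server side: recompute the response from the stored HA1; the clear password is never needed."""
    try:
        p = parse_authorization(header)
        if p.get("qop", "auth") != "auth" or p["username"] not in stored_ha1:
            return False
        expected = digest_response(stored_ha1[p["username"]], method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"])
        return hmac.compare_digest(expected, p["response"])  # constant-time comparison
    except (KeyError, ValueError, TypeError):
        return False

if __name__ == "__main__":  # constructed sample: the article's user and realm, made-up nonces
    stored = {"sysadmin": ha1("sysadmin", "myrealm", "mypassword")}
    hdr = build_authorization("sysadmin", "myrealm", "mypassword", "GET",
                              "/OrderSecurityDigest/", "1341216860988:c0ffee", "779639542ec4")
    print(hdr, "\nvalid:", verify(hdr, "GET", stored))  # "mypassword" never appears in the header
```

Because HA1 is bound to the realm name, the value produced for myrealm is useless against a server whose login-config names a different realm, which is why the realm in the digest command must match web.xml.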