Bug 52983 - DIGEST auth broken on 6.0.x manager app because of redundant WWW-Authenticate header in 401.jsp
Summary: DIGEST auth broken on 6.0.x manager app because of redundant WWW-Authenticate...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Manager application (show other bugs)
Version: 6.0.35
Hardware: All All
: P2 normal (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-26 04:08 UTC by Neale Rudd
Modified: 2012-05-28 22:33 UTC (History)
0 users



Attachments
patch against 6.0.x trunk removing problematic lines from 401.jsp (589 bytes, patch)
2012-03-26 04:08 UTC, Neale Rudd
Details | Diff
patch against 6.0.x trunk eliminating redundant header after checking if it already exists (652 bytes, patch)
2012-03-26 04:09 UTC, Neale Rudd
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Neale Rudd 2012-03-26 04:08:42 UTC
Created attachment 28505 [details]
patch against 6.0.x trunk removing problematic lines from 401.jsp

The Manager app in 6.0.35 sets WWW-Authenticate in 401.jsp.

However, this seems to be already set elsewhere, and as a result of setting it again in 401.jsp, DIGEST mode can not be used for the manager app.

From what I can see, this is fixed in 7.0.x but doesn't seem to have been backported to 6.0.x yet.

The result is that DIGEST for Tomcat Manager can't be used on Tomcat 6 which is still very popular.

To demonstrate, I changed 401.jsp to set the header name to WWW-AuthenticateREDUNDANT and here is the result:

For BASIC:

HTTP/1.1 401 Unauthorized
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Set-Cookie: JSESSIONID=****removed****; Path=/manager
WWW-AuthenticateREDUNDANT: Basic realm="Tomcat Manager Application"
Content-Type: text/html
Transfer-Encoding: chunked
Vary: Accept-Encoding
Date: Mon, 26 Mar 2012 03:39:09 GMT
Server: Coyote

For DIGEST:

HTTP/1.1 401 Unauthorized
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Digest realm="Tomcat Manager Application", qop="auth", nonce="****removed****", opaque="****removed****"
Set-Cookie: JSESSIONID=****removed****; Path=/manager
WWW-AuthenticateREDUNDANT: Basic realm="Tomcat Manager Application"
Content-Type: text/html
Transfer-Encoding: chunked
Vary: Accept-Encoding
Date: Mon, 26 Mar 2012 03:44:07 GMT
Server: Coyote

You can clearly see the REDUNDANT header being set here by 401.jsp.

To fix on my local versions, I simply removed the line in 401.jsp (patch1.txt).

However, this deserves a cross-check by someone else before being committed in case there's some situation where it would remove authentication altogether.

An alternative solution for this version is to check if the header is set, and only add it where it's not already present (patch2.txt):

  if(!response.containsHeader("WWW-Authenticate"))
    response.setHeader("WWW-Authenticater", "Basic realm=\"Tomcat Manager Application\"");

... but I'll leave that up to you.

Best Regards,
Neale
Comment 1 Neale Rudd 2012-03-26 04:09:36 UTC
Created attachment 28506 [details]
patch against 6.0.x trunk eliminating redundant header after checking if it already exists
Comment 2 Mark Thomas 2012-03-29 14:16:08 UTC
I've proposed the fix that was applied to trunk and 7.0.x for 6.0.x.
Comment 3 Konstantin Kolinko 2012-05-28 22:33:00 UTC
Fixed in 6.0 by r1343369 and r1343405 and will be in 6.0.36

In 7.0 it is already fixed by r1084103 which is included in 7.0.12.