Apache Tomcat Maven Plugin
  1. Apache Tomcat Maven Plugin
  2. MTOMCAT-151

Empty password prevents preemptive authentication headers from being sent

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-beta-1
    • Fix Version/s: 2.0
    • Component/s: commons-lib
    • Labels:
      None

      Description

      Default username for auth is admin, default password is "" ( empty string ).

      Problem is when password is empty string, TomcatManager.java does not send auth headers, so deploy and deploy-only goals fail with 401 after appearing to upload the war successfully.

      Seems to have been introduced by this.

      The line in question is 171 of which decides what to do about auth.

      if ( StringUtils.isNotEmpty( username ) && StringUtils.isNotEmpty( password ) )
      

      Workaround: set a non-empty password for the user accessing /manager/text.

      Expected: blank password to trigger preemptive auth headers.

      Proof that TomcatManager didn't send auth headers pre-emptively for empty password(default)
      > mvn -Pstaging tomcat7:deploy-only -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog -Dorg.apache.commons.logging.simplelog.showdatetime=true -Dorg.apache.commons.logging.simplelog.log.org.apache.http=DEBUG -Dorg.apache.commons.logging.simplelog.log.org.apache.http.wire=INFO
      [INFO] Scanning for projects...
      [INFO]                                                                         
      [INFO] ------------------------------------------------------------------------
      [INFO] Building My WAR 1.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- tomcat7-maven-plugin:2.0-SNAPSHOT:deploy-only (default-cli) @ my-webapp ---
      [INFO] Deploying war to http://172.16.2.16:18080/my-webapp  
      2012/05/11 11:16:21:623 NDT [DEBUG] PoolingClientConnectionManager - Connection request: [route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 5]
      2012/05/11 11:16:21:650 NDT [DEBUG] PoolingClientConnectionManager - Connection leased: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 5]
      2012/05/11 11:16:21:655 NDT [DEBUG] DefaultClientConnectionOperator - Connecting to 172.16.2.16:18080
      2012/05/11 11:16:21:761 NDT [DEBUG] RequestAddCookies - CookieSpec selected: best-match
      2012/05/11 11:16:21:775 NDT [DEBUG] RequestAuthCache - Auth cache not set in the context
      2012/05/11 11:16:21:776 NDT [DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
      2012/05/11 11:16:21:777 NDT [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
      2012/05/11 11:16:21:777 NDT [DEBUG] DefaultHttpClient - Attempt 1 to execute request
      2012/05/11 11:16:21:777 NDT [DEBUG] DefaultClientConnection - Sending request: PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
      2012/05/11 11:16:21:779 NDT [DEBUG] headers - >> PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> User-Agent: Apache Tomcat Maven Plugin/2.0-SNAPSHOT
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Content-Length: 13269693
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Host: 172.16.2.16:18080
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Connection: Keep-Alive
      Uploading: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true
      Uploaded: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true (12959 KB at 215.5 KB/sec)
      
      2012/05/11 11:17:21:919 NDT [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << HTTP/1.1 401 Unauthorized
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Server: Apache-Coyote/1.1
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Cache-Control: private
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Expires: Wed, 31 Dec 1969 18:00:00 CST
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << WWW-Authenticate: Basic realm="Tomcat Manager Application"
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Set-Cookie: JSESSIONID=6AEFCEADD39F891A0CFED0AD73EE512F; Path=/manager/; HttpOnly
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Content-Type: text/html;charset=ISO-8859-1
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Transfer-Encoding: chunked
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Date: Fri, 11 May 2012 13:46:21 GMT
      2012/05/11 11:17:21:927 NDT [DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: JSESSIONID][value: 6AEFCEADD39F891A0CFED0AD73EE512F][domain: 172.16.2.16][path: /manager/][expiry: null]". 
      2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
      2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - 172.16.2.16:18080 requested authentication
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, NTLM, Digest, Basic]
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme not available
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
      2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection [id: 0][route: {}->http://172.16.2.16:18080] can be kept alive indefinitely
      2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection released: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 5]
      [INFO] tomcatManager status code:401, ReasonPhrase:Unauthorized
      [INFO] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
      [INFO] <html>
      [INFO]  <head>
      [INFO]   <title>401 Unauthorized</title>
      [INFO]   <style type="text/css">
      [INFO]     <!--
      [INFO]     BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
      [INFO]     H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
      [INFO]     PRE, TT {border: 1px dotted #525D76}
      [INFO]     A {color : black;}A.name {color : black;}
      [INFO]     -->
      [INFO]   </style>
      [INFO]  </head>
      [INFO]  <body>
      [INFO]    <h1>401 Unauthorized</h1>
      [INFO]    <p>
      [INFO]     You are not authorized to view this page. If you have not changed
      [INFO]     any configuration files, please examine the file
      [INFO]     <tt>conf/tomcat-users.xml</tt> in your installation. That
      [INFO]     file must contain the credentials to let you use this webapp.
      [INFO]    </p>
      [INFO]    <p>
      [INFO]     For example, to add the <tt>manager-gui</tt> role to a user named
      [INFO]     <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
      [INFO]     config file listed above.
      [INFO]    </p>
      [INFO] <pre>
      [INFO] &lt;role rolename="manager-gui"/&gt;
      [INFO] &lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
      [INFO] </pre>
      [INFO]    <p>
      [INFO]     Note that for Tomcat 7 onwards, the roles required to use the manager
      [INFO]     application were changed from the single <tt>manager</tt> role to the
      [INFO]     following four roles. You will need to assign the role(s) required for
      [INFO]     the functionality you wish to access.
      [INFO]    </p>
      [INFO]     <ul>
      [INFO]       <li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
      [INFO]           pages</li>
      [INFO]       <li><tt>manager-script</tt> - allows access to the text interface and the
      [INFO]           status pages</li>
      [INFO]       <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
      [INFO]           pages</li>
      [INFO]       <li><tt>manager-status</tt> - allows access to the status pages only</li>
      [INFO]     </ul>
      [INFO]    <p>
      [INFO]     The HTML interface is protected against CSRF but the text and JMX interfaces
      [INFO]     are not. To maintain the CSRF protection:
      [INFO]    </p>
      [INFO]    <ul>
      [INFO]     <li>Users with the <tt>manager-gui</tt> role should not be granted either
      [INFO]         the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
      [INFO]     <li>If the text or jmx interfaces are accessed through a browser (e.g. for
      [INFO]         testing since these interfaces are intended for tools not humans) then
      [INFO]         the browser must be closed afterwards to terminate the session.</li>
      [INFO]    </ul>
      [INFO]    <p>
      [INFO]     For more information - please see the
      [INFO]     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
      [INFO]    </p>
      [INFO]  </body>
      [INFO] </html>
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD SUCCESS
      [INFO] ------------------------------------------------------------------------
      [INFO] Total time: 1:02.630s
      [INFO] Finished at: Fri May 11 11:17:21 NDT 2012
      [INFO] Final Memory: 11M/265M
      [INFO] ------------------------------------------------------------------------
      
      

        Activity

        Hide
        Olivier Lamy (*$^¨%`£) added a comment -

        Fixed.
        Thanks for report (even if I'm not sure empty password is a good idea ).

        Show
        Olivier Lamy (*$^¨%`£) added a comment - Fixed. Thanks for report (even if I'm not sure empty password is a good idea ).
        Hide
        Hudson added a comment -

        Integrated in TomcatMavenPlugin-mvn3.x #149 (See https://builds.apache.org/job/TomcatMavenPlugin-mvn3.x/149/)
        MTOMCAT-151 Empty password prevents preemptive authentication headers from being sent (Revision 1337356)

        Result = SUCCESS
        olamy : http://svn.apache.org/viewvc/?view=rev&rev=1337356
        Files :

        • /tomcat/maven-plugin/trunk/common-tomcat-maven-plugin/src/main/java/org/apache/tomcat/maven/common/deployer/TomcatManager.java
        Show
        Hudson added a comment - Integrated in TomcatMavenPlugin-mvn3.x #149 (See https://builds.apache.org/job/TomcatMavenPlugin-mvn3.x/149/ ) MTOMCAT-151 Empty password prevents preemptive authentication headers from being sent (Revision 1337356) Result = SUCCESS olamy : http://svn.apache.org/viewvc/?view=rev&rev=1337356 Files : /tomcat/maven-plugin/trunk/common-tomcat-maven-plugin/src/main/java/org/apache/tomcat/maven/common/deployer/TomcatManager.java

          People

          • Assignee:
            Olivier Lamy (*$^¨%`£)
            Reporter:
            Peter lynch
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development