Details
Bug
Status: Closed
Major
Resolution: Fixed
2.0-beta-1
None
Description
Default username for auth is admin, default password is "" (empty string).
The problem is that when the password is an empty string, TomcatManager.java does not send auth headers, so the deploy and deploy-only goals fail with 401 after appearing to upload the war successfully.
Seems to have been introduced by this.
The line in question is 171 of which decides what to do about auth.
if ( StringUtils.isNotEmpty( username ) && StringUtils.isNotEmpty( password ) )
Workaround: set a non-empty password for the user accessing /manager/text.
Expected: blank password to trigger preemptive auth headers.
Proof that TomcatManager didn't send auth headers pre-emptively for an empty password (the default):
> mvn -Pstaging tomcat7:deploy-only -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog -Dorg.apache.commons.logging.simplelog.showdatetime=true -Dorg.apache.commons.logging.simplelog.log.org.apache.http=DEBUG -Dorg.apache.commons.logging.simplelog.log.org.apache.http.wire=INFO
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building My WAR 1.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- tomcat7-maven-plugin:2.0-SNAPSHOT:deploy-only (default-cli) @ my-webapp ---
[INFO] Deploying war to http://172.16.2.16:18080/my-webapp
2012/05/11 11:16:21:623 NDT [DEBUG] PoolingClientConnectionManager - Connection request: [route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 5]
2012/05/11 11:16:21:650 NDT [DEBUG] PoolingClientConnectionManager - Connection leased: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 5]
2012/05/11 11:16:21:655 NDT [DEBUG] DefaultClientConnectionOperator - Connecting to 172.16.2.16:18080
2012/05/11 11:16:21:761 NDT [DEBUG] RequestAddCookies - CookieSpec selected: best-match
2012/05/11 11:16:21:775 NDT [DEBUG] RequestAuthCache - Auth cache not set in the context
2012/05/11 11:16:21:776 NDT [DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
2012/05/11 11:16:21:777 NDT [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
2012/05/11 11:16:21:777 NDT [DEBUG] DefaultHttpClient - Attempt 1 to execute request
2012/05/11 11:16:21:777 NDT [DEBUG] DefaultClientConnection - Sending request: PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
2012/05/11 11:16:21:779 NDT [DEBUG] headers - >> PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> User-Agent: Apache Tomcat Maven Plugin/2.0-SNAPSHOT
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Content-Length: 13269693
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Host: 172.16.2.16:18080
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Connection: Keep-Alive
Uploading: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true
Uploaded: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true (12959 KB at 215.5 KB/sec)
2012/05/11 11:17:21:919 NDT [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << HTTP/1.1 401 Unauthorized
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Server: Apache-Coyote/1.1
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Cache-Control: private
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Expires: Wed, 31 Dec 1969 18:00:00 CST
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << WWW-Authenticate: Basic realm="Tomcat Manager Application"
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Set-Cookie: JSESSIONID=6AEFCEADD39F891A0CFED0AD73EE512F; Path=/manager/; HttpOnly
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Content-Type: text/html;charset=ISO-8859-1
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Transfer-Encoding: chunked
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Date: Fri, 11 May 2012 13:46:21 GMT
2012/05/11 11:17:21:927 NDT [DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: JSESSIONID][value: 6AEFCEADD39F891A0CFED0AD73EE512F][domain: 172.16.2.16][path: /manager/][expiry: null]".
2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - 172.16.2.16:18080 requested authentication
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, NTLM, Digest, Basic]
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme not available
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection [id: 0][route: {}->http://172.16.2.16:18080] can be kept alive indefinitely
2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection released: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 5]
[INFO] tomcatManager status code:401, ReasonPhrase:Unauthorized
[INFO] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
[INFO] <html>
[INFO] <head>
[INFO] <title>401 Unauthorized</title>
[INFO] <style type="text/css">
[INFO] <!--
[INFO] BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
[INFO] H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
[INFO] PRE, TT {border: 1px dotted #525D76}
[INFO] A {color : black;}A.name {color : black;}
[INFO] -->
[INFO] </style>
[INFO] </head>
[INFO] <body>
[INFO] <h1>401 Unauthorized</h1>
[INFO] <p>
[INFO] You are not authorized to view this page. If you have not changed
[INFO] any configuration files, please examine the file
[INFO] <tt>conf/tomcat-users.xml</tt> in your installation. That
[INFO] file must contain the credentials to let you use this webapp.
[INFO] </p>
[INFO] <p>
[INFO] For example, to add the <tt>manager-gui</tt> role to a user named
[INFO] <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
[INFO] config file listed above.
[INFO] </p>
[INFO] <pre>
[INFO] <role rolename="manager-gui"/>
[INFO] <user username="tomcat" password="s3cret" roles="manager-gui"/>
[INFO] </pre>
[INFO] <p>
[INFO] Note that for Tomcat 7 onwards, the roles required to use the manager
[INFO] application were changed from the single <tt>manager</tt> role to the
[INFO] following four roles. You will need to assign the role(s) required for
[INFO] the functionality you wish to access.
[INFO] </p>
[INFO] <ul>
[INFO] <li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
[INFO] pages</li>
[INFO] <li><tt>manager-script</tt> - allows access to the text interface and the
[INFO] status pages</li>
[INFO] <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
[INFO] pages</li>
[INFO] <li><tt>manager-status</tt> - allows access to the status pages only</li>
[INFO] </ul>
[INFO] <p>
[INFO] The HTML interface is protected against CSRF but the text and JMX interfaces
[INFO] are not. To maintain the CSRF protection:
[INFO] </p>
[INFO] <ul>
[INFO] <li>Users with the <tt>manager-gui</tt> role should not be granted either
[INFO] the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
[INFO] <li>If the text or jmx interfaces are accessed through a browser (e.g. for
[INFO] testing since these interfaces are intended for tools not humans) then
[INFO] the browser must be closed afterwards to terminate the session.</li>
[INFO] </ul>
[INFO] <p>
[INFO] For more information - please see the
[INFO] <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
[INFO] </p>
[INFO] </body>
[INFO] </html>
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:02.630s
[INFO] Finished at: Fri May 11 11:17:21 NDT 2012
[INFO] Final Memory: 11M/265M
[INFO] ------------------------------------------------------------------------
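The check quoted in the description, reduced to a stand-alone comparison (an added example, not the plugin's code or its actual fix). It shows why an empty password suppresses the Authorization header seen missing in the log above, although HTTP Basic credentials with an empty password are well-formed. The class name, `correctedCheck` and the sample cases are hypothetical, and only JDK classes are used in place of commons-lang `StringUtils`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PreemptiveAuthCheck {

    // JDK-only stand-in for StringUtils.isNotEmpty from the quoted line.
    static boolean isNotEmpty(String s) {
        return s != null && !s.isEmpty();
    }

    // Predicate as quoted in the report: an empty password disables auth entirely.
    static boolean reportedCheck(String username, String password) {
        return isNotEmpty(username) && isNotEmpty(password);
    }

    // Hypothetical corrected predicate (assumption, not the project's fix):
    // a username is required; null means "no password configured",
    // while "" is a legitimate password value.
    static boolean correctedCheck(String username, String password) {
        return isNotEmpty(username) && password != null;
    }

    // Basic credentials are base64(username ":" password); the part after
    // the colon may be empty.
    static String basicHeader(String username, String password) {
        String pair = username + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed cases: the plugin default from the report, a
        // non-empty password (the workaround), and no username at all.
        String[][] cases = { {"admin", ""}, {"admin", "s3cret"}, {"", ""} };
        for (String[] c : cases) {
            boolean before = reportedCheck(c[0], c[1]);
            boolean after = correctedCheck(c[0], c[1]);
            System.out.printf("user=%-6s password=%-8s reported=%-5b corrected=%-5b header=%s%n",
                    "\"" + c[0] + "\"", "\"" + c[1] + "\"", before, after,
                    after ? basicHeader(c[0], c[1]) : "(none sent)");
        }
    }
}
```

The reported workaround of setting a non-empty password makes both predicates agree, which is why it restores the header.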