Apache Tomcat Maven Plugin
MTOMCAT-151

Empty password prevents preemptive authentication headers from being sent


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.0-beta-1
    • 2.0
    • commons-lib
    • None

    Description

      Default username for auth is admin, default password is "" (empty string).

      The problem is that when the password is an empty string, TomcatManager.java does not send auth headers, so the deploy and deploy-only goals fail with 401 after appearing to upload the war successfully.

      Seems to have been introduced by this.

      The line in question is 171 of TomcatManager.java, which decides what to do about auth.

      if ( StringUtils.isNotEmpty( username ) && StringUtils.isNotEmpty( password ) )
      

      Workaround: set a non-empty password for the user accessing /manager/text.

      Expected: blank password to trigger preemptive auth headers.

      Proof that TomcatManager didn't send auth headers pre-emptively for an empty password (the default):
      > mvn -Pstaging tomcat7:deploy-only -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog -Dorg.apache.commons.logging.simplelog.showdatetime=true -Dorg.apache.commons.logging.simplelog.log.org.apache.http=DEBUG -Dorg.apache.commons.logging.simplelog.log.org.apache.http.wire=INFO
      [INFO] Scanning for projects...
      [INFO]                                                                         
      [INFO] ------------------------------------------------------------------------
      [INFO] Building My WAR 1.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- tomcat7-maven-plugin:2.0-SNAPSHOT:deploy-only (default-cli) @ my-webapp ---
      [INFO] Deploying war to http://172.16.2.16:18080/my-webapp  
      2012/05/11 11:16:21:623 NDT [DEBUG] PoolingClientConnectionManager - Connection request: [route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 5]
      2012/05/11 11:16:21:650 NDT [DEBUG] PoolingClientConnectionManager - Connection leased: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 5]
      2012/05/11 11:16:21:655 NDT [DEBUG] DefaultClientConnectionOperator - Connecting to 172.16.2.16:18080
      2012/05/11 11:16:21:761 NDT [DEBUG] RequestAddCookies - CookieSpec selected: best-match
      2012/05/11 11:16:21:775 NDT [DEBUG] RequestAuthCache - Auth cache not set in the context
      2012/05/11 11:16:21:776 NDT [DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
      2012/05/11 11:16:21:777 NDT [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
      2012/05/11 11:16:21:777 NDT [DEBUG] DefaultHttpClient - Attempt 1 to execute request
      2012/05/11 11:16:21:777 NDT [DEBUG] DefaultClientConnection - Sending request: PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
      2012/05/11 11:16:21:779 NDT [DEBUG] headers - >> PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> User-Agent: Apache Tomcat Maven Plugin/2.0-SNAPSHOT
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Content-Length: 13269693
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Host: 172.16.2.16:18080
      2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Connection: Keep-Alive
      Uploading: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true
      Uploaded: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true (12959 KB at 215.5 KB/sec)
      
      2012/05/11 11:17:21:919 NDT [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << HTTP/1.1 401 Unauthorized
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Server: Apache-Coyote/1.1
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Cache-Control: private
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Expires: Wed, 31 Dec 1969 18:00:00 CST
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << WWW-Authenticate: Basic realm="Tomcat Manager Application"
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Set-Cookie: JSESSIONID=6AEFCEADD39F891A0CFED0AD73EE512F; Path=/manager/; HttpOnly
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Content-Type: text/html;charset=ISO-8859-1
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Transfer-Encoding: chunked
      2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Date: Fri, 11 May 2012 13:46:21 GMT
      2012/05/11 11:17:21:927 NDT [DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: JSESSIONID][value: 6AEFCEADD39F891A0CFED0AD73EE512F][domain: 172.16.2.16][path: /manager/][expiry: null]". 
      2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
      2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - 172.16.2.16:18080 requested authentication
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, NTLM, Digest, Basic]
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme not available
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
      2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
      2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection [id: 0][route: {}->http://172.16.2.16:18080] can be kept alive indefinitely
      2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection released: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 5]
      [INFO] tomcatManager status code:401, ReasonPhrase:Unauthorized
      [INFO] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
      [INFO] <html>
      [INFO]  <head>
      [INFO]   <title>401 Unauthorized</title>
      [INFO]   <style type="text/css">
      [INFO]     <!--
      [INFO]     BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
      [INFO]     H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
      [INFO]     PRE, TT {border: 1px dotted #525D76}
      [INFO]     A {color : black;}A.name {color : black;}
      [INFO]     -->
      [INFO]   </style>
      [INFO]  </head>
      [INFO]  <body>
      [INFO]    <h1>401 Unauthorized</h1>
      [INFO]    <p>
      [INFO]     You are not authorized to view this page. If you have not changed
      [INFO]     any configuration files, please examine the file
      [INFO]     <tt>conf/tomcat-users.xml</tt> in your installation. That
      [INFO]     file must contain the credentials to let you use this webapp.
      [INFO]    </p>
      [INFO]    <p>
      [INFO]     For example, to add the <tt>manager-gui</tt> role to a user named
      [INFO]     <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
      [INFO]     config file listed above.
      [INFO]    </p>
      [INFO] <pre>
      [INFO] &lt;role rolename="manager-gui"/&gt;
      [INFO] &lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
      [INFO] </pre>
      [INFO]    <p>
      [INFO]     Note that for Tomcat 7 onwards, the roles required to use the manager
      [INFO]     application were changed from the single <tt>manager</tt> role to the
      [INFO]     following four roles. You will need to assign the role(s) required for
      [INFO]     the functionality you wish to access.
      [INFO]    </p>
      [INFO]     <ul>
      [INFO]       <li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
      [INFO]           pages</li>
      [INFO]       <li><tt>manager-script</tt> - allows access to the text interface and the
      [INFO]           status pages</li>
      [INFO]       <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
      [INFO]           pages</li>
      [INFO]       <li><tt>manager-status</tt> - allows access to the status pages only</li>
      [INFO]     </ul>
      [INFO]    <p>
      [INFO]     The HTML interface is protected against CSRF but the text and JMX interfaces
      [INFO]     are not. To maintain the CSRF protection:
      [INFO]    </p>
      [INFO]    <ul>
      [INFO]     <li>Users with the <tt>manager-gui</tt> role should not be granted either
      [INFO]         the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
      [INFO]     <li>If the text or jmx interfaces are accessed through a browser (e.g. for
      [INFO]         testing since these interfaces are intended for tools not humans) then
      [INFO]         the browser must be closed afterwards to terminate the session.</li>
      [INFO]    </ul>
      [INFO]    <p>
      [INFO]     For more information - please see the
      [INFO]     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
      [INFO]    </p>
      [INFO]  </body>
      [INFO] </html>
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD SUCCESS
      [INFO] ------------------------------------------------------------------------
      [INFO] Total time: 1:02.630s
      [INFO] Finished at: Fri May 11 11:17:21 NDT 2012
      [INFO] Final Memory: 11M/265M
      [INFO] ------------------------------------------------------------------------
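As an added example (not code from the plugin or from this report): the gate quoted in the description next to a corrected one, the Basic header each produces for the default admin/"" credentials, and a check over wire-log lines in the `headers - >>` format above for an outgoing Authorization header. The log lines in main are constructed, and encoding the credentials as ISO-8859-1 is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PreemptiveAuthCheck {
    // Same contract as commons-lang StringUtils.isNotEmpty: false for null and for "".
    static boolean isNotEmpty(String s) {
        return s != null && !s.isEmpty();
    }
    // Gate quoted in the report: with the default password "" no credentials are ever attached.
    static boolean buggyShouldSendAuth(String username, String password) {
        return isNotEmpty(username) && isNotEmpty(password);
    }
    // Corrected gate: a configured username is enough; only a null password means "no auth".
    static boolean fixedShouldSendAuth(String username, String password) {
        return isNotEmpty(username) && password != null;
    }
    // Preemptive Basic credentials for the manager, or null when the chosen gate suppresses them.
    // ISO-8859-1 is assumed here for the credential bytes.
    static String authorizationHeader(String username, String password, boolean useFixedGate) {
        boolean send = useFixedGate ? fixedShouldSendAuth(username, password)
                                    : buggyShouldSendAuth(username, password);
        if (!send) return null;
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }
    // Scans HttpClient wire-log lines ("headers - >>" is the outgoing direction) for an
    // Authorization header; the capture in the report has none, which is why the PUT got a 401.
    static boolean requestCarriedAuthorization(String[] logLines) {
        for (String line : logLines) {
            if (line.contains("headers - >> Authorization:")) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        // Plugin defaults from the report: username "admin", password "".
        System.out.println("buggy gate: " + authorizationHeader("admin", "", false));
        System.out.println("fixed gate: " + authorizationHeader("admin", "", true));
        // Constructed log lines shaped like the capture above, not copied from a real run.
        String[] constructedCapture = {
            "headers - >> PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1",
            "headers - >> User-Agent: Apache Tomcat Maven Plugin/2.0-SNAPSHOT",
            "headers - >> Host: 172.16.2.16:18080",
        };
        System.out.println("Authorization sent: " + requestCarriedAuthorization(constructedCapture));
    }
}
```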

          People

            olamy Olivier Lamy
            peterlynch Peter lynch