Peter Lynch created MTOMCAT-151:
-----------------------------------
Summary: Empty password prevents preemptive authentication headers from being sent
Key: MTOMCAT-151
URL: https://issues.apache.org/jira/browse/MTOMCAT-151
Project: Apache Tomcat Maven Plugin
Issue Type: Bug
Components: commons-lib
Affects Versions: 2.0-beta-1, 2.0
Reporter: Peter Lynch
Assignee: Olivier Lamy (*$^¨%`£)
Default username for auth is *admin*, default password is "" (empty string).
The problem is that when the password is the empty string, TomcatManager.java does not send auth
headers, so the deploy and deploy-only goals fail with 401 after appearing to
upload the war successfully.
This seems to have been introduced by
[this|http://svn.apache.org/viewvc/tomcat/maven-plugin/trunk/common-tomcat-maven-plugin/src/main/java/org/apache/tomcat/maven/common/deployer/TomcatManager.java?r1=1178619&r2=1212685&pathrev=1301824&diff_format=h].
The line in question is line 171, which decides what to do about auth.
{noformat}
if ( StringUtils.isNotEmpty( username ) && StringUtils.isNotEmpty( password ) )
{noformat}
Workaround: set a non-empty password for the user accessing /manager/text.
Expected: blank password to trigger preemptive auth headers.
{noformat:title=Proof that TomcatManager didn't send auth headers pre-emptively for empty password (default)}
> mvn -Pstaging tomcat7:deploy-only
> -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog
> -Dorg.apache.commons.logging.simplelog.showdatetime=true
> -Dorg.apache.commons.logging.simplelog.log.org.apache.http=DEBUG
> -Dorg.apache.commons.logging.simplelog.log.org.apache.http.wire=INFO
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building My WAR 1.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- tomcat7-maven-plugin:2.0-SNAPSHOT:deploy-only (default-cli) @
my-webapp ---
[INFO] Deploying war to http://172.16.2.16:18080/my-webapp
2012/05/11 11:16:21:623 NDT [DEBUG] PoolingClientConnectionManager - Connection
request: [route: {}->http://172.16.2.16:18080][total kept alive: 0; route
allocated: 0 of 2; total allocated: 0 of 5]
2012/05/11 11:16:21:650 NDT [DEBUG] PoolingClientConnectionManager - Connection
leased: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 0; route
allocated: 1 of 2; total allocated: 1 of 5]
2012/05/11 11:16:21:655 NDT [DEBUG] DefaultClientConnectionOperator -
Connecting to 172.16.2.16:18080
2012/05/11 11:16:21:761 NDT [DEBUG] RequestAddCookies - CookieSpec selected:
best-match
2012/05/11 11:16:21:775 NDT [DEBUG] RequestAuthCache - Auth cache not set in
the context
2012/05/11 11:16:21:776 NDT [DEBUG] RequestTargetAuthentication - Target auth
state: UNCHALLENGED
2012/05/11 11:16:21:777 NDT [DEBUG] RequestProxyAuthentication - Proxy auth
state: UNCHALLENGED
2012/05/11 11:16:21:777 NDT [DEBUG] DefaultHttpClient - Attempt 1 to execute
request
2012/05/11 11:16:21:777 NDT [DEBUG] DefaultClientConnection - Sending request:
PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
2012/05/11 11:16:21:779 NDT [DEBUG] headers - >> PUT
/manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> User-Agent: Apache Tomcat
Maven Plugin/2.0-SNAPSHOT
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Content-Length: 13269693
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Host: 172.16.2.16:18080
2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Connection: Keep-Alive
Uploading:
http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true
Uploaded:
http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true
(12959 KB at 215.5 KB/sec)
2012/05/11 11:17:21:919 NDT [DEBUG] DefaultClientConnection - Receiving
response: HTTP/1.1 401 Unauthorized
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << HTTP/1.1 401 Unauthorized
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Server: Apache-Coyote/1.1
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Cache-Control: private
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Expires: Wed, 31 Dec 1969
18:00:00 CST
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << WWW-Authenticate: Basic
realm="Tomcat Manager Application"
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Set-Cookie:
JSESSIONID=6AEFCEADD39F891A0CFED0AD73EE512F; Path=/manager/; HttpOnly
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Content-Type:
text/html;charset=ISO-8859-1
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Transfer-Encoding: chunked
2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Date: Fri, 11 May 2012
13:46:21 GMT
2012/05/11 11:17:21:927 NDT [DEBUG] ResponseProcessCookies - Cookie accepted:
"[version: 0][name: JSESSIONID][value:
6AEFCEADD39F891A0CFED0AD73EE512F][domain: 172.16.2.16][path: /manager/][expiry:
null]".
2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - Connection can be kept
alive indefinitely
2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - 172.16.2.16:18080
requested authentication
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy -
Authentication schemes in the order of preference: [negotiate, NTLM, Digest,
Basic]
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge
for negotiate authentication scheme not available
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge
for NTLM authentication scheme not available
2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge
for Digest authentication scheme not available
2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection
[id: 0][route: {}->http://172.16.2.16:18080] can be kept alive indefinitely
2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection
released: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 1;
route allocated: 1 of 2; total allocated: 1 of 5]
[INFO] tomcatManager status code:401, ReasonPhrase:Unauthorized
[INFO] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
[INFO] <html>
[INFO] <head>
[INFO] <title>401 Unauthorized</title>
[INFO] <style type="text/css">
[INFO] <!--
[INFO] BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
[INFO] H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
[INFO] PRE, TT {border: 1px dotted #525D76}
[INFO] A {color : black;}A.name {color : black;}
[INFO] -->
[INFO] </style>
[INFO] </head>
[INFO] <body>
[INFO] <h1>401 Unauthorized</h1>
[INFO] <p>
[INFO] You are not authorized to view this page. If you have not changed
[INFO] any configuration files, please examine the file
[INFO] <tt>conf/tomcat-users.xml</tt> in your installation. That
[INFO] file must contain the credentials to let you use this webapp.
[INFO] </p>
[INFO] <p>
[INFO] For example, to add the <tt>manager-gui</tt> role to a user named
[INFO] <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the
following to the
[INFO] config file listed above.
[INFO] </p>
[INFO] <pre>
[INFO] <role rolename="manager-gui"/>
[INFO] <user username="tomcat" password="s3cret" roles="manager-gui"/>
[INFO] </pre>
[INFO] <p>
[INFO] Note that for Tomcat 7 onwards, the roles required to use the manager
[INFO] application were changed from the single <tt>manager</tt> role to the
[INFO] following four roles. You will need to assign the role(s) required
for
[INFO] the functionality you wish to access.
[INFO] </p>
[INFO] <ul>
[INFO] <li><tt>manager-gui</tt> - allows access to the HTML GUI and the
status
[INFO] pages</li>
[INFO] <li><tt>manager-script</tt> - allows access to the text interface
and the
[INFO] status pages</li>
[INFO] <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the
status
[INFO] pages</li>
[INFO] <li><tt>manager-status</tt> - allows access to the status pages
only</li>
[INFO] </ul>
[INFO] <p>
[INFO] The HTML interface is protected against CSRF but the text and JMX
interfaces
[INFO] are not. To maintain the CSRF protection:
[INFO] </p>
[INFO] <ul>
[INFO] <li>Users with the <tt>manager-gui</tt> role should not be granted
either
[INFO] the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
[INFO] <li>If the text or jmx interfaces are accessed through a browser
(e.g. for
[INFO] testing since these interfaces are intended for tools not
humans) then
[INFO] the browser must be closed afterwards to terminate the
session.</li>
[INFO] </ul>
[INFO] <p>
[INFO] For more information - please see the
[INFO] <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
[INFO] </p>
[INFO] </body>
[INFO] </html>
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:02.630s
[INFO] Finished at: Fri May 11 11:17:21 NDT 2012
[INFO] Final Memory: 11M/265M
[INFO] ------------------------------------------------------------------------
{noformat}
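As an added illustration (not code from the plugin or from the reporter), the following Java class reproduces the decision quoted from line 171 next to a corrected form that requires only a non-empty username, and builds the Basic credential for the default admin / empty-password pair to show that it is well-formed. `isNotEmpty` is a local stand-in for commons-lang `StringUtils.isNotEmpty`; the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example, not TomcatManager's own code: compares the buggy and the
 * corrected decision about sending preemptive Basic auth, and builds the
 * credential that a preemptive Authorization header would carry.
 */
public class PreemptiveAuthDecision {

    /** Stand-in for StringUtils.isNotEmpty (assumption: same semantics). */
    static boolean isNotEmpty(String s) {
        return s != null && !s.isEmpty();
    }

    /** The condition quoted in the report: an empty password skips auth entirely. */
    static boolean sendsAuthBuggy(String username, String password) {
        return isNotEmpty(username) && isNotEmpty(password);
    }

    /**
     * Corrected condition: a username is required, but an empty password is a
     * legitimate credential (RFC 2617 allows password to be empty), so only
     * null is treated as "no password configured".
     */
    static boolean sendsAuthFixed(String username, String password) {
        return isNotEmpty(username) && password != null;
    }

    /** Basic credential per RFC 2617: base64("user:password"); "admin:" is valid. */
    static String basicAuthorizationHeader(String username, String password) {
        String raw = username + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Plugin defaults as stated in the report.
        String username = "admin";
        String password = "";

        System.out.println("buggy condition sends auth: " + sendsAuthBuggy(username, password));
        System.out.println("fixed condition sends auth: " + sendsAuthFixed(username, password));
        System.out.println("Authorization: " + basicAuthorizationHeader(username, password));
    }
}
```

The trace above shows the consequence of the buggy branch: the outgoing `>>` request headers contain no `Authorization` line, the 13 MB war body is uploaded in full, and only then does the `401` with `WWW-Authenticate: Basic` arrive, which is why preemptive auth matters for large uploads. The reported workaround (a non-empty password for the `/manager/text` user) is also the better posture regardless of this bug, since an empty manager password should not be relied on in any deployment.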