[ https://issues.apache.org/jira/browse/MTOMCAT-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivier Lamy (*$^¨%`£) closed MTOMCAT-151.
------------------------------------------

    Resolution: Fixed

Fixed.
Thanks for the report (even if I'm not sure an empty password is a good idea :-) ).

> Empty password prevents preemptive authentication headers from being sent
> -------------------------------------------------------------------------
>
>                 Key: MTOMCAT-151
>                 URL: https://issues.apache.org/jira/browse/MTOMCAT-151
>             Project: Apache Tomcat Maven Plugin
>          Issue Type: Bug
>          Components: commons-lib
>    Affects Versions: 2.0-beta-1
>            Reporter: Peter lynch
>            Assignee: Olivier Lamy (*$^¨%`£)
>             Fix For: 2.0
>
>
> Default username for auth is *admin*, default password is "" ( empty string ).
> The problem is that when the password is an empty string, TomcatManager.java does not send
> auth headers, so the deploy and deploy-only goals fail with 401 after appearing
> to upload the war successfully.
> Seems to have been introduced by [this|http://svn.apache.org/viewvc/tomcat/maven-plugin/trunk/common-tomcat-maven-plugin/src/main/java/org/apache/tomcat/maven/common/deployer/TomcatManager.java?r1=1178619&r2=1212685&pathrev=1301824&diff_format=h].
> The line in question is 171, which decides what to do about auth.
> {noformat}
> if ( StringUtils.isNotEmpty( username ) && StringUtils.isNotEmpty( password ) )
> {noformat}
> Workaround: set a non-empty password for the user accessing /manager/text.
> Expected: blank password to trigger preemptive auth headers.
> {noformat:title=Proof that TomcatManager didn't send auth headers pre-emptively for empty password (default)}
> > mvn -Pstaging tomcat7:deploy-only -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog -Dorg.apache.commons.logging.simplelog.showdatetime=true -Dorg.apache.commons.logging.simplelog.log.org.apache.http=DEBUG -Dorg.apache.commons.logging.simplelog.log.org.apache.http.wire=INFO
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ------------------------------------------------------------------------
> [INFO] Building My WAR 1.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- tomcat7-maven-plugin:2.0-SNAPSHOT:deploy-only (default-cli) @ my-webapp ---
> [INFO] Deploying war to http://172.16.2.16:18080/my-webapp
> 2012/05/11 11:16:21:623 NDT [DEBUG] PoolingClientConnectionManager - Connection request: [route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 5]
> 2012/05/11 11:16:21:650 NDT [DEBUG] PoolingClientConnectionManager - Connection leased: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 5]
> 2012/05/11 11:16:21:655 NDT [DEBUG] DefaultClientConnectionOperator - Connecting to 172.16.2.16:18080
> 2012/05/11 11:16:21:761 NDT [DEBUG] RequestAddCookies - CookieSpec selected: best-match
> 2012/05/11 11:16:21:775 NDT [DEBUG] RequestAuthCache - Auth cache not set in the context
> 2012/05/11 11:16:21:776 NDT [DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
> 2012/05/11 11:16:21:777 NDT [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
> 2012/05/11 11:16:21:777 NDT [DEBUG] DefaultHttpClient - Attempt 1 to execute request
> 2012/05/11 11:16:21:777 NDT [DEBUG] DefaultClientConnection - Sending request: PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
> 2012/05/11 11:16:21:779 NDT [DEBUG] headers - >> PUT /manager/text/deploy?path=%2Fmy-webapp&update=true HTTP/1.1
> 2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> User-Agent: Apache Tomcat Maven Plugin/2.0-SNAPSHOT
> 2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Content-Length: 13269693
> 2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Host: 172.16.2.16:18080
> 2012/05/11 11:16:21:780 NDT [DEBUG] headers - >> Connection: Keep-Alive
> Uploading: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true
> Uploaded: http://172.16.2.16:18080/manager/text/deploy?path=%2Fmy-webapp&update=true (12959 KB at 215.5 KB/sec)
> 2012/05/11 11:17:21:919 NDT [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << HTTP/1.1 401 Unauthorized
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Server: Apache-Coyote/1.1
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Cache-Control: private
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Expires: Wed, 31 Dec 1969 18:00:00 CST
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << WWW-Authenticate: Basic realm="Tomcat Manager Application"
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Set-Cookie: JSESSIONID=6AEFCEADD39F891A0CFED0AD73EE512F; Path=/manager/; HttpOnly
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Content-Type: text/html;charset=ISO-8859-1
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Transfer-Encoding: chunked
> 2012/05/11 11:17:21:920 NDT [DEBUG] headers - << Date: Fri, 11 May 2012 13:46:21 GMT
> 2012/05/11 11:17:21:927 NDT [DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: JSESSIONID][value: 6AEFCEADD39F891A0CFED0AD73EE512F][domain: 172.16.2.16][path: /manager/][expiry: null]".
> 2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
> 2012/05/11 11:17:21:927 NDT [DEBUG] DefaultHttpClient - 172.16.2.16:18080 requested authentication
> 2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, NTLM, Digest, Basic]
> 2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme not available
> 2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
> 2012/05/11 11:17:21:928 NDT [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
> 2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection [id: 0][route: {}->http://172.16.2.16:18080] can be kept alive indefinitely
> 2012/05/11 11:17:21:935 NDT [DEBUG] PoolingClientConnectionManager - Connection released: [id: 0][route: {}->http://172.16.2.16:18080][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 5]
> [INFO] tomcatManager status code:401, ReasonPhrase:Unauthorized
> [INFO] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
> [INFO] <html>
> [INFO]  <head>
> [INFO]   <title>401 Unauthorized</title>
> [INFO]   <style type="text/css">
> [INFO]     <!--
> [INFO]     BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
> [INFO]     H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> [INFO]     PRE, TT {border: 1px dotted #525D76}
> [INFO]     A {color : black;}A.name {color : black;}
> [INFO]     -->
> [INFO]   </style>
> [INFO]  </head>
> [INFO]  <body>
> [INFO]    <h1>401 Unauthorized</h1>
> [INFO]    <p>
> [INFO]     You are not authorized to view this page. If you have not changed
> [INFO]     any configuration files, please examine the file
> [INFO]     <tt>conf/tomcat-users.xml</tt> in your installation. That
> [INFO]     file must contain the credentials to let you use this webapp.
> [INFO]    </p>
> [INFO]    <p>
> [INFO]     For example, to add the <tt>manager-gui</tt> role to a user named
> [INFO]     <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
> [INFO]     config file listed above.
> [INFO]    </p>
> [INFO] <pre>
> [INFO] &lt;role rolename="manager-gui"/&gt;
> [INFO] &lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
> [INFO] </pre>
> [INFO]    <p>
> [INFO]     Note that for Tomcat 7 onwards, the roles required to use the manager
> [INFO]     application were changed from the single <tt>manager</tt> role to the
> [INFO]     following four roles. You will need to assign the role(s) required for
> [INFO]     the functionality you wish to access.
> [INFO]    </p>
> [INFO]     <ul>
> [INFO]       <li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
> [INFO]           pages</li>
> [INFO]       <li><tt>manager-script</tt> - allows access to the text interface and the
> [INFO]           status pages</li>
> [INFO]       <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
> [INFO]           pages</li>
> [INFO]       <li><tt>manager-status</tt> - allows access to the status pages only</li>
> [INFO]     </ul>
> [INFO]    <p>
> [INFO]     The HTML interface is protected against CSRF but the text and JMX interfaces
> [INFO]     are not. To maintain the CSRF protection:
> [INFO]    </p>
> [INFO]    <ul>
> [INFO]     <li>Users with the <tt>manager-gui</tt> role should not be granted either
> [INFO]         the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
> [INFO]     <li>If the text or jmx interfaces are accessed through a browser (e.g. for
> [INFO]         testing since these interfaces are intended for tools not humans) then
> [INFO]         the browser must be closed afterwards to terminate the session.</li>
> [INFO]    </ul>
> [INFO]    <p>
> [INFO]     For more information - please see the
> [INFO]     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
> [INFO]    </p>
> [INFO]  </body>
> [INFO] </html>
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 1:02.630s
> [INFO] Finished at: Fri May 11 11:17:21 NDT 2012
> [INFO] Final Memory: 11M/265M
> [INFO] ------------------------------------------------------------------------
> {noformat}
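The predicate quoted from line 171 is the whole bug: with the default password "" the plugin never attaches a Basic header, so the full war body is uploaded before the 401 comes back. The following is an added illustration, not TomcatManager.java or the committed fix; the "after fix" predicate is this example's own reading of what the fix must do (the commit is not on the page), and all method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/*
 * Added example (not the plugin's code): the auth-decision predicate from
 * MTOMCAT-151 before and after the fix, next to the preemptive Basic header
 * the plugin should have sent. Method names are this example's own.
 */
public class PreemptiveBasicAuthCheck {

    static boolean isNotEmpty(String s) {
        return s != null && !s.isEmpty();   // same semantics as StringUtils.isNotEmpty
    }

    /** Line 171 before the fix: an empty password silently disables auth. */
    static boolean sendsAuthBeforeFix(String username, String password) {
        return isNotEmpty(username) && isNotEmpty(password);
    }

    /** Assumed shape of the fix: the username decides; "" is still a credential. */
    static boolean sendsAuthAfterFix(String username, String password) {
        return isNotEmpty(username) && password != null;
    }

    /** Value of a preemptive Authorization header: "Basic " + base64("user:pass"). */
    static String basicAuthorization(String username, String password) {
        byte[] token = (username + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(token);
    }

    /** Header to attach to the PUT, or null when the predicate sends no auth at all. */
    static String headerFor(String username, String password, boolean fixed) {
        boolean send = fixed ? sendsAuthAfterFix(username, password)
                             : sendsAuthBeforeFix(username, password);
        return send ? basicAuthorization(username, password) : null;
    }

    public static void main(String[] args) {
        // Plugin defaults from the report: user "admin", password "".
        String user = "admin", password = "";
        // Before the fix no header is attached, so the whole body is sent before the 401.
        System.out.println("before fix: " + headerFor(user, password, false));
        System.out.println("after fix:  " + headerFor(user, password, true));
        // Check suggested by the closing comment: flag an empty manager password, don't just accept it.
        if (password.isEmpty()) {
            System.err.println("warning: empty password configured for manager user " + user);
        }
    }
}
```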

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira