Entries tagged [tomcat]


Tomcat 9 - understanding CredentialHandler

It is common practice to use non-plaintext passwords for Tomcat users, but in Tomcat 9 things changed slightly. Take a look at this example.

  1. Open a shell and create the digest using the CredentialHandler:
    >digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler ************
  2. Modify tomcat-users.xml and add the digest as the user's password:
    <tomcat-users> 
    <user name="admin" password="1256b3fd09cc0d114d3010d9bafc0e4d62c1348hc94d2319e197b0a457c580e$1$30f9ce17f3b9a508cd9bc49503901d5fc83851382c49da83c7d6dd02a6fc4c95" roles="manager-gui">
    </user>
    </tomcat-users> 
    
  3. Modify server.xml and declare the CredentialHandler inside the Realm:
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-256">
    </CredentialHandler>
    </Realm>
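
How the value stored in step 2 is built and checked, as an added example (not code from the original post or from Tomcat itself). It assumes the salt$iterations$digest layout visible above, hex encoding, salt bytes hashed before the password, and UTF-8 password bytes; all function names are made up for the illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration; function names are hypothetical, not Tomcat APIs.

def digest_rounds(password, salt, iterations, algorithm="sha-256"):
    """Hash salt + password once, then re-hash the result for each extra iteration."""
    name = algorithm.replace("-", "").lower()      # "sha-256" -> hashlib's "sha256"
    result = hashlib.new(name, salt + password.encode("utf-8")).digest()  # assumed UTF-8
    for _ in range(iterations - 1):
        result = hashlib.new(name, result).digest()
    return result

def make_stored(password, salt_len=32, iterations=1, algorithm="sha-256"):
    """Build a salt$iterations$digest string with a fresh random salt."""
    salt = os.urandom(salt_len)
    digest = digest_rounds(password, salt, iterations, algorithm)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())

def parse_stored(stored):
    """Split a stored credential; raise ValueError on anything malformed."""
    parts = stored.split("$")
    if len(parts) != 3:
        raise ValueError("expected salt$iterations$digest")
    salt = bytes.fromhex(parts[0])      # ValueError on non-hex or odd length
    iterations = int(parts[1])
    digest = bytes.fromhex(parts[2])
    if iterations < 1 or not digest:
        raise ValueError("iterations must be >= 1 and digest non-empty")
    return salt, iterations, digest

def matches(password, stored, algorithm="sha-256"):
    """True only if the password reproduces the stored digest; malformed input fails closed."""
    try:
        salt, iterations, expected = parse_stored(stored)
    except ValueError:
        return False
    actual = digest_rounds(password, salt, iterations, algorithm)
    return hmac.compare_digest(actual, expected)    # constant-time comparison

if __name__ == "__main__":
    stored = make_stored("constructed-sample-password")   # constructed sample input
    print(stored)
    print(matches("constructed-sample-password", stored))
    print(matches("wrong", stored))
```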
    

Posted on by Peter Eichenauer
Tags: security tomcat

Configure a WebDAV folder using Tomcat 6

Tomcat 6 comes prebundled with a WebDAV servlet. To enable the servlet, add the following to web.xml:

<servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>true</param-value>
  </init-param>

  <!-- The following for read-write access -->
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>webdav</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>

 

To provide security for WebDAV using Tomcat realms, add the following to web.xml:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>webdavapp</web-resource-name>
                <url-pattern>/*</url-pattern>
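                <!-- Only the methods listed here are covered by the constraint. PUT, DELETE and
                     MKCOL are listed so that writes (readonly=false above) also require login;
                     drop every http-method element to protect all methods, GET included. -->
                <http-method>PROPFIND</http-method>
                <http-method>PROPPATCH</http-method>
                <http-method>COPY</http-method>
                <http-method>MOVE</http-method>
                <http-method>LOCK</http-method>
                <http-method>UNLOCK</http-method>
                <http-method>PUT</http-method>
                <http-method>DELETE</http-method>
                <http-method>MKCOL</http-method>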
        </web-resource-collection>

        <auth-constraint>
                <role-name>*</role-name>
        </auth-constraint>
</security-constraint>
<login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>webdavapp</realm-name>
</login-config>
<security-role>
        <description>WebDAV User</description>
        <role-name>webdav</role-name>
</security-role>

Then add a new role and user to conf/tomcat-users.xml:

<role rolename="webdav"/>
<user username="webdavuser" password="password" roles="webdav"/>

TomcatMBeanViewer

Preliminary information

Tomcat 4 already uses the JMX API (JMX stands for Java Management Extensions), but there is no easy way to get a list of all available MBeans.

Tested Environment

  • Java 1.4
  • Tomcat 4.1

MBeanViewer web application

Insert this code in your servlet or JSP.

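    // Imports needed at the top of the servlet (or as JSP page imports)
    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.Set;
    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.ObjectName;

    // Reuse an MBeanServer that is already registered; create one only if none exists
    MBeanServer mBeanServer = null;
    ArrayList arrayList = MBeanServerFactory.findMBeanServer(null);
    if (arrayList.size() > 0) {
        mBeanServer = (MBeanServer) arrayList.get(0);
    } else {
        mBeanServer = MBeanServerFactory.createMBeanServer();
    }

    // Passing null for both the name pattern and the query matches every registered MBean
    Set allMBeans = mBeanServer.queryNames(null, null);
    for (Iterator i = allMBeans.iterator(); i.hasNext(); ) {
        ObjectName objectName = (ObjectName) i.next();

        // log is the logger of the surrounding servlet or JSP, declared elsewhere
        log.debug(objectName.getDomain());
        log.debug(objectName.getCanonicalName());
    }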

Results

Domain    Canonical Name
Catalina  Catalina:name=channelSocket,type=JkHandler
Catalina  Catalina:host=localhost,name=users,path=/manager,resourcetype=Context,service=Tomcat-Standalone,type=ResourceLink
Catalina  Catalina:resourcetype=Global,type=NamingResources
...       ...