Tomcat 9 - understanding CredentialHandler

It is common practice to use non-plaintext passwords for Tomcat users, but in Tomcat 9 things changed slightly. Take a look at this example.

  1. open shell and create digest using the CredentialHandler
    >digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler ************
  2. modify tomcat-users.xml and add the digest
    <tomcat-users> 
    <user name="admin" password="1256b3fd09cc0d114d3010d9bafc0e4d62c1348hc94d2319e197b0a457c580e$1$30f9ce17f3b9a508cd9bc49503901d5fc83851382c49da83c7d6dd02a6fc4c95" roles="manager-gui">
    </user>
    </tomcat-users> 
    
  3. modify server.xml and add declaration of CredentialHandler
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-256">
    </CredentialHandler>
    </Realm>
    

Cowardly refuses

The Java XML binding compiler shows a funny message if you try to create binding classes into a directory that had not been created yet.
$>xjc -p de.mypackage search_result.xsd -d work
cowardly refuses to write to a non-existent directory "work"

Configure a WebDAV folder using Tomcat 6

Tomcat 6 comes prebundled with a WebDAV servlet. To enable the servlet, add the following to web.xml

<servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>true</param-value>
  </init-param>

  <!-- The following for read-write access -->
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>webdav</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>

 

To provide security for WebDAV using Tomcat realms, add the following to web.xml

<security-constraint>
        <web-resource-collection>
                <web-resource-name>webdavapp</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>PROPFIND</http-method>
                <http-method>PROPPATCH</http-method>
                <http-method>COPY</http-method>
                <http-method>MOVE</http-method>
                <http-method>LOCK</http-method>
                <http-method>UNLOCK</http-method>
        </web-resource-collection>

        <auth-constraint>
                <role-name>*</role-name>
        </auth-constraint>
</security-constraint>
<login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>webdavapp</realm-name>
</login-config>
<security-role>
        <description>WebDAV User</description>
        <role-name>webdav</role-name>
</security-role>

and add a new role and user to conf/tomcat-users.xml:

<role rolename="webdav"/>
<user username="webdavuser" password="password" roles="webdav"/>