This is the second part of the demo on Basic and Digest Authentication using the Apache Tomcat server. We have already created the setup, made the necessary configuration changes in web.xml and Tomcat's tomcat-users.xml, exported the application as a WAR, deployed it into Tomcat, and tested Basic and Digest authentication. Here we will use a protocol analyzer to see and analyze the actual requests and responses sent between client and server during Basic and Digest authentication in Apache Tomcat.
We will use tcpmon to listen to requests and responses, as it is very simple and just fits our need. You can read more about it at http://javajee.com/using-tcpmon-to-listen-to-http-requests-and-responses. You may also use Wireshark, a tool with many advanced capabilities. You can start reading about Wireshark at http://javajee.com/introduction-to-wireshark-%E2%80%93-basic-concept-installation-and-first-data-capture.
In the first part, we created the setup, made the necessary configuration changes in web.xml and Tomcat's tomcat-users.xml, exported the application as a WAR and deployed it into Tomcat. The URL for the RestrictedServlet is http://localhost:8080/ServletSecurity/RestrictedServlet
Open tcpmon by clicking tcpmon.bat (in Windows), enter the Listen Port # as 9090 and the Target Port # as 8080 (the port in your current URL), leave the host as 127.0.0.1 (assuming you are executing on your localhost with the above URL), and click Add.
A new tab will now appear where you can monitor every request sent to localhost:9090. You will need to use a modified URL with port 9090; tcpmon will forward the traffic to port 8080 while capturing the details.
Run the modified URL for RestrictedServlet with port 9090 instead of 8080: http://localhost:9090/ServletSecurity/RestrictedServlet.
The client will send a GET request and the server will send back an HTTP/1.1 401 Unauthorized response naming the authentication scheme (BASIC) and the realm name.
The client browser will now show you a popup to collect the username and password.
Once you enter the right username and password for a user with the correct role (admin/tomcat), you will get the response from the servlet.
If you look at the tcpmon listen page, you can see the details sent by the client and the response from the server.
I can see that the authentication scheme is BASIC and that the username and password are sent, encoded (not encrypted) using Base64, as YWRtaW46dG9tY2F0.
I can simply go to any Base64 decoder (e.g. https://www.base64decode.org/), give it the encoded string YWRtaW46dG9tY2F0 and decode it with a single click, and it will give me the username and password as admin:tomcat.
To change the authentication type from BASIC to DIGEST:
1. Go to your deployed web application's web.xml file (e.g. <TOMCAT-INSTALL-DIR>/webapps/ServletSecurity/WEB-INF/web.xml)
2. Change <auth-method>BASIC</auth-method> to <auth-method>DIGEST</auth-method>
3. Stop (shutdown.bat) and start (startup.bat) Tomcat
Now close the browser and open a new browser window (to get a new session), and execute the same URL as before: http://localhost:9090/ServletSecurity/RestrictedServlet.
This will give you a popup as before asking for your credentials.
If you look at tcpmon for the request and response, you can see that the authentication method is now DIGEST instead of BASIC.
The WWW-Authenticate header now contains additional information as well, which the client needs in order to create the digest:
WWW-Authenticate: Digest realm="Restricted Access", qop="auth", nonce="1429331633971:fe2a4023146da72712a100913629c721", opaque="4FE4AED73CC7D1995AF7BC84E2EB9303"
Once you enter the right username and password for a user with the correct role (admin/tomcat), you will get the response from the servlet (same as with BASIC authentication).
However, if you look at tcpmon, you can see that the password is no longer sent as it was with BASIC, although the username is still sent in the clear.
The Authorization header will now have a value like:
Authorization: Digest username="admin", realm="Restricted Access", nonce="1429331633971:fe2a4023146da72712a100913629c721", uri="/ServletSecurity/RestrictedServlet", response="b86430e9b4d5e4c1f0abf64b566c715c", opaque="4FE4AED73CC7D1995AF7BC84E2EB9303", qop=auth, nc=00000001, cnonce="d5205f3c7acc1ecd"
Now you will not be able to recover the password from the captured request as we did before, because the header carries only a hash (the response field) computed over the credentials, the server's nonce and the request details.
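To make the contrast concrete, here is an added example (not part of the original tutorial, and not Tomcat's own code) that decodes the captured Basic credential, parses the captured WWW-Authenticate and Authorization headers, and reproduces the RFC 2617 digest computation on both the client and the server side. The header values are copied from the tcpmon capture above; the client-nonce and nonce-count are passed in explicitly so the result is reproducible, and the server-side verifier recomputes the response from a stored HA1 (MD5 of username:realm:password) rather than from the password itself.

```python
"""Added example (not from the tutorial): parse the Basic and Digest headers
captured above and reproduce the RFC 2617 digest computation on both sides.
Header values are copied from the tutorial's tcpmon capture."""
import base64
import hashlib
import hmac
import re

# Copied from the tutorial's capture.
BASIC_CREDENTIAL = "YWRtaW46dG9tY2F0"
WWW_AUTHENTICATE = ('Digest realm="Restricted Access", qop="auth", '
                    'nonce="1429331633971:fe2a4023146da72712a100913629c721", '
                    'opaque="4FE4AED73CC7D1995AF7BC84E2EB9303"')
AUTHORIZATION = ('Digest username="admin", realm="Restricted Access", '
                 'nonce="1429331633971:fe2a4023146da72712a100913629c721", '
                 'uri="/ServletSecurity/RestrictedServlet", '
                 'response="b86430e9b4d5e4c1f0abf64b566c715c", '
                 'opaque="4FE4AED73CC7D1995AF7BC84E2EB9303", '
                 'qop=auth, nc=00000001, cnonce="d5205f3c7acc1ecd"')

# key=value where the value is quoted ("...") or a bare token (qop=auth, nc=00000001).
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')
_BARE = {"qop", "nc"}  # sent unquoted in the capture


def decode_basic(credential):
    """Basic: the header is just base64(username:password); decoding reverses it."""
    user, _, password = base64.b64decode(credential).decode("utf-8").partition(":")
    return user, password


def parse_digest(header):
    """Turn 'Digest k1="v1", k2=v2, ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header: " + scheme)
    return {k: quoted or bare for k, quoted, bare in _PARAM_RE.findall(params)}


def build_digest(params):
    """Inverse of parse_digest, quoting the way the captured header does."""
    return "Digest " + ", ".join(
        f"{k}={v}" if k in _BARE else f'{k}="{v}"' for k, v in params.items())


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): the only secret-derived value a
    digest-capable realm needs to store; the server never needs the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, p):
    """RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))."""
    ha2 = hashlib.md5(f"{method}:{p['uri']}".encode()).hexdigest()
    data = ":".join([ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2])
    return hashlib.md5(data.encode()).hexdigest()


def client_authorization(username, password, method, uri, challenge, nc, cnonce):
    """What the browser does after the 401: answer the parsed WWW-Authenticate
    challenge. cnonce is normally random per request; it is a parameter here so
    the result is reproducible."""
    p = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
         "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
         "opaque": challenge["opaque"]}
    p["response"] = digest_response(digest_ha1(username, p["realm"], password), method, p)
    return build_digest(p)


def verify_digest(header, method, ha1_lookup, challenge):
    """Server side: the request must answer the challenge we issued (realm, opaque
    and nonce must match, which also rejects a replay under a fresh nonce), and the
    response must equal what we recompute from the stored HA1. Compared in
    constant time; nothing here can recover the password from the header."""
    try:
        p = parse_digest(header)
        for field in ("realm", "opaque", "nonce"):
            if p[field] != challenge[field]:
                return False
        if p["qop"] != "auth":
            return False  # only qop=auth is implemented here
        ha1 = ha1_lookup(p["username"])
        if ha1 is None:
            return False
        return hmac.compare_digest(digest_response(ha1, method, p), p["response"])
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    print("Basic credential decodes to:", decode_basic(BASIC_CREDENTIAL))
    challenge = parse_digest(WWW_AUTHENTICATE)
    captured = parse_digest(AUTHORIZATION)
    # Recompute the response for admin/tomcat; whether or not it matches the
    # captured value, the header itself reveals only username, nonce and hashes.
    recomputed = digest_response(digest_ha1("admin", captured["realm"], "tomcat"),
                                 "GET", captured)
    print("captured response:  ", captured["response"])
    print("recomputed response:", recomputed)
```

Two points worth noticing when running it: the Basic credential comes back as admin:tomcat with a single decode call, while on the Digest side even the server only needs HA1, not the password, and a verifier that checks the nonce against the challenge it issued rejects a captured Authorization header replayed against a later challenge. Note that Digest still sends the username in the clear and relies on MD5, so it is a mitigation against casual sniffing, not a substitute for TLS.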