Bug 309211

Summary: Tomcat-6 issues
Product: Gentoo Linux
Reporter: Paul Davis <pdd>
Component: [OLD] Server
Assignee: Java team <java>
Status: RESOLVED WONTFIX
Severity: minor
CC: mike
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 322979

Description Paul Davis 2010-03-13 00:21:23 UTC
There seem to be a couple of issues with securing the manager / host-manager.

I believe that the docBase for both (in /etc/tomcat-6/Catalina/localhost) should be catalina.base (not .home) if multiple webapp instantiations are required. Of course, this issues the warning that the context file within the deployed app will be ignored (and thus should probably be deleted to remove the warning).

Also, if one wishes to use Digest authentication, then not only does the server.xml Realm need digest added and set to MD5, and each web.xml login-config's auth-method need to be modified (and digest set to MD5), but also the error-page section should be remarked out (otherwise the appropriate WWW-Authenticate: Digest realm, nonce, etc. will not be generated ... of course this then removes the nice 401 explanation).

A shell script file to generate the pre-digested passwords, consisting of 'source /etc/conf.d/tomcat-6' followed by 'java -cp ${CATALINA_LIBDIR}/catalina.jar:${CATALINA_HOME}/bin/bootstrap.jar org.apache.catalina.realm.RealmBase -a MD5 $1', can be used to create the additional approved users in tomcat-users.xml in the appropriate password form username:domainname:port:password, replacing the password="" for each of the manager and admin roles.

Hopefully by doing so this will harden Tomcat authentication for each of the instantiations (however, if distinct roles are needed for each instance, then both the tomcat-users.xml and web.xml role-names should be made unique).

Nothing critical, just a few workarounds/tips I ended up needing to do for my installation.

Reproducible: Always
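The digest setup described in the report, carried through as an added example (editor's code, not from the bug report or from Gentoo's tomcat-6 ebuild). Tomcat's RealmBase with digest="MD5" stores, for HTTP DIGEST authentication, MD5("username:realm:password"), the HA1 value of RFC 2617, where realm is exactly the <realm-name> string from the webapp's web.xml login-config; `RealmBase -a MD5 'user:realm:password'` prints the same hex digest as the md5sum pipeline below, so no JVM is needed to produce the entries. The realm name "Tomcat Manager Application", the sample user names and passwords, and the role names are assumptions for the demo; the Mufasa/testrealm values used in the check are the worked example from RFC 2617 section 3.5. The script also shows how the server verifies a client response from the stored HA1 alone, which is why a realm-name that differs from the one used when digesting makes every login fail:

```shell
#!/bin/sh
# Added example: DIGEST-auth credentials for tomcat-users.xml without a JVM,
# plus the server-side check a Realm with digest="MD5" performs.
#
# Matching configuration (not written by this script):
#   server.xml : <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
#                       resourceName="UserDatabase" digest="MD5"/>
#   web.xml    : <login-config><auth-method>DIGEST</auth-method>
#                  <realm-name>Tomcat Manager Application</realm-name></login-config>

# md5hex: hex MD5 of stdin; falls back to openssl where coreutils md5sum is absent
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/^.* //'
    fi
}

# ha1 USER REALM PASSWORD : the value that goes into password="..." in tomcat-users.xml
# (RFC 2617 HA1 = MD5("user:realm:password")). REALM must equal <realm-name> in web.xml.
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5hex
}

# user_entry USER REALM PASSWORD ROLES : one pre-digested <user/> element
user_entry() {
    printf '<user username="%s" password="%s" roles="%s"/>\n' \
        "$1" "$(ha1 "$1" "$2" "$3")" "$4"
}

# digest_response HA1 METHOD URI NONCE NC CNONCE : RFC 2617 qop=auth response,
# computed from the stored HA1 only, which is all the server ever has.
digest_response() {
    ha2=$(printf '%s:%s' "$2" "$3" | md5hex)
    printf '%s:%s:%s:%s:auth:%s' "$1" "$4" "$5" "$6" "$ha2" | md5hex
}

# verify_response STORED_HA1 METHOD URI NONCE NC CNONCE CLIENT_RESPONSE : succeeds if it matches
verify_response() {
    expected=$(digest_response "$1" "$2" "$3" "$4" "$5" "$6")
    [ "$expected" = "$7" ]
}

# render_users_xml REALM : a complete tomcat-users.xml for the Tomcat 6 manager
# and host-manager roles. Credentials below are constructed placeholders; replace them.
render_users_xml() {
    cat <<EOF
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  $(user_entry manager "$1" 'change-me' 'manager')
  $(user_entry admin "$1" 'change-me-too' 'admin,manager')
</tomcat-users>
EOF
}

# Stand-alone use: ./tomcat-digest.sh demo > /etc/tomcat-6/tomcat-users.xml
if [ "${1:-}" = "demo" ]; then
    render_users_xml 'Tomcat Manager Application'
fi
```

Because only HA1 is stored, a user entry digested against one realm name is unusable once <realm-name> changes; regenerate tomcat-users.xml whenever the realm string in web.xml is edited, and use a distinct realm per instance if the instances must not share credentials.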
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2012-12-07 17:57:24 UTC
As of the rewrite the instance manager script writes the configuration files. It was a deliberate decision to go with defaults very close to upstreams. A warning is issued that this favors the demo aspect.

If you want to share tips on hardening Tomcat on Gentoo me thinks https://wiki.gentoo.org/wiki/Apache_Tomcat would be the right place.

Thanks for your report.