(tomcat) branch 11.0.x updated: Fix deprecation warnings

Fri, 01 May 2026 03:24:45 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 4d91bd2c45 Fix deprecation warnings
4d91bd2c45 is described below

commit 4d91bd2c45bdbcac49aef78eb0ee1bdd573bc8d5
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Apr 27 09:24:00 2026 +0100

    Fix deprecation warnings
---
 java/org/apache/catalina/realm/MessageDigestCredentialHandler.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java 
b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
index 4d2bd5c709..af64ecd0c3 100644
--- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
+++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
@@ -28,6 +28,7 @@ import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.B2CConverter;
 import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+import org.apache.tomcat.util.security.ConstantTime;
 
 /**
  * This credential handler supports the following forms of stored passwords:
@@ -110,7 +111,7 @@ public class MessageDigestCredentialHandler extends 
DigestCredentialHandlerBase
 
         if (getAlgorithm() == null) {
             // No digests, compare directly
-            return DigestCredentialHandlerBase.equals(inputCredentials, 
storedCredentials, false);
+            return ConstantTime.equals(inputCredentials, storedCredentials, 
false);
         } else {
             // Some directories and databases prefix the password with the hash
             // type. The string is in a format compatible with Base64.encode 
not
@@ -123,7 +124,7 @@ public class MessageDigestCredentialHandler extends 
DigestCredentialHandlerBase
                         
inputCredentials.getBytes(StandardCharsets.ISO_8859_1));
                 String base64UserDigest = 
Base64.getEncoder().encodeToString(userDigest);
 
-                return DigestCredentialHandlerBase.equals(base64UserDigest, 
base64ServerDigest, false);
+                return ConstantTime.equals(base64UserDigest, 
base64ServerDigest, false);
             } else if (storedCredentials.startsWith("{SSHA}")) {
                 // "{SSHA}<sha-1 digest:20><salt:n>"
                 // Need to convert the salt to bytes to apply it to the user's


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to