Re: Admin password for Tomcat
On 11/5/2023 9:26 AM, Christopher Schultz wrote:
> Jerry,
>
> On 11/4/23 20:17, Jerry Malcolm wrote:
>> My support team needs to be able to log in to our site as various users
>> (on behalf of...) to be able to see exactly what they are seeing since
>> roles, access groups, history is different for different users. I would
>> like to implement an admin password where I can log in as any userId
>> with this password. I totally realize the security risks involved in
>> this. But I am handling the security risks with additional
>> authorizations. I simply need to make every user have two passwords...
>> their real personal password, and the admin password. The only
>> alternative I have right now is to save off the user's password hash in
>> the USERS table, replace it with my password hash, then restore the
>> user's original password when I'm done. I'm not thrilled with that
>> solution first because it's a pain and error prone, and also because the
>> user can no longer log in while their password is replaced with my
>> password.
>>
>> I figure this function is buried in the authenticator code somewhere.
>> But I'd first like to see if anybody has done anything like this
>> already. If not, could somebody point me in the right direction to the
>> tomcat source file that I'm going to need to modify and also what's
>> involved in making authentication use my updated class instead of the
>> default.
>>
>> Suggestions?
>
> This sounds like "impersonation" to me, which, I think, can be done
> differently.
>
> If you are indeed describing an X-Y problem above, then might I suggest
> the following? Instead of figuring out how to "add" a second password to
> a user, what about allowing you to login as e.g. "jerry" and then assume
> the identity of the user "tom"?
>
> You should be able to do this by changing the UserPrincipal in the
> session to have a different username.
>
> Which application are you trying to do this with? Your own application,
> or one which ships with Tomcat (e.g. Manager)?
>
> -chris

Hi Chris, it's my own webapp.

Changing user principal is exactly what I'm trying to do. I wasn't aware
that the user principal could be easily swapped. Where can I learn more
about how to do that?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re:
Thanks Mark and Chris.

>> > base="/home/devuser/git/myproject/target/classes"
>> className="org.apache.catalina.webresources.DirResourceSet"
>> webAppMount="/WEB-INF/classes" />

I have not noticed any slowness yet. There are a lot of jars (approx
160), but the target/classes folder are my app's classes that I am
working on. These can change (ie not static), so may be better to switch
it off.

Is there any way to calculate the size needed for the cache setting?

Thanks Greg

On Sun, 5 Nov 2023 at 15:31, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Greg and Mark,
>
> On 11/5/23 09:31, Mark Thomas wrote:
> > On 05/11/2023 10:18, Greg Huber wrote:
> >> OK thanks, the docs mention "static resource cache" but I could not
> >> find info on what it actually is.
> >
> > It caches the content of static resources in memory and uses that rather
> > than accessing disk.
> >
> >> I am loading maven jars and /target/classes.
> >>
> >> eg:
> >>
> >> >> base="/home/devuser/git/myproject/tools/META-INF"
> >> className="org.apache.catalina.webresources.DirResourceSet"
> >> webAppMount="/WEB-INF/classes/META-INF" />
> >>
> >> >> base="/home/devuser/git/myproject/target/classes"
> >> className="org.apache.catalina.webresources.DirResourceSet"
> >> webAppMount="/WEB-INF/classes" />
> >>
> >> >> > base="/home/devuser/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar"
> >> className="org.apache.catalina.webresources.FileResourceSet"
> >> webAppMount="/WEB-INF/lib/commons-logging-1.2.jar" />
> >>
> >>
> >> As it's purely for development guess it makes no difference?
> >
> > I doubt you'll notice if you disable it.
>
> +1
>
> Since you are using JAR files, the caching won't matter once the classes
> themselves are loaded into memory. So you may observe some slowness
> early in the lifetime of the web application after deployment, but as
> long as your code, etc. isn't trying to re-scan JAR files all the time,
> etc. then you should be fine.
>
> -chris
>
> >> On 05/11/2023 10:02, Mark Thomas wrote:
> >>> On 04/11/2023 11:03, Greg Huber wrote:
> Hello,
>
> I am using the and to run tomcat for
> debugging my app (and it is pretty awesome). I am getting the cache
> warning limit, as it is 10mb, what effect would it have if I turned
> off the cache ie cachingAllowed="false" rather than having to
> increase the limit all the time?
> >>>
> >>> This is one of those "it depends" questions. There are lots of
> >>> factors that will influence how effective the cache is. You could try
> >>> and reason what the impact would be but you will likely get a more
> >>> accurate answer, faster by just trying it and measuring the impact.
> >>>
> >>> Mark
Re:
Greg and Mark,

On 11/5/23 09:31, Mark Thomas wrote:
> On 05/11/2023 10:18, Greg Huber wrote:
>> OK thanks, the docs mention "static resource cache" but I could not
>> find info on what it actually is.
>
> It caches the content of static resources in memory and uses that rather
> than accessing disk.
>
>> I am loading maven jars and /target/classes.
>>
>> eg:
>>
>> As it's purely for development guess it makes no difference?
>
> I doubt you'll notice if you disable it.

+1

Since you are using JAR files, the caching won't matter once the classes
themselves are loaded into memory. So you may observe some slowness
early in the lifetime of the web application after deployment, but as
long as your code, etc. isn't trying to re-scan JAR files all the time,
etc. then you should be fine.

-chris

>> On 05/11/2023 10:02, Mark Thomas wrote:
>>> On 04/11/2023 11:03, Greg Huber wrote:
>>>> Hello,
>>>>
>>>> I am using the and to run tomcat for debugging my app (and it is
>>>> pretty awesome). I am getting the cache warning limit, as it is
>>>> 10mb, what effect would it have if I turned off the cache ie
>>>> cachingAllowed="false" rather than having to increase the limit all
>>>> the time?
>>>
>>> This is one of those "it depends" questions. There are lots of
>>> factors that will influence how effective the cache is. You could try
>>> and reason what the impact would be but you will likely get a more
>>> accurate answer, faster by just trying it and measuring the impact.
>>>
>>> Mark
Re: Admin password for Tomcat
Jerry,

On 11/4/23 20:17, Jerry Malcolm wrote:
> My support team needs to be able to log in to our site as various users
> (on behalf of...) to be able to see exactly what they are seeing since
> roles, access groups, history is different for different users. I would
> like to implement an admin password where I can log in as any userId
> with this password. I totally realize the security risks involved in
> this. But I am handling the security risks with additional
> authorizations. I simply need to make every user have two passwords...
> their real personal password, and the admin password. The only
> alternative I have right now is to save off the user's password hash in
> the USERS table, replace it with my password hash, then restore the
> user's original password when I'm done. I'm not thrilled with that
> solution first because it's a pain and error prone, and also because the
> user can no longer log in while their password is replaced with my
> password.
>
> I figure this function is buried in the authenticator code somewhere.
> But I'd first like to see if anybody has done anything like this
> already. If not, could somebody point me in the right direction to the
> tomcat source file that I'm going to need to modify and also what's
> involved in making authentication use my updated class instead of the
> default.
>
> Suggestions?

This sounds like "impersonation" to me, which, I think, can be done
differently.

If you are indeed describing an X-Y problem above, then might I suggest
the following? Instead of figuring out how to "add" a second password to
a user, what about allowing you to login as e.g. "jerry" and then assume
the identity of the user "tom"?

You should be able to do this by changing the UserPrincipal in the
session to have a different username.

Which application are you trying to do this with? Your own application,
or one which ships with Tomcat (e.g. Manager)?

-chris
Re: FIPS Configuration for Java 11/17 and Tomcat 9
Amit,

On 11/2/23 21:18, Amit Pande wrote:
> Please refer to the link below in case you are interested in
> configuring FIPS for Tomcat 9 running on Java 17.
>
> https://github.com/amitlpande/tomcat-9-fips/wiki/Java-11-17-Tomcat-9-FIPS-Configuration-Using-Bouncy-Castle
>
> I have tested steps for Java 11 and even Java 8 too. But there are
> different ways for Java 8 at least
> (https://github.com/amitlpande/tomcat-9-fips).
>
> Appreciate reviews and any other feedback.

Thanks for doing this. The guide is easy to understand and explains both
the "how" /and/ the "why" for everything.

Nicely done.

-chris
Re: Accessing Credential handler inside the web application always returns null
Азат,

On 10/31/23 13:53, Усманов Азат Анварович wrote:
> Hi everyone!
>
> CredentialHandler became not null as soon as I transferred the Realm
> definition from server.xml to context.xml (after checking the source
> code). I've been able to see the new pbkdf2 version of the given clear
> text password even with the old 9.0.64 version. I was wondering: is the
> necessity to have the realm defined inside context.xml for accessing
> CredentialHandler a design decision or a possible bug in tomcat itself?
> It wasn't mentioned in the tomcat documentation. Perhaps it should be
> added in the docs.

Hmm... it shouldn't matter if you define your in server.xml or in
app/META-INF/context.xml. Are you sure that was the only difference
between working/not-working configurations?

Thanks,
-chris

> From: Усманов Азат Анварович
> Sent: 30 October 2023 20:25
> To: users@tomcat.apache.org
> Subject: RE: Accessing Credential handler inside the web application always returns null
>
> I did recheck using 9.0.82; unfortunately nothing has changed.
> CredentialHandler is still null.
>
> From: Christopher Schultz
> Sent: 30 October 2023 18:52
> To: Tomcat Users List; Усманов Азат Анварович
> Subject: Re: Accessing Credential handler inside the web application always returns null
>
> Азат,
>
> On 10/29/23 20:45, Усманов Азат Анварович wrote:
>> Hi everyone! I'm trying to test CredentialHandler functionality on our
>> test server (Tomcat 9.0.64) inside the web-app. Our realm is defined as
>> follows (excerpt from server.xml)
>>
>> Currently the pwd column defined as Oracle (RAW) only stores md5
>> hashes; I was hoping to upgrade to PBKDF2 using tomcat. So here is the
>> relevant part of the basic login controller code (LoginCheckServlet)
>>
>> LoginCheckServlet
>>
>>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>>             throws ServletException, IOException {
>>         ...
>>         String userName = request.getParameter("j_username");
>>         String password = request.getParameter("j_password");
>>         HttpSession session = request.getSession();
>>         UserRecord user = ...   // load data from db
>>         if (user.checkCorrectPassword(password, session.getServletContext())) {
>>             CredentialHandler cr = Security.getCredentialHandler(getServletContext());
>>             System.out.println(cr.mutate(password)); // hoping to see my password displayed as pbkdf2 hash
>>         }
>>     }
>>
>> Security.getCredentialHandler
>>
>>     public static CredentialHandler getCredentialHandler(final ServletContext context) {
>>         System.out.println("context" + context); // prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>>         System.out.println("context vs" + context.getMajorVersion()); // prints 4
>>         System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER)); // always prints ATRIB null
>>         return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>>     }
>
> Your code and configuration looks reasonable to me.
>
>> So basically it always returns null when trying to access the
>> CredentialHandler attribute inside the Security.getCredentialHandler
>> method. Any idea why it might be the case?
>
> Are you able to re-try with Tomcat 9.0.70 or later? There is a
> changelog[1] entry which may be important for you:
>
> "Fix: Improve the behavior of the credential handler attribute that is
> set in the Servlet context so that it actually reflects what is used
> during authentication. (remm)"
>
> There was a problem specifically with the NestedCredentialHandler, I
> think, which was not working as expected. 9.0.70 includes a fix that
> should improve things for you.
>
> -chris
>
> [1] https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
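An added example (not the poster's code) of what the servlet above is building toward: fetch the handler the Realm publishes, treating null as a configuration error instead of dereferencing it, verify a login, and re-hash a legacy MD5 row to PBKDF2 on the first successful login. It assumes Tomcat 9.0.70 or later with a PBKDF2 CredentialHandler configured on the Realm, and that the legacy pwd column holds a bare hex MD5 digest of the UTF-8 password; persisting the returned value is left to the application.

```java
// PasswordUpgrade.java (added example, not the poster's code). Assumptions: Tomcat 9.0.70+
// with a Realm whose CredentialHandler is configured for PBKDF2, and a legacy pwd column
// holding a bare hex MD5 digest of the UTF-8 password; the caller persists the result.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.ServletContext;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;

public final class PasswordUpgrade {

    /** Fails loudly instead of letting a null handler reach mutate() as in the servlet above. */
    static CredentialHandler handlerFrom(ServletContext ctx) {
        Object h = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        if (!(h instanceof CredentialHandler)) {
            throw new IllegalStateException("No CredentialHandler published on the ServletContext; "
                    + "check the Realm/CredentialHandler config and that Tomcat is 9.0.70 or later");
        }
        return (CredentialHandler) h;
    }

    /**
     * Checks the submitted password against the stored value. Returns null on failure;
     * on success returns the value to store, which is a fresh PBKDF2 hash when the
     * row still held a legacy MD5 digest (upgrade-on-login), else the stored value.
     */
    static String verifyAndUpgrade(CredentialHandler handler, String password, String stored) {
        if (stored == null || password == null) return null;
        if (stored.indexOf('$') < 0) {
            // Legacy row: bare MD5 hex. Tomcat's salted handlers store "salt$iterations$hash",
            // so the absence of '$' is used here as the "not yet upgraded" marker (assumption).
            byte[] expected = md5Hex(password).getBytes(StandardCharsets.US_ASCII);
            byte[] actual = stored.toLowerCase().getBytes(StandardCharsets.US_ASCII);
            if (!MessageDigest.isEqual(expected, actual)) return null;   // constant-time compare
            return handler.mutate(password);   // new PBKDF2 form for the caller to persist
        }
        return handler.matches(password, stored) ? stored : null;
    }

    /** Legacy-only helper for verifying rows that have not been upgraded yet. */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Once every row contains a '$', the MD5 branch is dead code and can be removed.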
Re:
On 05/11/2023 10:18, Greg Huber wrote:
> OK thanks, the docs mention "static resource cache" but I could not
> find info on what it actually is.

It caches the content of static resources in memory and uses that rather
than accessing disk.

> I am loading maven jars and /target/classes.
>
> eg:
>
> As it's purely for development guess it makes no difference?

I doubt you'll notice if you disable it.

Mark

> Cheers Greg
>
> On 05/11/2023 10:02, Mark Thomas wrote:
>> On 04/11/2023 11:03, Greg Huber wrote:
>>> Hello,
>>>
>>> I am using the and to run tomcat for debugging my app (and it is
>>> pretty awesome). I am getting the cache warning limit, as it is
>>> 10mb, what effect would it have if I turned off the cache ie
>>> cachingAllowed="false" rather than having to increase the limit all
>>> the time?
>>
>> This is one of those "it depends" questions. There are lots of
>> factors that will influence how effective the cache is. You could try
>> and reason what the impact would be but you will likely get a more
>> accurate answer, faster by just trying it and measuring the impact.
>>
>> Mark
Re:
OK thanks, the docs mention "static resource cache" but I could not find
info on what it actually is.

I am loading maven jars and /target/classes.

eg:

As it's purely for development guess it makes no difference?

Cheers Greg

On 05/11/2023 10:02, Mark Thomas wrote:
> On 04/11/2023 11:03, Greg Huber wrote:
>> Hello,
>>
>> I am using the and to run tomcat for debugging my app (and it is
>> pretty awesome). I am getting the cache warning limit, as it is
>> 10mb, what effect would it have if I turned off the cache ie
>> cachingAllowed="false" rather than having to increase the limit all
>> the time?
>
> This is one of those "it depends" questions. There are lots of
> factors that will influence how effective the cache is. You could try
> and reason what the impact would be but you will likely get a more
> accurate answer, faster by just trying it and measuring the impact.
>
> Mark
Re:
On 04/11/2023 11:03, Greg Huber wrote:
> Hello,
>
> I am using the and to run tomcat for debugging my app (and it is pretty
> awesome). I am getting the cache warning limit, as it is 10mb, what
> effect would it have if I turned off the cache ie cachingAllowed="false"
> rather than having to increase the limit all the time?

This is one of those "it depends" questions. There are lots of factors
that will influence how effective the cache is. You could try and reason
what the impact would be but you will likely get a more accurate answer,
faster by just trying it and measuring the impact.

Mark
Re: Admin password for Tomcat
Jerry,

> On 05.11.2023 at 02:34, Brian Wolfe wrote:
>
> You need to build a custom realm for that if you're using tomcat to manage
> your user sessions and not creating your own sessions for your application.
> You can extend the existing one that you're using. I assume you're using
> the JDBC Realm since you said you have a USERS table. So you could add
> another field to your table and extend the JDBC class to do an additional
> check on your admin pwd field if you don't want them to have a second
> account.
>
> https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#Standard_Realm_Implementations
>
> You will want to look at the source of the realm implementation to see how
> you need to extend it. So you shouldn't have to do too much to get the
> functionality you're looking for.
>
>> On Sat, Nov 4, 2023 at 8:18 PM Jerry Malcolm wrote:
>>
>> My support team needs to be able to log in to our site as various users
>> (on behalf of...) to be able to see exactly what they are seeing since
>> roles, access groups, history is different for different users. I would
>> like to implement an admin password where I can log in as any userId
>> with this password. I totally realize the security risks involved in
>> this. But I am handling the security risks with additional
>> authorizations.

Back in the days when we had this requirement, we implemented an "admin
tool" where we had the admin user login as themselves and then pick the
user they wanted to see. At this time the password check was simply
skipped. No fiddling with the password table, no security flaws as the
admin tool was not available to the public.

>> I simply need to make every user have two passwords...
>> their real personal password, and the admin password. The only
>> alternative I have right now is to save off the user's password hash in
>> the USERS table, replace it with my password hash, then restore the
>> user's original password when I'm done. I'm not thrilled with that
>> solution first because it's a pain and error prone, and also because the
>> user can no longer log in while their password is replaced with my
>> password.
>>
>> I figure this function is buried in the authenticator code somewhere.
>> But I'd first like to see if anybody has done anything like this
>> already. If not, could somebody point me in the right direction to the
>> tomcat source file that I'm going to need to modify and also what's
>> involved in making authentication use my updated class instead of the
>> default.
>>
>> Suggestions?

Would that be a solution?

Peter

>> Thx
>>
>> Jerry
>
> --
> Thanks,
> Brian Wolfe
> https://www.linkedin.com/in/brian-wolfe-3136425a/
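Chris's suggestion earlier in the thread (log in as yourself, then assume another user's identity) and Peter's admin tool (pick a user, skip the password check) can both be done at the application layer without a second password or any change to Tomcat's authenticator. The following is an added example, not code from the thread or from Tomcat: a servlet filter that wraps the request so the app sees the chosen user while the real support login stays in the session and is written to an audit log. Assumed names: the "support" role, the "impersonate.as" session attribute (set by an admin-only page that re-checks the role), and an in-memory role table standing in for the USERS table.

```java
// ImpersonationFilter.java (added example, not code from the thread or from Tomcat).
// Assumptions: container-managed auth on Tomcat 9 (javax.servlet), a role named "support",
// and a session attribute "impersonate.as" set by an admin-only page; the in-memory
// role table is a constructed stand-in for the real USERS lookup.
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

public class ImpersonationFilter implements Filter {
    private static final Logger AUDIT = Logger.getLogger("audit.impersonation");
    static final String TARGET_ATTR = "impersonate.as";   // assumed session attribute name
    static final String SUPPORT_ROLE = "support";         // assumed role name

    /** Constructed stand-in for the USERS/roles query; replace with the real lookup. */
    static final Map<String, Set<String>> ROLES = Map.of(
            "jerry", Set.of("support", "user"),
            "tom", Set.of("user", "history"));

    static Set<String> rolesOf(String user) {
        return ROLES.getOrDefault(user, Set.of());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Principal actor = http.getUserPrincipal();
        String target = session == null ? null : (String) session.getAttribute(TARGET_ATTR);

        // Honour impersonation only for an authenticated support user, and never onto
        // another support user: that would be privilege escalation, not "view as".
        if (actor == null || target == null || !http.isUserInRole(SUPPORT_ROLE)
                || rolesOf(target).contains(SUPPORT_ROLE)) {
            if (session != null) session.removeAttribute(TARGET_ATTR);   // drop stale/invalid target
            chain.doFilter(req, res);
            return;
        }
        // The audit trail records the real identity; the application only ever sees the target.
        AUDIT.info(actor.getName() + " acting as " + target + " on " + http.getRequestURI());
        chain.doFilter(new AsUser(http, target), res);
    }

    /** Presents the target's identity and the target's roles; the admin's roles are not inherited. */
    static final class AsUser extends HttpServletRequestWrapper {
        private final String name;
        AsUser(HttpServletRequest r, String name) { super(r); this.name = name; }
        @Override public Principal getUserPrincipal() { return () -> name; }
        @Override public String getRemoteUser() { return name; }
        @Override public boolean isUserInRole(String role) { return rolesOf(name).contains(role); }
    }
}
```

Map the filter in web.xml ahead of the application's own authorization checks so every role decision downstream is made for the impersonated user, and keep the page that sets "impersonate.as" behind the same support role constraint.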