Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Thorsten,

On 11/16/22 02:36, Thorsten Schöning wrote:
> Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:17 you wrote:
>> You should double-check the definition of "compliant to CIS benchmark
>> spec" because there is no way in hell that HTTP DIGEST is required.[...]
>
> The spec doesn't tell me exactly to use auth-method DIGEST, but their
> example configs and stuff use exactly that.
>
>> $ grep -i
>> [.\n]*DIGEST[.\n]*
>> UserDatabase[.\n]*
>> $CATALINA_HOME/webapps/manager/WEB-INF/web.xml
>
> And here it comes:
>
>> If a Realm exists without a digest attribute or without a value for
>> the digest attribute, this is a fail.

I see. This is a *super* old document, then. Because that suggests you
can use MD5, which is not acceptable as a hashing algorithm in 2022.

> That sentence is for Tomcat 9, in which that attribute has already been
> removed as well, hasn't it? They don't even mention any credential
> handler possible in Tomcat at all, even though those are superior to
> using the digest attribute.

Agreed. Tomcat 9 should still support "digest" simply due to Tomcat 9's
long history. I believe "digest" was only removed in Tomcat 10 or later.

> So this whole paragraph seems broken in the CIS spec to me and I just
> needed to collect input on how to deal with that.
>
> OTOH, thinking about it again, the customer says to run automatic CIS
> checks using some app and that didn't complain about auth-method BASIC
> yet. So using that with PBKDF2WithHmacSHA512 seems to be fine all the
> more.

I should hope that, with an explanation, you will be able to get an
exemption for that rather outdated rule.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:17 you wrote:

> You should double-check the definition of "compliant to CIS
> benchmark spec" because there is no way in hell that HTTP DIGEST is
> required.[...]

The spec doesn't tell me exactly to use auth-method DIGEST, but their
example configs and stuff use exactly that.

> $ grep -i
> [.\n]*DIGEST[.\n]*
> UserDatabase[.\n]*
> $CATALINA_HOME/webapps/manager/WEB-INF/web.xml

And here it comes:

> If a Realm exists without a digest attribute or without a value for
> the digest attribute, this is a fail.

That sentence is for Tomcat 9, in which that attribute has already been
removed as well, hasn't it? They don't even mention any credential
handler possible in Tomcat at all, even though those are superior to
using the digest attribute.

So this whole paragraph seems broken in the CIS spec to me and I just
needed to collect input on how to deal with that.

OTOH, thinking about it again, the customer says to run automatic CIS
checks using some app and that didn't complain about auth-method BASIC
yet. So using that with PBKDF2WithHmacSHA512 seems to be fine all the
more.

Kind regards

Thorsten Schöning

--
AM-SoFT IT-Service - Bitstore Hameln GmbH
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-Mail: thorsten.schoen...@am-soft.de
Web: http://www.AM-SoFT.de/
Tel: +49 5151- 9468- 0
Tel: +49 5151- 9468-55
Mobil: +49 178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 221853 - Managing director: Janine Galonska
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Thorsten,

On 11/15/22 15:29, Thorsten Schöning wrote:
> Hello Mark Thomas, on Tuesday, 15 November 2022 at 20:44 you wrote:
>> Assuming digesting passwords with one round of MD5 and no salt isn't
>> acceptable (I'd be surprised if it was) then you are probably looking
>> at HTTPS + BASIC + PBKDF2WithHmacSHA512.
>
> Thanks for that clarification, it's exactly what I expected. My major
> problem is that I have IT sec of some customer requiring me to have
> Tomcat configured compliant to the CIS benchmark spec.

You should double-check the definition of "compliant to CIS benchmark
spec" because there is no way in hell that HTTP DIGEST is required.

It's a 100% broken standard that has been fixed by RFC 7616 but, as Mark
says, that RFC has been completely ignored by the world because TLS+HTTP
BASIC does just fine.

The reason it's broken is because it essentially requires that the
server store passwords in plaintext, or at least have access to them in
that form some way or another. Industry standards have progressed since
1993 and now everybody knows that storing recoverable passwords on the
server-side is completely forbidden. Thus it's not possible to implement
HTTP DIGEST in a way that is compliant with any current standard.

> One requirement is to not have cleartext passwords in tomcat-users.xml,
> which is possible with your suggestion. But at the same time config
> examples of that spec use auth-method DIGEST and as we both seem to
> agree, that doesn't make too much sense. Other parts of the spec don't
> make sense in this special aspect as well and simply seem outdated and
> copied over from VERY old Tomcats.
>
> So, my approach will be to use HTTPS + BASIC + PBKDF2WithHmacSHA512
> most likely and simply tell IT sec that CIS benchmark stuff doesn't
> work in that aspect and PBKDF2WithHmacSHA512 is superior. The used app
> does plain-text auth on its own as well and they need to trust HTTPS as
> well, so no real problem, besides that void spec.

I think it's perfectly reasonable for you to challenge the (implied?
requested? required?) use of HTTP DIGEST.

-chris
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Mark Thomas, on Tuesday, 15 November 2022 at 20:44 you wrote:

> Assuming digesting passwords with one round of MD5 and no salt
> isn't acceptable (I'd be surprised if it was) then you are probably
> looking at HTTPS + BASIC + PBKDF2WithHmacSHA512.

Thanks for that clarification, it's exactly what I expected. My major
problem is that I have IT sec of some customer requiring me to have
Tomcat configured compliant to the CIS benchmark spec.

One requirement is to not have cleartext passwords in tomcat-users.xml,
which is possible with your suggestion. But at the same time config
examples of that spec use auth-method DIGEST and as we both seem to
agree, that doesn't make too much sense. Other parts of the spec don't
make sense in this special aspect as well and simply seem outdated and
copied over from VERY old Tomcats.

So, my approach will be to use HTTPS + BASIC + PBKDF2WithHmacSHA512
most likely and simply tell IT sec that CIS benchmark stuff doesn't
work in that aspect and PBKDF2WithHmacSHA512 is superior. The used app
does plain-text auth on its own as well and they need to trust HTTPS as
well, so no real problem, besides that void spec.

Thanks for the input!

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Sorry, you are correct. There is no way to use PBKDF2WithHmacSHA512 in a
Realm along with HTTP DIGEST auth. If you want to use HTTP DIGEST auth
and digested passwords on the server you have to use, quoting the Tomcat
docs, "one iteration of the MD5 algorithm with no salt".

RFC 7616 has added SHA2-256 and SHA2-512/256 to DIGEST auth. That is an
improvement but still not great. Tomcat has not been updated to support
those. Neither has any major browser. I suspect they never will.

Assuming digesting passwords with one round of MD5 and no salt isn't
acceptable (I'd be surprised if it was) then you are probably looking at
HTTPS + BASIC + PBKDF2WithHmacSHA512.

There are a few other options but they come with significant caveats:

- If all the users are Windows domain users then SPNEGO is an
  alternative.
- HTTPS + CLIENT_CERT is also an option but the management overhead of
  issuing clients with certificates is significant.
- It is possible to integrate OAuth2 via JASPIC. There is a library to
  do that for Google. There may be libraries for other providers.

Beyond that you would need to start looking at a 3rd party security
library.

Mark

On 15/11/2022 18:23, Thorsten Schöning wrote:
> Hello Mark Thomas, on Tuesday, 15 November 2022 at 18:36 you wrote:
>> Please go and read my email - and the links I provided - again.
>
> I did, so feel free to tell me how I tell my browser to use my
> plain-text password as PBKDF2WithHmacSHA512 digest with 10 iterations,
> a key length of 256 bits and a salt of 16 bytes. Because my browser's
> dialog asking for username and password doesn't allow me to put any of
> these options in.
>
> Are you sure you have understood that I already know how to store a
> digest with those settings in tomcat-users.xml? That wasn't the
> question. The question was this aspect from your own link:
>
>> When the authenticate() method of the Realm is called, the
>> (cleartext) password specified by the user is itself digested by the
>> same algorithm[...]
>
> There is no cleartext password from the user from the browser if
> "DIGEST" is used. The cleartext password needs to be available in
> tomcat-users.xml, but isn't when using PBKDF2WithHmacSHA512.
>
> Kind regards
>
> Thorsten Schöning
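Mark's point above (a DIGEST realm can only work from the unsalted, single-round MD5 of user:realm:password, so a PBKDF2WithHmacSHA512 store has to be paired with BASIC over TLS) as an added Python example; this is not code from the thread or from Tomcat. The salt$iterations$hash layout, the user names, realm, nonces and passwords are my own constructions, and the RFC 2617 values are the worked example from that RFC's section 3.5.

```python
"""Added example: why HTTP DIGEST cannot be backed by a salted PBKDF2 store.

digest_*  : RFC 2617 Digest, MD5, qop=auth. The server verifies from
            HA1 = MD5(user:realm:password), i.e. "one iteration of MD5 with
            no salt". The password never crosses the wire, but the stored HA1
            is an unsalted, password-equivalent value.
pbkdf2_*  : PBKDF2WithHmacSHA512 with the thread's settings (10 iterations,
            256-bit key, 16-byte salt) in a salt$iterations$hash hex layout
            (assumed here, not necessarily Tomcat's encoding). Verifying it
            needs the cleartext password, which only BASIC delivers.
All credentials, nonces and realms below are constructed sample values.
"""
import hashlib
import hmac
import os


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """The credential a DIGEST-capable server must have stored."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce) -> str:
    """RFC 2617 response for qop=auth; browser and server compute exactly this."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def browser_digest(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: derives HA1 from the typed password, sends only the response."""
    return digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)


def server_verify_digest(stored_credential, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: recomputes from whatever is stored. This only succeeds when the
    stored credential *is* HA1; any other hash of the password cannot match."""
    expected = digest_response(stored_credential, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def rfc2617_example() -> str:
    """The worked example from RFC 2617 section 3.5 (credentials taken from the RFC)."""
    return browser_digest("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b")


def pbkdf2_store(password: str, iterations: int = 10, key_bits: int = 256, salt=None) -> str:
    """Produce a salt$iterations$hash credential (hex, constructed layout). The per-user
    random salt is exactly what makes this unusable as HA1: the browser cannot know it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, key_bits // 8)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Server side for BASIC: re-run the KDF on the cleartext password the browser sent."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def digest_with_pbkdf2_store_fails() -> bool:
    """The thread's scenario: auth-method DIGEST in web.xml, PBKDF2 in tomcat-users.xml.
    The browser answers from the real password; the server holds only the PBKDF2 value
    and cannot reproduce the response. Returns True when the login is (wrongly) rejected."""
    user, realm, pw = "alice", "interner Bereich", "correct horse battery staple"
    nonce, nc, cnonce = "7f3a9c0e", "00000001", "c0ffee"
    response = browser_digest(user, realm, pw, "GET", "/app/admin", nonce, nc, cnonce)
    stored = pbkdf2_store(pw)
    return not server_verify_digest(stored, "GET", "/app/admin", nonce, nc, cnonce, response)
```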
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Mark Thomas, on Tuesday, 15 November 2022 at 18:36 you wrote:

> Please go and read my email - and the links I provided - again.

I did, so feel free to tell me how I tell my browser to use my
plain-text password as PBKDF2WithHmacSHA512 digest with 10 iterations,
a key length of 256 bits and a salt of 16 bytes. Because my browser's
dialog asking for username and password doesn't allow me to put any of
these options in.

Are you sure you have understood that I already know how to store a
digest with those settings in tomcat-users.xml? That wasn't the
question. The question was this aspect from your own link:

> When the authenticate() method of the Realm is called, the
> (cleartext) password specified by the user is itself digested by the
> same algorithm[...]

There is no cleartext password from the user from the browser if
"DIGEST" is used. The cleartext password needs to be available in
tomcat-users.xml, but isn't when using PBKDF2WithHmacSHA512.

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
On 15/11/2022 17:07, Thorsten Schöning wrote:
> Hello Mark Thomas, on Tuesday, 15 November 2022 at 12:51 you wrote:
>> In short, the digested value you save as the user credential is one
>> of the inputs the client uses when calculating the value to use in
>> the authorization header.[...]
>
> My client is a browser and that asks me for plain-text passwords.
> There's no way I could provide a digest generated using
> PBKDF2WithHmacSHA512 with the settings mentioned in my former mail. And
> even if there was, that digest would be a plain-text password again.

This works. Please go and read my email - and the links I provided -
again. If there are things you don't understand, ask specific questions.

You may also find reading RFC 7616 useful.

Mark
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Mark Thomas, on Tuesday, 15 November 2022 at 12:51 you wrote:

> In short, the digested value you save as the user credential is one
> of the inputs the client uses when calculating the value to use in
> the authorization header.[...]

My client is a browser and that asks me for plain-text passwords.
There's no way I could provide a digest generated using
PBKDF2WithHmacSHA512 with the settings mentioned in my former mail. And
even if there was, that digest would be a plain-text password again.

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
On 15/11/2022 10:20, Thorsten Schöning wrote:
> So, is it even possible to use SecretKeyCredentialHandler and
> auth-method DIGEST together or am I required to use BASIC? If DIGEST is
> supported, how does that and credential helper work together without
> plain-text password available at the server at all?

Yes. Completely possible. You just have to create the digests in the
right format.

https://tomcat.apache.org/tomcat-10.1-doc/realm-howto.html#Digested_Passwords

In short, the digested value you save as the user credential is one of
the inputs the client uses when calculating the value to use in the
authorization header. The other values are parts of the request and/or
provided by the server. Hence both the client and server are able to
calculate the same digest.

See
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/realm/RealmBase.java#L389

Mark
How do auth-method BASIC and DIGEST play together with some credential helper?
Hi everyone,

I have some webapp hosted by Tomcat and need to restrict user access to
some part of that. One additional requirement is that this app needs to
be CIS benchmark compliant and that requires not storing plain-text
passwords. So consider the following user database and credential helper
being used to store hashed passwords in "tomcat-users.xml".

> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>        resourceName="UserDatabase">
>   <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>                      algorithm="PBKDF2WithHmacSHA512"
>                      iterations="10"
>                      keyLength="256"
>                      saltLength="16"
>                      />
> </Realm>

And here's where things become interesting, because the docs of the CIS
benchmark PDF are using a DIGEST auth-method instead of my used BASIC
one.

> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>interner Bereich</realm-name>
> </login-config>

From my understanding, the BASIC auth-method results in the browser
sending plain-text passwords to the server, which can then be processed
by some credential helper to compare the results to what is stored in
tomcat-users.xml. OTOH, when using DIGEST, the browser won't ever send
plain-text passwords and hashes them already, which then need to be
compared by Tomcat. To be able to calculate the same hash, AFAIK Tomcat
needs the plain-text password itself as well. But because of the DIGEST
auth-method and the already hashed password in tomcat-users.xml, it
can't have access to the plain-text password. That's the overall goal
of using the credential helper in this case.

Additionally, from my understanding the DIGEST auth-method has nothing
to do with any digest config of any realm or credential helper. It's
really distinguishing on HTTP level how browser and Tomcat share
credentials.

So, is it even possible to use SecretKeyCredentialHandler and
auth-method DIGEST together or am I required to use BASIC? If DIGEST is
supported, how does that and credential helper work together without
plain-text password available at the server at all?

Of course there's TLS in place, it's really about following the CIS
benchmark as much as possible for some customer requirements. But some
parts of that CIS benchmark don't make too much sense to me.

Thanks for your help!

Kind regards

Thorsten Schöning