Finally, found the issue. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that).
Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest for password-hashing in there, by simply overriding the digest() method. Before 7.0.50, this worked fine *without* explicitly setting the DataSourceRealm.setDigest() property. It's always been null, and still worked. But the new method RealmBase.compareCredentials() assumes: if you use messageDigest, this property MUST be set. ( compareCredentials() calls hasMessageDigest() which did not happen in earlier versions. ) So the solution was to simply add the property digest in <Realm digest="..." ...> which we didnt have there before. Then it works. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote: > On 12/03/2015 15:51, rop wrote: > > Ah, I got it now. > > Thanks, David. > > > > Yes, the a-b-c-d points are OK then. > > > > As a trouble-shoot action, I actually did an install-and-test "binary > > search" > > among the intermediate tomcat-versions to pinpoint exactly which version > > breaks our app. > > > > Turns out, up to 7.0.47 it still works OK. > > (7.0.48 and 7.0.49 do not exist in the tomcat archive) > > And from 7.0.50 it breaks. > > > > So apparently, between 47 and 50 some change occurred that breaks our > > login.... > > Nothing jumps out at me in the change log. I'd add that FORM auth is > tested as part of every release so it isn't a general problem. > > In your shoes, I'd be firing up Eclipse and remote debugging my way > through the authentication process. Alternatively, try creating the > smallest/simplest possible WAR that exhibits the problem. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
