Rop,

On 3/12/15 3:33 PM, rop wrote:
> Finally, found the issue.

Please bottom-post if you can. Also, please sign your posts.

> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 12/03/2015 15:51, rop wrote:
>>> Ah, I got it now. Thanks, David.
>>>
>>> Yes, the a-b-c-d points are OK then.
>>>
>>> As a trouble-shoot action, I actually did an install-and-test
>>> "binary search" among the intermediate tomcat-versions to
>>> pinpoint exactly which version breaks our app.
>>>
>>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49
>>> do not exist in the tomcat archive) And from 7.0.50 it breaks.
>>>
>>> So apparently, between 47 and 50 some change occurred that
>>> breaks our login....
>>
>> Nothing jumps out at me in the change log. I'd add that FORM auth
>> is tested as part of every release so it isn't a general problem.
>>
>> In your shoes, I'd be firing up Eclipse and remote debugging my
>> way through the authentication process. Alternatively, try
>> creating the smallest/simplest possible WAR that exhibits the
>> problem.
>
> The crucial change was in the method RealmBase.compareCredentials(),
> which is new in 7.0.50 (the comparison was much simpler before that).

It is much more extensible, now.

> Dunno if we do something unusual here, but we just extend
> DataSourceRealm, like MyDataSourceRealm, and implement the
> message-digest for password-hashing in there, by simply overriding
> the digest() method.

Do you need to extend the whole realm, or did you just want to override
Tomcat's default password-hashing algorithm? If you just want to tweak
the hashing algorithm, you can write a simpler class and not subclass
DataSourceRealm.

What does your Realm do besides change the password-comparison algorithm?

> Before 7.0.50, this worked fine *without* explicitly setting the
> DataSourceRealm.setDigest() property. It's always been null, and
> still worked.

This was because it defaulted to "MD5" and Tomcat always used simplistic
credential-hashing. It's much more sophisticated, now, and also supports
things like Bcrypt, Scrypt, PBKDF2, etc.

> But the new method RealmBase.compareCredentials() assumes: if you
> use messageDigest, this property MUST be set.
> ( compareCredentials() calls hasMessageDigest() which did not happen
> in earlier versions. )
>
> So the solution was to simply add the property digest in
> <Realm digest="..." ...> which we didn't have there before. Then it works.

Great. But I think you can do better.

If your Realm merely changes the way hashing is done, please check-out
the new features. You may be able to a) eliminate your class altogether
due to new features or b) replace your Realm with a CredentialHandler
that only does the mutation and comparison of credentials. We did this
so you can use the same credential-mutations on *any* realm, without
having to subclass every Realm to do it.

Hope that helps,
-chris
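Chris's option (b) above, as an added example that is not part of the thread and not Tomcat's own code: a standalone `org.apache.catalina.CredentialHandler` that does only the mutation (hashing) and comparison of credentials, so the realm itself no longer has to be subclassed. It assumes a Tomcat version that has the `CredentialHandler` interface, that stored credentials are hex-encoded unsalted message digests of the password (the thread does not say which algorithm; `SHA-256` below is an assumption), and the package name `example` and the `algorithm` property are hypothetical. Before writing your own, check whether Tomcat's bundled `MessageDigestCredentialHandler` already covers the case (Chris's option a).

```java
package example;   // hypothetical package, not from the thread

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.apache.catalina.CredentialHandler;

/*
 * Wired up in server.xml as a nested element of the realm instead of
 * subclassing DataSourceRealm (values other than the class name are
 * placeholders):
 *
 *   <Realm className="org.apache.catalina.realm.DataSourceRealm"
 *          dataSourceName="jdbc/YOUR_DATASOURCE" ...>
 *     <CredentialHandler className="example.HexDigestCredentialHandler"
 *                        algorithm="SHA-256"/>
 *   </Realm>
 *
 * Tomcat sets the "algorithm" attribute through setAlgorithm() below.
 */
public class HexDigestCredentialHandler implements CredentialHandler {

    // Assumed default; override with the algorithm attribute in server.xml.
    private String algorithm = "SHA-256";

    public void setAlgorithm(String algorithm) {
        this.algorithm = algorithm;
    }

    public String getAlgorithm() {
        return algorithm;
    }

    // mutate(): turn a plain-text credential into the stored form
    // (here: lowercase hex of the message digest). Tomcat calls this
    // when creating or comparing credentials.
    @Override
    public String mutate(String inputCredentials) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(inputCredentials.getBytes(StandardCharsets.UTF_8));
            return toHex(digest);
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: a misconfigured algorithm must not silently pass logins.
            throw new IllegalStateException("Unknown digest algorithm: " + algorithm, e);
        }
    }

    // matches(): compare the user-supplied credential with the stored one.
    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (inputCredentials == null || storedCredentials == null) {
            return false;
        }
        byte[] computed = mutate(inputCredentials).getBytes(StandardCharsets.UTF_8);
        // Normalise case so hashes stored as uppercase hex still match.
        byte[] stored = storedCredentials.toLowerCase().getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison, rather than String.equals(), so the
        // comparison does not leak where the first differing byte is.
        return MessageDigest.isEqual(computed, stored);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Because the handler is attached to the realm as a nested element, the same hashing and comparison logic works with any realm (DataSourceRealm, JDBCRealm, UserDatabaseRealm, and so on), which is the point Chris makes about not having to subclass every Realm; and because `matches()` fails closed on a null stored credential and on an unknown algorithm, a missing `digest`-style setting produces a refused login rather than an accidental one.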