Rop,

On 3/12/15 7:10 PM, rop wrote:
> Hi Chris, Yes, we are applying salt before hashing (to prevent
> googling up many passwords from the hashes).

Depending upon how you are storing the salt, you may be able to use
Tomcat out of the box, now, because Tomcat can now do salted passwords
(it was way overdue).

> Override probably seemed like easiest way at the time, but maybe a
> better way now. Will check it out, thanks.

You will be better off moving away from Realm and towards
CredentialHandler instead. Consider beginning to evaluate that for the
future.

-chris

> On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> Rop,
> 
> On 3/12/15 3:33 PM, rop wrote:
>>>> Finally, found the issue.
> 
> Please bottom-post if you can. Also, please sign your posts.
> 
>>>> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas
>>>> <ma...@apache.org> wrote:
>>>> 
>>>>> On 12/03/2015 15:51, rop wrote:
>>>>>> Ah, I got it now. Thanks, David.
>>>>>> 
>>>>>> Yes, the a-b-c-d points are OK then.
>>>>>> 
>>>>>> As a trouble-shoot action, I actually did an
>>>>>> install-and-test "binary search" among the intermediate
>>>>>> tomcat-versions to pinpoint exactly which version breaks
>>>>>> our app.
>>>>>> 
>>>>>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and
>>>>>> 7.0.49 do not exist in the tomcat archive) And from
>>>>>> 7.0.50 it breaks.
>>>>>> 
>>>>>> So apparently, between 47 and 50 some change occurred
>>>>>> that breaks our login....
>>>>> 
>>>>> Nothing jumps out at me in the change log. I'd add that
>>>>> FORM auth is tested as part of every release so it isn't a
>>>>> general problem.
>>>>> 
>>>>> In your shoes, I'd be firing up Eclipse and remote
>>>>> debugging my way through the authentication process.
>>>>> Alternatively, try creating the smallest/simplest possible
>>>>> WAR that exhibits the problem.
>>>> 
>>>> The crucial change was in the method 
>>>> RealmBase.compareCredentials(), which is new in 7.0.50 (the 
>>>> comparison was much simpler before that).
> 
> It is much more extensible, now.
> 
>>>> Dunno if we do something unusual here, but we just extend 
>>>> DataSourceRealm, like MyDataSourceRealm, and implement the 
>>>> message-digest for password-hashing in there, by simply
>>>> overriding the digest() method.
> 
> Do you need to extend the whole realm, or did you just want to 
> override Tomcat's default password-hashing algorithm?
> 
> If you just want to tweak the hashing algorithm, you can write a 
> simpler class and not subclass DataSourceRealm. What does your
> Realm do besides change the password-comparison algorithm?
> 
>>>> Before 7.0.50, this worked fine *without* explicitly setting
>>>> the DataSourceRealm.setDigest() property. It's always been
>>>> null, and still worked.
> 
> This was because it defaulted to "MD5" and Tomcat always used 
> simplistic credential-hashing. It's much more sophisticated, now,
> and also supports things like Bcrypt, Scrypt, PBKDF2, etc.
> 
>>>> But the new method RealmBase.compareCredentials() assumes: if
>>>> you use messageDigest, this property MUST be set. ( 
>>>> compareCredentials() calls hasMessageDigest() which did not
>>>> happen in earlier versions. )
>>>> 
>>>> So the solution was to simply add the property digest in
>>>> <Realm digest="..." ...> which we didn't have there before.
>>>> Then it works.
> 
> Great. But I think you can do better. If your Realm merely changes
> the way hashing is done, please check out the new features. You may
> be able to a) eliminate your class altogether due to new features
> or b) replace your Realm with a CredentialHandler that only does
> the mutation and comparison of credentials.
> 
> We did this so you can use the same credential-mutations on *any* 
> realm, without having to subclass every Realm to do it.
> 
> Hope that helps, -chris
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
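
Added example, not part of the original thread and not Tomcat's shipped configuration: a stock DataSourceRealm with a nested CredentialHandler doing the salted hashing, as the replacement for a Realm subclass that overrides digest(). It assumes a Tomcat version that ships CredentialHandler; the JNDI name, table and column names, the com.example package and the cost parameters are constructed values.

```xml
<!-- Constructed context.xml / server.xml fragment. The data source name,
     table and column names and the cost parameters are assumptions. -->

<!-- Before: Realm subclass overriding digest(), as described in the thread.
     com.example is a hypothetical package; the digest value is a placeholder.
<Realm className="com.example.MyDataSourceRealm"
       digest="DIGEST-PLACEHOLDER"
       dataSourceName="jdbc/authDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />
-->

<!-- After: unmodified DataSourceRealm. Hashing and comparison are delegated
     to the nested CredentialHandler, so no digest attribute is set. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name">

  <!-- Salted, iterated key derivation (PBKDF2). A fresh random salt of
       saltLength bytes is generated per password; the stored value has the
       form salt$iterations$hash, hex encoded. -->
  <CredentialHandler
      className="org.apache.catalina.realm.SecretKeyCredentialHandler"
      algorithm="PBKDF2WithHmacSHA512"
      iterations="100000"
      keyLength="256"
      saltLength="16" />

  <!-- Alternative for a salted plain digest instead of PBKDF2:
       className="org.apache.catalina.realm.MessageDigestCredentialHandler"
       with algorithm, iterations and saltLength attributes. -->
</Realm>
```

Hashes written by a custom digest() override only keep working if they are already in the format the chosen handler expects; otherwise they have to be regenerated when users next set a password.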