Yuval,
On 5/20/15 9:34 AM, Yuval Schwartz wrote:
> I believe I am running tomcat 8.0 (although when I call the
> getServerInfo() method of the implicit ServletContext Object it
> tells me that I am running on 7.54)

Then you are not running Tomcat 8.0.x.

> I configured my realm element in my context.xml file as follows
> (based on the howto guide:
> https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html):

If you are running Tomcat 7, the Tomcat 8 users guide may give you bad
guidance. If you are intending to run Tomcat 8, you might want to get
that fixed, first.

> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>        debug="99"

The "debug" attribute hasn't been supported for something like 10 years.

>        dataSourceName="jdbc/board" localDataSource="true"
>        userTable="test_user" userNameCol="Email"
>        userCredCol="HashedPassword" userRoleTable="test_user_role"
>        roleNameCol="Role">
>
>   <CredentialHandler className="MessageDigestCredentialHandler"
>                      algorithm="SHA-1" iterations="1000" saltLength="48"/>

Oh, good: someone is using the CredentialHandler to improve their
security. You might want to:

1. Switch to a larger hash, like SHA-256
2. Find out how much time it takes to do 1000 SHA-1 (or SHA-256)
   hashes on your server. You want the hashing to take more than a
   trivial amount of time.

Our services currently use more than 10k iterations of SHA-256. This
makes brute-forcing our password database very time consuming for an
attacker, if they were to capture the database itself.

> </Realm>
>
>
> However, despite the password being stored in the format described
> in your "how to" manual (i.e. {salt}${iterations}${password}),
> authentication fails. I assume that this is because something in my
> <Realm> configuration is wrong.
Tomcat can generate a hash for you from the command-line:

$ ./bin/digest.sh -a SHA-256 -i 1000 -s 48 'test'
test:04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719cd25cc82eca073f9a925c005aadf238b$1000$22cb9257949205ffbff01088b46137cf768dc67a0faca26f48269ca9250d4d9b

Let's take apart that credential to see what's in there:

hash: 04d9deb5 f6f1f206 c7139a28 806e7ebd e8f44401 8e019116 8f8d0029
      1d6e8719 cd25cc82 eca073f9 a925c005 aadf238b

That's 48 bytes (96 characters) of data.

iteration count: 1000 (easy)

fingerprint: 22cb9257 949205ff bff01088 b46137cf 768dc67a 0faca26f
             48269ca9 250d4d9b

That's 32 bytes (64 characters) of data. SHA-1 produces 32-byte
output, so this looks good on the face of it.

> I was not able to find an answer on online help forums. I also
> couldn't find a way to call the initialized DataSourceRealm
> Object's digest method when inputting the HashedPassword (i.e. I had
> to calculate salt and hash on my own using the SHA-1 algorithm).
> Perhaps this also has something to do with why authentication is
> failing?

You probably weren't following the algorithm the same way. For
example, the 1000 iterations is done like this:

cred = password
do 1000 times:
  cred = hash ( salt + cred )

You probably forgot to salt the credential for each of the
iterations. Take a look at the RealmBase class to see how the stored
credential should be generated initially.
- -chris
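As an added worked example (not part of Chris's reply and not Tomcat's own code), here is a Python take-apart of the {salt}${iterations}${digest} credential format, the digest-size sanity check done by hand above, and a verifier that follows the iteration scheme exactly as the reply describes it. It assumes that scheme; whether it reproduces digest.sh output byte-for-byte is not checked here, and the demo salt is constructed.

```python
import hashlib
import hmac

# Stored-credential layout used when a salt and iteration count are
# configured on MessageDigestCredentialHandler: {salt}${iterations}${digest},
# with salt and digest written as lower-case hex.
def parse_credential(stored: str):
    """Split a stored credential into (salt bytes, iteration count, digest hex)."""
    salt_hex, iter_str, digest_hex = stored.split("$", 2)
    return bytes.fromhex(salt_hex), int(iter_str), digest_hex.lower()

def inspect_credential(stored: str, algorithm: str) -> dict:
    """The 'take apart' from the reply, plus a check that the digest length
    matches the configured algorithm's output size."""
    salt, iterations, digest_hex = parse_credential(stored)
    expected_len = hashlib.new(algorithm).digest_size
    return {
        "salt_bytes": len(salt),
        "iterations": iterations,
        "digest_bytes": len(digest_hex) // 2,
        "digest_size_matches": len(digest_hex) // 2 == expected_len,
    }

def iterated_digest(password: str, salt: bytes, iterations: int, algorithm: str) -> str:
    """Iteration scheme as the reply describes it (assumption, not taken from
    Tomcat's source): cred = password; N times: cred = hash(salt + cred)."""
    cred = password.encode("utf-8")
    for _ in range(iterations):
        cred = hashlib.new(algorithm, salt + cred).digest()
    return cred.hex()

def make_credential(password: str, salt: bytes, iterations: int, algorithm: str = "sha256") -> str:
    """Build a stored credential in the {salt}${iterations}${digest} layout."""
    return f"{salt.hex()}${iterations}${iterated_digest(password, salt, iterations, algorithm)}"

def verify(password: str, stored: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest from the stored salt/iterations; compare in constant time."""
    salt, iterations, expected = parse_credential(stored)
    actual = iterated_digest(password, salt, iterations, algorithm)
    return hmac.compare_digest(actual, expected)

# Constructed demo salt; a real one would come from os.urandom(48).
DEMO_SALT = bytes(range(48))
DEMO_CRED = make_credential("test", DEMO_SALT, 1000)

if __name__ == "__main__":
    print(inspect_credential(DEMO_CRED, "sha256"))
    print(verify("test", DEMO_CRED), verify("wrong", DEMO_CRED))
```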