Thanks again Chris, I wasn't aware that I could look at the actual classes, but I wasn't able to find a precompiled version of RealmBase for Tomcat 8. The following is a link to the class for version 7 (which doesn't include the CredentialHandler code): http://grepcode.com/file/repository.springsource.com/org.apache.catalina/com.springsource.org.apache.catalina/7.0.26/org/apache/catalina/realm/RealmBase
When I try to view this file from my NetBeans IDE (which is the correct version), I get the compiled version. Do you know how I can view the file that's not compiled? Thanks

On Thu, May 21, 2015 at 11:49 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Yuval,
>
> On 5/21/15 2:39 PM, Yuval Schwartz wrote:
> > Hello,
> >
> > I have some follow-up questions to Chris' response below (in blue).
> >
> > On Wed, May 20, 2015 at 5:53 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > Yuval,
> >
> > On 5/20/15 9:34 AM, Yuval Schwartz wrote:
> >>>> I believe I am running tomcat 8.0 (although when I call the getServerInfo() method of the implicit ServletContext Object it tells me that I am running on 7.54)
> >
> > Then you are not running Tomcat 8.0.x.
> >
> >>>> I configured my realm element in my context.xml file as follows (based on the howto guide: https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html):
> >
> > If you are running Tomcat 7, the Tomcat 8 users guide may give you bad guidance. If you are intending to run Tomcat 8, you might want to get that fixed, first.
> >
> >
> >> You are correct, I was running Tomcat 7, which doesn't use the same syntax for digesting from the command prompt (I think it doesn't have the options for salt, iterations, etc.). So I updated to Tomcat 8.
>
> Correct: you'll need Tomcat 8 for the salting and iterative hashing.
>
> >>>> <Realm className="org.apache.catalina.realm.DataSourceRealm"
> >>>> debug="99"
> >
> > The "debug" attribute hasn't been supported for something like 10 years.
> >>>> dataSourceName="jdbc/board" localDataSource="true"
> >>>> userTable="test_user" userNameCol="Email"
> >>>> userCredCol="HashedPassword" userRoleTable="test_user_role"
> >>>> roleNameCol="Role">
> >>>>
> >>>> <CredentialHandler
> >>>> className="MessageDigestCredentialHandler" algorithm="SHA-1"
> >>>> iterations="1000" saltLength="48"/>
> >
> > Oh, good: someone is using the CredentialHandler to improve their security. You might want to:
> >
> > 1. Switch to a larger hash, like SHA-256
> > 2. Find out how much time it takes to do 1000 SHA-1 (or SHA-256) hashes on your server. You want the hashing to take more than a trivial amount of time. Our services currently use more than 10k iterations of SHA-256. This makes brute-forcing our password database very time consuming for an attacker, if they were to capture the database itself.
> >
> >>>> </Realm>
> >>>>
> >>>>
> >>>> However, despite the password being stored in the format described in your "how to" manual (i.e.: {salt}${iterations}${password}), authentication fails. I assume that this is because something in my <Realm> configuration is wrong.
> >
> > Tomcat can generate a hash for you from the command-line:
> >
> > $ ./bin/digest.sh -a SHA-256 -i 1000 -s 48 'test'
> > test:04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719cd25cc82eca073f9a925c005aadf238b$1000$22cb9257949205ffbff01088b46137cf768dc67a0faca26f48269ca9250d4d9b
> >
> > Let's take apart that credential to see what's in there:
> >
> > hash:
> >
> >
> >> Don't you mean "salt" above, instead of "hash:"?
>
> Yes.
>
> > 04d9deb5 f6f1f206 c7139a28 806e7ebd e8f44401 8e019116 8f8d0029
> > 1d6e8719 cd25cc82 eca073f9 a925c005 aadf238b
> >
> > That's 48 bytes (96 characters) of data.
> >
> > iteration count: 1000 (easy)
> >
> > fingerprint: 22cb9257 949205ff bff01088 b46137cf 768dc67a 0faca26f
> > 48269ca9 250d4d9b
> >
> > That's 32 bytes (64 characters) of data.
> > SHA-1 produces 32-byte output, so this looks good on the face of it.
> >
> >
> >> I think you mean "SHA-256" here, right?
>
> Yes, sorry. SHA-256 produces a 256-bit hash, which is 32 8-bit bytes.
>
> >> Yes, it looks correct. My issue is that I would like to run this "digest" from a servlet. How would I do that? I need to run it from a servlet because I need to enter it into my database (in the format {salt}${iterations}${password}).
>
> Take a look at RealmBase to see how it does it.
>
> >> Should I even be doing it this way? This relates to my previous comment: Is there no way to call the same digest function that we ran from the command line, in a servlet?
>
> Sure. Look at how RealmBase does it.
>
> >> Indeed there is a digest method as part of the RealmBase API, I just don't know how to get an instance of the RealmBase Object from the servlet.
>
> Create a new one and fill it with the information you know about how you want to store passwords?
>
> >> I looked at the RealmBase class:
> >
> >> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.html
> >
> >> I couldn't find where it mentions how to initially generate the stored credential. Could you give me a little more direction as to where I should look?
>
> You need to read the code, not look at the API. RealmBase just instantiates an instance of a CredentialHandler, configures it, and then calls its methods. Take a look at RealmBase's main() method. There's a lot of junk in there to handle handlers whose classes and methods are not known, but it boils down to:
>
> 1. Calling a constructor
> 2. Calling set[Stuff] several times
> 3. Calling a method that accepts the cleartext credential and produces an array of hashed bytes.
>
> You will have to manually assemble the {salt}${iterations}${hash} string, which should be trivial at that point.
>
> -chris
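As an added, stand-alone illustration (not code from the thread and not Tomcat's own code), here is the hex(salt)$iterations$hex(digest) scheme Chris takes apart above: a generator with the same output shape as digest.sh, a parser, and a constant-time verifier, run against the credential the thread shows. The round structure (digest salt||password once, then re-digest the raw bytes for the remaining iterations) and the legacy hex-only form for -s 0 -i 1 are my reading of Tomcat 8's MessageDigestCredentialHandler and ConcurrentMessageDigest, not something the thread states.

```python
import hashlib
import hmac
import os

# Stand-alone re-implementation of hex(salt)$iterations$hex(digest); not Tomcat's code.
# Round structure is my reading of Tomcat 8's ConcurrentMessageDigest: round 1 digests
# salt||password, every further round digests the previous round's raw digest bytes.
def tomcat_digest(password, salt, iterations, algorithm="sha256"):
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(password.encode("utf-8"))
    result = h.digest()
    for _ in range(iterations - 1):
        result = hashlib.new(algorithm, result).digest()
    return result

def make_credential(password, iterations=1000, salt_length=48, algorithm="sha256"):
    """Same output shape as `digest.sh -a SHA-256 -i 1000 -s 48`, minus the 'user:' prefix."""
    salt = os.urandom(salt_length)  # fresh random salt for every stored credential
    digest = tomcat_digest(password, salt, iterations, algorithm)
    return f"{salt.hex()}${iterations}${digest.hex()}"

def parse_credential(stored):
    """Split hex(salt)$iterations$hex(digest) into (salt, iterations, digest). A value with
    no '$' is taken as the legacy unsalted single-round form (what -s 0 -i 1 produces)."""
    parts = stored.split("$")
    if len(parts) == 1:
        return b"", 1, bytes.fromhex(parts[0])
    if len(parts) != 3:
        raise ValueError("malformed stored credential")
    return bytes.fromhex(parts[0]), int(parts[1]), bytes.fromhex(parts[2])

def verify(password, stored, algorithm="sha256"):
    salt, iterations, expected = parse_credential(stored)
    actual = tomcat_digest(password, salt, iterations, algorithm)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

# The credential digest.sh printed in the thread, with the leading 'test:' username stripped.
PAGE_EXAMPLE = (
    "04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719c"
    "d25cc82eca073f9a925c005aadf238b$1000$"
    "22cb9257949205ffbff01088b46137cf768dc67a0faca26f48269ca9250d4d9b"
)

if __name__ == "__main__":
    salt, iters, fp = parse_credential(PAGE_EXAMPLE)
    print(len(salt), iters, len(fp))  # 48 1000 32, the sizes Chris counts above
    print(verify("test", make_credential("test")), verify("test", PAGE_EXAMPLE))
```

If the second value printed is False, the round construction here differs from your Tomcat build's, so compare it with ConcurrentMessageDigest in the Tomcat source before relying on it.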