Well, I guess now it's confirmed that it is a bug. Do you still need the code?

On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Sreyan,
>
> On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
> > Okay, so if I have stored my password in my DB with SHA256
> > encryption, can the credential handler declared in the realm work
> > if it is declared with SHA512?
>
> No. SHA256 and SHA512 produce hashes of different sizes, so with the
> same input, they will always produce different outputs.
>
> https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
>
> > As far as I know it must be same algorithm, salt and iterations for
> > the hash to be matched perfectly.
>
> Correct.
>
> > Now take my case-:
> >
> > <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler" algorithm="PBEWITHMD5ANDTRIPLEDES" />
> >
> > Okay, this is my credential handler that I am using. In my DB the
> > password is stored using PBEWITHHMACSHA384ANDAES_256, a completely
> > different algorithm than the one specified before. So how come, when
> > I put in my user-id and password on my form-login page, I am not
> > getting an authentication error and instead I am being forwarded to the
> > protected resource?
>
> Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are
> somehow aliases of each other? Also, it's possible that your
> implementation of the algorithm is flawed.
>
> Try running the "mutate" method from a command-line driver on some
> sample input to see what falls out.
>
> > It should use the algorithm in the CredentialHandler to mutate the
> > password. Now don't tell me that two different algorithms offer the
> > same hash.
> >
> > What is going on here ?
>
> My guess is a bug in the CredentialHandler itself. Can you post some code?
>
> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

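The command-line check Chris suggests, as an added example that is not part of this thread and not Tomcat's own code: it runs the JCE key-derivation step the SecretKeyCredentialHandler is assumed to rely on (PBEKeySpec into SecretKeyFactory, hex of the encoded key) for the two algorithm names from the question and for a PBKDF2 algorithm, and prints the password's own bytes alongside so that a "hash" that merely echoes the password back, or that does not change with the salt, is obvious. The sample password, salt size and iteration count are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added driver (not Tomcat code). Mirrors the assumed mutate() derivation step:
 *  PBEKeySpec -> SecretKeyFactory.generateSecret -> getEncoded -> hex. */
public class PbeMutateDriver {

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Hypothetical equivalent of the handler's mutate() for one algorithm name. */
    static String mutate(String algorithm, String password, byte[] salt,
                         int iterations, int keyLength) throws Exception {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyLength);
        SecretKeyFactory f = SecretKeyFactory.getInstance(algorithm);
        // In the SunJCE provider the PBEWith<digest>And<cipher> factories hand back a
        // PBEKey whose encoded form is the password characters themselves; only the
        // PBKDF2WithHmac* factories actually derive key material from salt and iterations.
        return toHex(f.generateSecret(spec).getEncoded());
    }

    public static void main(String[] args) throws Exception {
        String password = args.length > 0 ? args[0] : "secret"; // constructed sample input
        int iterations = 20000, keyLength = 256;                // constructed parameters
        String[] algorithms = {
            "PBEWITHMD5ANDTRIPLEDES", "PBEWITHHMACSHA384ANDAES_256", "PBKDF2WithHmacSHA256" };

        System.out.println("password bytes              : "
            + toHex(password.getBytes(StandardCharsets.US_ASCII)));
        // Two rounds with different random salts: a real password hash must differ
        // between rounds and must never equal the password bytes printed above.
        for (int round = 1; round <= 2; round++) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            System.out.println("-- salt round " + round + " (" + toHex(salt) + ")");
            for (String alg : algorithms) {
                try {
                    System.out.printf("%-28s: %s%n", alg,
                        mutate(alg, password, salt, iterations, keyLength));
                } catch (Exception e) {
                    System.out.printf("%-28s: unavailable (%s)%n", alg, e);
                }
            }
        }
    }
}
```

Compile and run with `javac PbeMutateDriver.java && java PbeMutateDriver secret`; an algorithm whose output matches the raw password bytes on both rounds is not hashing the credential and is why two "different" algorithms can both accept the same stored value.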