-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sryan,
On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:
> Well I guess now its confirmed that it is a bug. Do you still need
> the code ?
No, I don't think I will.
However, since you wrote your own CredentialHandler, you could merely
patch it to check in the matches() method for null. Something like this:
@Override
public boolean matches(String inputCredentials,
String storedCredentials) {
if(null == storedCredentials)
return false;
return matchesSaltIterationsEncoded(inputCredentials,
storedCredentials);
}
Then you can resume your testing.
- -chris
> On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Sreyan,
>
> On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
>>>> Okay is if I have stored my password in my DB with SHA256
>>>> encryption, can the credential handler declared in the realm
>>>> work if the it is declared with SHA512 ?
>
> No. SHA256 and SHA512 produce hashes of different sizes, so with
> the same input, they will always produce different outputs.
>
> https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
>
>>>> As far as I know it must be same algorithm, salt and
>>>> iterations for the hash to be matched perfectly.
>
> Correct.
>
>>>> Now take my case-:
>>>>
>>>> <CredentialHandler className =
>>>> "org.apache.catalina.realm.SecretKeyCredentialHandler"
>>>> algorithm = "PBEWITHMD5ANDTRIPLEDES" />
>>>>
>>>> Okay this my credential handler that I am using. In my DB
>>>> the password is stored using PBEWITHHMACSHA384ANDAES_256. A
>>>> completely different algorithm that the one specified before.
>>>> So how come when I put in my user-id and password on my
>>>> form-login page I am not getting an authentication error
>>>> instead I am being forwarded to the protected resource.
>
> Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are
> somehow aliases of each other? Also, it's possible that your
> implementation of the algorithm is flawed.
>
> Try running the "mutate" method from a command-line driver on some
> sample input to see what falls out.
>
>>>> It should use the algorithm in the CredentialHandler to
>>>> mutate the password. Now don't tell me that two different
>>>> algorithms offer the same hash.
>>>>
>>>> What is going on here ?
>
> My guess is a bug in the CredentialHandler itself. Can you post
> some cod e?
>
> -chris
>>
>> ---------------------------------------------------------------------
>>
>>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV8JQpAAoJEBzwKT+lPKRYBlQP/2dedJFcZSsAGF+0uxRGIPfr
vW26AOOaT/qPS88eQiCucufYOpPx180ifdIdnNVtLRZbIYyeQMBQiFTezMZM1Psx
2Ufuw1ZEPV0kZteptnDgGyipZKtDaxl/7hYY76O3yy8ki62Fa6TcRtR8UBPY0pJs
kVYw9ZWqVVq8smkDomYAA/wwtGUzXORB3RN5yKGtKPx7roV00cLAoKQTv4ZlxfM5
LMuuorMx9jnWI9JXTlQdxi9ydQ1IlALrv9igbXE1/cYCnLrHtJVrE+bzvL4XPy+1
C9H8UdWT8Mqdn4qSIi5Zp0JDkRffvjVj4WA7V3Yt2+7HqlcZjEFDdAtN//DJ9T4A
Zc/NJ73vXyEnFKt1S3mgqTIaGi7tr13VX8mXyFVSXzP/wvoQpCaOr0RYyIVvTdOc
r42X1j5gq3tKTV1Hxe73SoM9iJivFvq6VFq+zvzv3fdNyHt1TukwM3E7nxnd6cXr
euWj5IUc1+Z002xQBPKWjxAJFxsmd1cvM9A4zuhr70P2WcTsYSCbTn0ETB7Vtssb
Rr1ED6jf2MKE/JIU8G6YKU5yuLqAnSaJleHOyWz/N8X5fUN5q4sfeV174UluS1WU
+J017q60ZBrkEdzPB7bO/Jku1ThPHcFMbg5VfQQ+TTyN6AugQYfvasrvfBhu2wdL
3CMQ6Hf+ShnIB8aWI8zj
=Sxyr
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
