Sreyan,

On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:
> Well I guess now it's confirmed that it is a bug. Do you still need
> the code?

No, I don't think I will. However, since you wrote your own
CredentialHandler, you could merely patch it to check in the matches()
method for null. Something like this:

    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        // No stored credential means nothing can match: fail closed.
        if (null == storedCredentials) return false;
        return matchesSaltIterationsEncoded(inputCredentials, storedCredentials);
    }

Then you can resume your testing.

-chris

> On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> > Sreyan,
> >
> > On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
> > > Okay, so if I have stored my password in my DB with SHA256
> > > encryption, can the credential handler declared in the realm
> > > work if it is declared with SHA512?
> >
> > No. SHA256 and SHA512 produce hashes of different sizes, so with
> > the same input, they will always produce different outputs.
> >
> > https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
> >
> > > As far as I know it must be the same algorithm, salt and
> > > iterations for the hash to be matched perfectly.
> >
> > Correct.
> >
> > > Now take my case:
> > >
> > > <CredentialHandler className =
> > > "org.apache.catalina.realm.SecretKeyCredentialHandler"
> > > algorithm = "PBEWITHMD5ANDTRIPLEDES" />
> > >
> > > Okay, this is my credential handler that I am using. In my DB
> > > the password is stored using PBEWITHHMACSHA384ANDAES_256. A
> > > completely different algorithm than the one specified before.
> > > So how come when I put in my user-id and password on my
> > > form-login page I am not getting an authentication error;
> > > instead I am being forwarded to the protected resource.
> >
> > Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are
> > somehow aliases of each other? Also, it's possible that your
> > implementation of the algorithm is flawed.
> > Try running the "mutate" method from a command-line driver on some
> > sample input to see what falls out.
> >
> > > It should use the algorithm in the CredentialHandler to
> > > mutate the password. Now don't tell me that two different
> > > algorithms offer the same hash.
> > >
> > > What is going on here?
> >
> > My guess is a bug in the CredentialHandler itself. Can you post
> > some code?
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
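To make the two points of this thread concrete (a matches() that fails closed when the stored credential is null, and two different algorithms never verifying each other's output), here is an added stand-alone Python stand-in for a salt/iterations/encoded credential handler. It is not Tomcat's code; the "salt$iterations$hash" layout, the PBKDF2 derivation and the function names are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed stored layout (constructed for this example): "<salt-hex>$<iterations>$<hash-hex>",
# i.e. the salt / iterations / encoded triple that matchesSaltIterationsEncoded() implies.
KEY_LENGTH = 32


def mutate(password: str, salt: bytes, iterations: int, algorithm: str) -> bytes:
    """Stand-in for a handler's mutate(): PBKDF2 over the configured HMAC digest."""
    return hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations, KEY_LENGTH)


def store(password: str, algorithm: str, iterations: int = 20000) -> str:
    """Produce the value that would be written to the user table."""
    salt = os.urandom(16)
    return f"{salt.hex()}${iterations}${mutate(password, salt, iterations, algorithm).hex()}"


def matches(input_credentials: Optional[str], stored_credentials: Optional[str], algorithm: str) -> bool:
    """Fail closed: a missing or malformed stored credential is never a match."""
    if stored_credentials is None or input_credentials is None:
        return False
    try:
        salt_hex, iterations_str, stored_hex = stored_credentials.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
        expected = bytes.fromhex(stored_hex)
    except ValueError:
        return False  # wrong field count, bad hex or bad integer: refuse rather than guess
    computed = mutate(input_credentials, salt, iterations, algorithm)
    # Constant-time comparison so a mismatch does not leak where the digests diverge.
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    stored = store("correct horse", "sha256")
    print("stored:", stored)
    print("null stored credential:", matches("correct horse", None, "sha256"))          # False
    print("same algorithm:", matches("correct horse", stored, "sha256"))                # True
    print("handler configured with sha512:", matches("correct horse", stored, "sha512"))  # False
```

Running the driver is the "see what falls out" check suggested above: the same input under sha256 and sha512 yields different digests, so only the algorithm the value was stored with verifies it.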