Yes, but that requires implementing your own credential handler. The default one will still have the bug. Right now I am thinking of using an authentication framework like Apache Shiro.
On Thu, Sep 10, 2015 at 1:48 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sreyan,
>
> On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:
> > Well, I guess now it's confirmed that it is a bug. Do you still need
> > the code?
>
> No, I don't think I will.
>
> However, since you wrote your own CredentialHandler, you could merely
> patch it to check in the matches() method for null. Something like this:
>
>     @Override
>     public boolean matches(String inputCredentials,
>                            String storedCredentials) {
>         if (null == storedCredentials)
>             return false;
>
>         return matchesSaltIterationsEncoded(inputCredentials,
>                                             storedCredentials);
>     }
>
> Then you can resume your testing.
>
> -chris
>
> > On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >
> > > Sreyan,
> > >
> > > On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
> > > > Okay, so if I have stored my password in my DB with SHA256
> > > > encryption, can the credential handler declared in the realm
> > > > work if it is declared with SHA512?
> > >
> > > No. SHA256 and SHA512 produce hashes of different sizes, so with
> > > the same input, they will always produce different outputs.
> > >
> > > https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
> > >
> > > > As far as I know it must be the same algorithm, salt and
> > > > iterations for the hash to be matched perfectly.
> > >
> > > Correct.
> > >
> > > > Now take my case:
> > > >
> > > > <CredentialHandler className=
> > > >     "org.apache.catalina.realm.SecretKeyCredentialHandler"
> > > >     algorithm="PBEWITHMD5ANDTRIPLEDES" />
> > > >
> > > > Okay, this is the credential handler that I am using. In my DB
> > > > the password is stored using PBEWITHHMACSHA384ANDAES_256. A
> > > > completely different algorithm than the one specified before.
> > > > So how come when I put in my user-id and password on my
> > > > form-login page I am not getting an authentication error;
> > > > instead I am being forwarded to the protected resource?
> > >
> > > Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are
> > > somehow aliases of each other? Also, it's possible that your
> > > implementation of the algorithm is flawed.
> > >
> > > Try running the "mutate" method from a command-line driver on some
> > > sample input to see what falls out.
> > >
> > > > It should use the algorithm in the CredentialHandler to
> > > > mutate the password. Now don't tell me that two different
> > > > algorithms offer the same hash.
> > > >
> > > > What is going on here?
> > >
> > > My guess is a bug in the CredentialHandler itself. Can you post
> > > some code?
> > >
> > > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
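The command-line driver Chris suggests, written out as an added example (not code from this thread or from Tomcat): it wraps any CredentialHandler in the null guard from the quoted patch, mutates a constructed sample password with a configurable algorithm, then checks that matches() accepts the right password, rejects a wrong one, returns false (rather than throwing) for a null stored credential, and rejects a value produced under a different algorithm; it also reports whether the key part of the stored value is merely the hex of the password, which is one way two "different" algorithms end up matching. It assumes catalina.jar and tomcat-util.jar on the classpath, the JDK's PBKDF2WithHmacSHA256 and PBKDF2WithHmacSHA1 SecretKeyFactory names, and a made-up driver class name.

```java
import java.security.NoSuchAlgorithmException;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.realm.SecretKeyCredentialHandler;
import org.apache.tomcat.util.buf.HexUtils;

/** Hypothetical driver (class name is made up): exercises a Tomcat CredentialHandler outside the container. */
public class CredentialHandlerDriver {
    /** Null-safe wrapper around any CredentialHandler: the guard Chris describes. */
    static CredentialHandler nullSafe(CredentialHandler delegate) {
        return new CredentialHandler() {
            @Override
            public boolean matches(String input, String stored) {
                // No stored credential: never authenticate, and never let the realm hit a NullPointerException.
                if (input == null || stored == null || stored.isEmpty()) {
                    return false;
                }
                return delegate.matches(input, stored);
            }
            @Override
            public String mutate(String input) {
                return delegate.mutate(input);
            }
        };
    }
    static SecretKeyCredentialHandler handler(String algorithm) throws NoSuchAlgorithmException {
        SecretKeyCredentialHandler h = new SecretKeyCredentialHandler();
        h.setAlgorithm(algorithm); // must equal the algorithm used when the hash was stored
        h.setIterations(20000);
        h.setSaltLength(16);
        return h;
    }
    public static void main(String[] args) throws Exception {
        String algorithm = args.length > 0 ? args[0] : "PBKDF2WithHmacSHA256";
        String password = "correct horse battery staple"; // constructed sample input
        CredentialHandler configured = nullSafe(handler(algorithm));
        CredentialHandler other = nullSafe(handler("PBKDF2WithHmacSHA1"));
        String stored = configured.mutate(password); // "salt$iterations$key", as the realm stores it
        System.out.println("stored value: " + stored);
        // If the key part is just the hex of the password, the SecretKeyFactory handed back
        // the password bytes instead of a derived key, so the algorithm name never mattered.
        String keyPart = stored.substring(stored.lastIndexOf('$') + 1);
        System.out.println("key part is raw password bytes: "
                + keyPart.equalsIgnoreCase(HexUtils.toHexString(password.getBytes("UTF-8"))));
        boolean ok = configured.matches(password, stored)           // right password, same handler
                && !configured.matches("wrong password", stored)   // wrong password
                && !configured.matches(password, null)             // null stored credential, no NPE
                && !other.matches(password, stored);               // value from a different algorithm
        System.out.println(ok ? "handler behaves as expected" : "handler is misconfigured or buggy");
    }
}
```

Run it once with the algorithm from your realm configuration as the first argument to see exactly what that SecretKeyFactory produces for a known input.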