Yes but that requires implementing your own credential handler. But the
default one will still have the bug. Right now I am thinking of using an
authentication framework like Apache Shiro.

On Thu, Sep 10, 2015 at 1:48 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sreyan,
>
> On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:
> > Well I guess now it's confirmed that it is a bug. Do you still need
> > the code?
>
> No, I don't think I will.
>
> However, since you wrote your own CredentialHandler, you could merely
> patch it to check in the matches() method for null. Something like this:
>
>     @Override
>     public boolean matches(String inputCredentials,
>                            String storedCredentials) {
>         if(null == storedCredentials)
>             return false;
>
>         return matchesSaltIterationsEncoded(inputCredentials,
>                                             storedCredentials);
>     }
>
> Then you can resume your testing.
>
> - -chris
>
> > On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Sreyan,
> >
> > On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
> >>>> Okay, so if I have stored my password in my DB with SHA256
> >>>> encryption, can the credential handler declared in the realm
> >>>> work if it is declared with SHA512?
> >
> > No. SHA256 and SHA512 produce hashes of different sizes, so with
> > the same input, they will always produce different outputs.
> >
> > https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
> >
> >>>> As far as I know it must be same algorithm, salt and
> >>>> iterations for the hash to be matched perfectly.
> >
> > Correct.
> >
> >>>> Now take my case:
> >>>>
> >>>> <CredentialHandler className =
> >>>> "org.apache.catalina.realm.SecretKeyCredentialHandler"
> >>>> algorithm = "PBEWITHMD5ANDTRIPLEDES" />
> >>>>
> >>>> Okay, this is the credential handler that I am using. In my DB
> >>>> the password is stored using PBEWITHHMACSHA384ANDAES_256, a
> >>>> completely different algorithm than the one specified before.
> >>>> So how come, when I put in my user-id and password on my
> >>>> form-login page, I am not getting an authentication error and
> >>>> instead I am being forwarded to the protected resource?
> >
> > Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are
> > somehow aliases of each other? Also, it's possible that your
> > implementation of the algorithm is flawed.
> >
> > Try running the "mutate" method from a command-line driver on some
> > sample input to see what falls out.
> >
> >>>> It should use the algorithm in the CredentialHandler to
> >>>> mutate the password. Now don't tell me that two different
> >>>> algorithms offer the same hash.
> >>>>
> >>>> What is going on here?
> >
> > My guess is a bug in the CredentialHandler itself. Can you post
> > some code?
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
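As an added example (not code from this thread or from Tomcat itself), here is a Java subclass of Tomcat's SecretKeyCredentialHandler that applies Chris's null check in matches(), plus the command-line driver he suggests: it runs mutate() on sample input and then feeds the result back to matches() with the right password, a wrong password, a null stored value, and a handler declared with a different algorithm. The class name, the chosen algorithms, the iteration/salt/key sizes and the sample password are assumptions; it needs Tomcat's catalina.jar (8.0 or later) on the classpath.

```java
import java.security.NoSuchAlgorithmException;
import org.apache.catalina.realm.SecretKeyCredentialHandler;

// Hypothetical class name (assumption). Extends Tomcat's SecretKeyCredentialHandler so that a
// missing stored credential (unknown user, empty password column) is a failed match, never a
// null dereference and never an accidental pass.
public class NullSafeSecretKeyCredentialHandler extends SecretKeyCredentialHandler {

    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (inputCredentials == null || storedCredentials == null) {
            return false;
        }
        // The Tomcat base class parses the stored salt, iteration count and hash, then
        // recomputes the hash of inputCredentials with THIS handler's algorithm.
        return super.matches(inputCredentials, storedCredentials);
    }

    // Builds a handler the way a <CredentialHandler> element in the Realm would configure it.
    static NullSafeSecretKeyCredentialHandler configured(String algorithm)
            throws NoSuchAlgorithmException {
        NullSafeSecretKeyCredentialHandler h = new NullSafeSecretKeyCredentialHandler();
        h.setAlgorithm(algorithm); // must be the algorithm that was used when the hash was stored
        h.setIterations(20000);
        h.setSaltLength(16);
        h.setKeyLength(256);
        return h;
    }

    // Command-line driver: run mutate() on sample input and see what falls out.
    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = args.length > 0 ? args[0] : "correct horse battery staple"; // constructed sample

        NullSafeSecretKeyCredentialHandler sha512 = configured("PBKDF2WithHmacSHA512");
        NullSafeSecretKeyCredentialHandler sha1 = configured("PBKDF2WithHmacSHA1");

        // What the Realm would write to the database for this user.
        String stored = sha512.mutate(password);
        System.out.println("stored credential              : " + stored);

        System.out.println("same algorithm, right password : " + sha512.matches(password, stored));
        System.out.println("same algorithm, wrong password : " + sha512.matches("not it", stored));
        System.out.println("same algorithm, null stored    : " + sha512.matches(password, null));
        // Same salt and iterations are parsed out of 'stored', but a different PRF recomputes
        // a different hash, so a handler declared with another algorithm must reject it.
        System.out.println("other algorithm, right password: " + sha1.matches(password, stored));
    }
}
```

Compile and run it with catalina.jar on the classpath; only the first line (same algorithm, right password) should print true, and if the other-algorithm line also prints true the handler, not the algorithm, is what needs investigating.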
