Jason,

On 3/8/16 8:44 PM, Jason Overland wrote:
> Okay, so I checked out Tomcat 8.0.32 from source control. I then
> reverted MemoryRealm's authenticate method to how it was in 7.0.26 and
> built Tomcat and now my authentication works. This of course is not a
> solution, but it obviates most of my other questions. I guess the
> important question is: how do I set the CredentialHandler on the
> MemoryRealm?

The way you are setting the CredentialHandler is correct:

>> <Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA">
>>   <CredentialHandler algorithm="SHA"
>>     className="org.apache.catalina.realm.MessageDigestCredentialHandler"/>
>> </Realm>

You actually don't need to specify the CredentialHandler if you specify
the "digest" attribute, since Tomcat will synthesize a
MessageDigestCredentialHandler for you and use the "digest" as the
"algorithm". But it doesn't hurt to do what you have done.

> For authentication our configuration is using a MemoryRealm with
> digest="SHA". We are storing usernames and passwords in a
> tomcat-users.xml file. We are using a jaas.config which specifies to
> use a org.apache.catalina.realm.JAASMemoryLoginModule. We have our
> own implementation of a CallbackModule.

I must admit I'm not sure how the JAAS configuration fits into all this
(I simply have no JAAS experience). But I suspect that since
JAASMemoryLoginRealm extends RealmBase, it needs to be configured
similarly.

The <Realm> you have in server.xml looks to be configured correctly, but
I'm not sure it's being used if JAAS is in play. I wouldn't be surprised
if JAAS is creating a separate instance of the JAASMemoryLoginRealm
(which is a MemoryRealm) and never setting any of those properties.

It looks like the best way to set those properties is via the "options"
for the realm:

>> jaas.config:
>> /** JAAS Login Configuration for the Application **/
>>
>> JAASTomcat {
>>   org.apache.catalina.realm.JAASMemoryLoginModule required debug=true;
>> };

Instead of simply "debug=true" for the options, we might want to add
"digest=SHA" and then handle it in the initializer for
JAASMemoryLoginRealm.

I think the reason that this works in the older code is that the default
algorithm of SHA is built into the MemoryRealm and doesn't require the
new CredentialHandler stuff. The new method for creating a
CredentialHandler without actually specifying one (i.e. digest="SHA")
requires that the "digest" actually be set to something. Since that's
not happening, you get an NPE.

Since you are willing to build your Tomcat from source, can I give you a
patch to test?

This is definitely a bug, please file it in Bugzilla if you wouldn't mind:
https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208

-chris
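
When debugging a setup like the one in this thread, it helps to confirm offline whether the entries in tomcat-users.xml match a known password under the configured digest. The script below is an added example, not part of the thread and not Tomcat's code. It assumes unsalted, single-iteration hex digests as stored for a MemoryRealm with digest="SHA"; the user names, passwords and function names are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Java MessageDigest names (as used in digest="...") mapped to hashlib names.
JAVA_TO_HASHLIB = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "MD5": "md5"}


def hex_digest(password, algorithm):
    """Unsalted, single-iteration hex digest (the assumed storage format)."""
    h = hashlib.new(JAVA_TO_HASHLIB[algorithm.upper()])
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def load_users(xml_text):
    """Return {username: stored password attribute}, with or without an XML namespace."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): u.get("password")
            for u in root.iter() if u.tag.split("}")[-1] == "user"}


def matches(stored, supplied, algorithm):
    """Compare a supplied password with a stored entry.

    algorithm=None models a realm instance whose digest was never set
    (assumption: an unset digest means the stored value is clear text),
    so a digested entry cannot match in that case.
    """
    if stored is None or supplied is None:
        return False
    if algorithm is None:
        return hmac.compare_digest(stored.encode(), supplied.encode())
    expected = hex_digest(supplied, algorithm)
    # Hex digests are compared case-insensitively.
    return hmac.compare_digest(stored.lower().encode(), expected.encode())


# Constructed sample file: "jason" is stored as an upper-case SHA-1 hex digest
# of "s3cret", "plain" is stored as clear text.
SAMPLE_XML = """<tomcat-users>
  <user username="jason" password="%s" roles="manager-gui"/>
  <user username="plain" password="changeit" roles="user"/>
</tomcat-users>""" % hex_digest("s3cret", "SHA").upper()

if __name__ == "__main__":
    users = load_users(SAMPLE_XML)
    for name, pw in (("jason", "s3cret"), ("plain", "changeit")):
        for alg in ("SHA", None):
            print(name, alg, matches(users[name], pw, alg))
```
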