Jason,
On 3/8/16 8:44 PM, Jason Overland wrote:
> Okay, so I checked out Tomcat 8.0.32 from source control. I then
> reverted MemoryRealm's authenticate method to how it was in 7.0.26 and
> built Tomcat and now my authentication works. This of course is not a
> solution, but it obviates most of my other questions. I guess the
> important question is: how do I set the CredentialHandler on the
> MemoryRealm?
The way you are setting the CredentialHandler is correct:

>> <Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA">
>>   <CredentialHandler algorithm="SHA"
>>     className="org.apache.catalina.realm.MessageDigestCredentialHandler"/>
>> </Realm>

You actually don't need to specify the CredentialHandler if you specify
the "digest" attribute, since Tomcat will synthesize a
MessageDigestCredentialHandler for you and use the "digest" as the
"algorithm". But it doesn't hurt to do what you have done.
> For authentication our configuration is using a MemoryRealm with
> digest="SHA". We are storing usernames and passwords in a
> tomcat-users.xml file. We are using a jaas.config which specifies to
> use an org.apache.catalina.realm.JAASMemoryLoginModule. We have our
> own implementation of a CallbackModule.
I must admit I'm not sure how the JAAS configuration fits into all this
(I simply have no JAAS experience). But I suspect that since
JAASMemoryLoginRealm extends RealmBase, it needs to be configured similarly.
The <Realm> you have in server.xml looks to be configured correctly, but
I'm not sure it's being used if JAAS is in play. I wouldn't be surprised
if JAAS is creating a separate instance of the JAASMemoryLoginRealm
(which is a MemoryRealm) and never setting any of those properties.
It looks like the best way to set those properties is via the "options"
for the realm:

>> jaas.config:
>> /** JAAS Login Configuration for the Application **/
>>
>> JAASTomcat {
>>   org.apache.catalina.realm.JAASMemoryLoginModule required debug=true;
>> };

Instead of simply "debug=true" for the options, we might want to add
"digest=SHA" and then handle it in the initializer for JAASMemoryLoginRealm.
I think the reason that this works in the older code is that the default
algorithm of SHA is built into the MemoryRealm and doesn't require the
new CredentialHandler stuff. The new method for creating a
CredentialHandler without actually specifying one (i.e. digest="SHA")
requires that the "digest" actually be set to something. Since that's
not happening, you get an NPE.
Since you are willing to build your Tomcat from source, can I give you a
patch to test?
This is definitely a bug, please file it in Bugzilla if you wouldn't mind:
https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208
-chris
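
Added example, not part of the original message and not Tomcat's code: a sketch of matching a presented password against a stored digest when digest="SHA", rejecting an unset algorithm up front instead of letting it surface as a NullPointerException. The class and method names are hypothetical, and it assumes the stored credential is the plain hex digest of the UTF-8 password with no salt and a single iteration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Hypothetical illustration class; not part of Tomcat.
public class DigestMatchSketch {

    // Hex-encode a digest of the password (assumption: no salt, one iteration, UTF-8).
    static String hexDigest(String algorithm, String password) throws NoSuchAlgorithmException {
        if (algorithm == null) {
            // The unset-"digest" case: refuse explicitly rather than fail later with an NPE.
            throw new IllegalStateException("no digest algorithm configured");
        }
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] raw = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Compare the presented password with the stored hex digest; any error means "no match".
    static boolean matches(String algorithm, String presented, String storedHex) {
        if (presented == null || storedHex == null) {
            return false;
        }
        try {
            byte[] computed = hexDigest(algorithm, presented).getBytes(StandardCharsets.US_ASCII);
            byte[] stored = storedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(computed, stored); // constant-time comparison
        } catch (NoSuchAlgorithmException | IllegalStateException e) {
            return false; // fail closed: misconfiguration never authenticates anyone
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credential, as it might be stored for one user.
        String stored = hexDigest("SHA", "s3cret");
        System.out.println("correct password: " + matches("SHA", "s3cret", stored));
        System.out.println("wrong password:   " + matches("SHA", "wrong", stored));
        System.out.println("unset algorithm:  " + matches(null, "s3cret", stored));
    }
}
```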