Brian,

On 9/14/16 3:40 PM, Paquin, Brian wrote:
> I was able to set up Tomcat 8.0.35 to use a SHA hashed password in
> tomcat-users.xml (trying to secure the Manager app a bit more),
> but the same setup does not work on 8.5.5.
>
> Is there something I need to change to get this to work again?

Yes.

> server.xml engine:
>
> <Engine name="Catalina" defaultHost="localhost">
>   <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3"
>          lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600">
>     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>            resourceName="UserDatabase"/>
>   </Realm>
>   <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
>         deployXML="true">
>     <Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>
> Command to generate hash that was used as the user's password in
> tomcat-users.xml:
>
> /usr/local/tomcat/bin/digest.sh -a SHA my_password
>
> In 8.5.5, I can log in to Manager if I replace the SHA hash with
> the plaintext version of the password...
>
> I read through
> https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but
> still can't get it to work.

Have a look at http://tomcat.apache.org/migration-85.html, specifically
http://tomcat.apache.org/migration-85.html#Internal_APIs

Note that SHA passwords are no better than plaintext passwords. If you
want to *actually* add some security, you need to at least use salted
passwords. Better yet, use a PBKDF.

You might want to have a look at this presentation:
http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf

-chris
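The following is an added example, not part of the thread and not Tomcat's own documentation. It shows the Host-level realm from the quoted server.xml rewritten for Tomcat 8.5, where a Realm no longer takes a `digest` attribute and the hashing scheme is configured with a nested `CredentialHandler` element instead; it also moves from unsalted SHA to salted, iterated PBKDF2 as the reply recommends. The handler class names and attribute names are Tomcat 8.5's; the salt length, iteration count and key length are this example's own choices, not Tomcat defaults, and the digest.sh invocation in the comment is the author's understanding of the 8.5 tool, with the stored credential shown as a placeholder.

```xml
<!-- Added example (not from the thread). Host-level realm for Tomcat 8.5. -->

<!-- Before (8.0 style). In 8.5 the digest attribute is no longer a Realm
     property, so the realm falls back to comparing the stored value as
     plaintext, which is why a plaintext password "works" and a SHA hex
     string does not. -->
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />

<!-- After: salted, iterated PBKDF2 through a nested CredentialHandler.
     iterations/keyLength/saltLength are this example's choices (assumption),
     chosen high enough that an offline guess of a stolen hash is slow. -->
<Realm className="org.apache.catalina.realm.MemoryRealm">
  <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                     algorithm="PBKDF2WithHmacSHA512"
                     iterations="100000"
                     keyLength="256"
                     saltLength="16" />
</Realm>

<!-- Generating a matching entry for tomcat-users.xml. digest.sh must be told
     the same handler and parameters as the realm, otherwise the stored
     value will never verify. The command prints
         my_password:<salt-hex>$100000$<key-hex>
     and only the part after the first colon goes into the password attribute.

     /usr/local/tomcat/bin/digest.sh \
         -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 \
         -h org.apache.catalina.realm.SecretKeyCredentialHandler \
         my_password
-->
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin"
        password="SALT_HEX_PLACEHOLDER$100000$KEY_HEX_PLACEHOLDER"
        roles="manager-gui"/>
</tomcat-users>
```

Because the salt is stored alongside the hash, two users with the same password get different stored values and a precomputed table of plain SHA digests is useless against the file; the iteration count is what makes each guess expensive. Keep the realm's handler parameters and the digest.sh parameters in step whenever you change one of them, or existing credentials will stop verifying.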