Tomcat 9.0.36
JDK 1.8.0_251

We are trying to use Tomcat JDBCRealm to access user credentials stored in
Oracle DB. The user password is hashed with a SALT and stored in a table.

*ISSUE:* We can authenticate using the BASIC auth-method while passing the
hashed string of the password but the DIGEST auth-method fails to create
the matching hash of the user password after configuring the realm-name
with the SALT and using the CredentialHandler
MessageDigestCredentialHandler.

The user HASH password is created using Oracle DBMS_CRYPTO by taking the
SALT combined with the password to create a raw string that is then HASHED

Using the Tomcat DIGEST command, we can successfully create the user's matching
HASH on the command line as follows: *digest.bat -a SHA-1 -s 0 SALTpassword*
*SALTpassword:86a0e40af8c1a0e970f9432bee75bcc886145440* (the other formats
for using the SALT do not produce a matching HASH -
UserName:Realm:Password), BUT we cannot authenticate when using the Tomcat
authentication form in the browser. The password hash is not matching. We
cannot tell how the form is using the SALT to hash the password to see
where the issue is.

Can you tell us exactly how the Tomcat authentication form uses the SALT
configured in the web.xml file to create the password hash? Does it hash
the SALT and password as one string, or does it use another method?


server.xml
...
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="oracle.jdbc.driver.OracleDriver"
connectionURL="jdbc:oracle:thin:@x.x.x.x:1521/test"
connectionName="dev"
connectionPassword="dev1"
userTable="USERS" userNameCol="USERNAME" userCredCol="PASSWORD"
userRoleTable="USER_ROLES" roleNameCol="ROLES" >
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="SHA-1" saltLength="0" iterations="1" />
</Realm>

web.xml
 ...
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>SALT</realm-name>
</login-config>
...

Thanks.
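The following is an added illustration, not part of the list post above and not Tomcat's own code. It shows what HTTP Digest authentication (RFC 2617) actually requires the server to hold: the server has to reproduce HA1 = MD5(username:realm:password) from its stored credential, so the realm-name is an input to that MD5, not a salt for a separate hash. Tomcat's Realm documentation describes the same requirement for DIGEST: the stored credential must be one MD5 iteration, no salt, over username:realm:password. A SHA-1 over SALT+password therefore cannot verify a DIGEST response, which is the mismatch described in the post. The user name, password, nonce and URI below are constructed sample values.

```python
"""Why a salted SHA-1 credential cannot satisfy HTTP Digest (RFC 2617).

Added example, not code from the Tomcat list post or from Tomcat itself.
All names, credentials, nonces and URIs are constructed sample values.
"""
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """MD5 hex digest of a UTF-8 string (RFC 2617 uses MD5 throughout)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username ":" realm ":" password).

    This is the only form in which a server may store a Digest credential
    without keeping the plaintext password; the realm is part of the input.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_credential: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_response: str,
                  qop: str = "auth") -> bool:
    """Server side check.

    The server treats the stored credential as HA1 and recomputes the
    response. It never sees the password, so it cannot derive HA1 from any
    other stored hash, salted or not.
    """
    expected = digest_response(stored_credential, method, uri, nonce, nc,
                               cnonce, qop)
    return hmac.compare_digest(expected, client_response)


def salted_sha1(salt: str, password: str) -> str:
    """SHA-1 over the concatenation salt+password, i.e. what
    'digest.bat -a SHA-1 -s 0 SALTpassword' produces (hex, no salt prefix)."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def demo() -> dict:
    """Run one Digest exchange against two candidate stored credentials."""
    username, realm, password = "alice", "SALT", "password"   # constructed
    method, uri = "GET", "/app/secure"                           # constructed
    nonce, nc, cnonce = "5f4c2d8e1a", "00000001", "0a4f113b"    # constructed

    # The browser has the plaintext password and builds HA1 itself.
    client_ha1 = digest_ha1(username, realm, password)
    response = digest_response(client_ha1, method, uri, nonce, nc, cnonce)

    # Credential stored as Tomcat's DIGEST documentation requires.
    stored_for_digest = digest_ha1(username, realm, password)
    # Credential stored as SHA-1(SALT + password), as in the post.
    stored_salted = salted_sha1(realm, password)

    return {
        "digest_ok": server_verify(stored_for_digest, method, uri, nonce,
                                   nc, cnonce, response),
        "salted_ok": server_verify(stored_salted, method, uri, nonce,
                                   nc, cnonce, response),
    }


if __name__ == "__main__":
    print(demo())   # {'digest_ok': True, 'salted_ok': False}
```

The practical consequence for the configuration in the post: BASIC works because the browser sends the password field verbatim and the MessageDigestCredentialHandler can hash whatever arrives with SHA-1 and compare it to the stored column; DIGEST sends only the MD5-based response, so the stored column has to be exactly MD5(username:realm:password) (Tomcat's handler configured with algorithm="MD5", saltLength="0", iterations="1") for any match to be possible. Note also that Digest authentication provides no protection at all over plaintext HTTP beyond hiding the password itself; TLS is still required.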
