Mark,

Thanks for your quick response. We will try your suggestion as this may be
the only option we have to get the users authenticated.

Thanks again.



On Thu, Jul 2, 2020 at 2:43 PM Mark Thomas <ma...@apache.org> wrote:

> On 02/07/2020 17:38, Hugh Roberts wrote:
> > Tomcat 9.0.36
> > JDK 1.8.0_251
> >
> > We are trying to use Tomcat JDBCRealm to access user credentials stored
> in
> > Oracle DB. The user password is hashed with a SALT and stored in a table.
> >
> > *ISSUE:* We can authenticate using the BASIC auth-method while passing
> the
> > hashed string of the password but the DIGEST auth-method fails to create
> > the matching hash of the user password after configuring the realm-name
> > with the SALT and using the CredentialHandler
> > MessageDigestCredentialHandler.
> >
> > The user HASH password is created using Oracle DBMS_CRYPTO by taking the
> > SALT combined with the password to create a raw string that is then
> HASHED
> >
> > Using Tomcat DIGEST command, we can successfully create the user's
> matching
> > HASH on the command line as follows: *digest.bat -a SHA-1 -s 0
> >  SALTpassword*
> > *SALTpassword:86a0e40af8c1a0e970f9432bee75bcc886145440* (the other
> formats
> > for using the SALT do not produce a matching HASH -
> > UserName:Realm:Password) BUT we cannot authenticate when using the Tomcat
> > authentication form in the browser. The password hash is not matching. We
> > cannot tell how the form is using the SALT to hash the password to see
> > where the issue is.
> >
> > Can you tell us exactly how Tomcat authentication form uses the SALT
> > configured in the web.xml file to create the password hash. If it hashes
> > the SALT and password as one string or uses another method?
>
> That will never work with HTTP DIGEST authentication. As per the Realm
> HowTo:
>
> <quote>
> CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} {cleartext-password}
> ...
> If using digested passwords with DIGEST authentication, the cleartext
> used to generate the digest is different and the digest must use one
> iteration of the MD5 algorithm with no salt. In the examples above
> {cleartext-password} must be replaced with
> {username}:{realm}:{cleartext-password}.
> </quote>
>
> More details at
> http://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#Digested_Passwords
>
> Note: Using DIGEST authentication is a separate decision to storing
> password hashes in the authentication database although if you do choose
> to do both then DIGEST auth places strict requirements on how you store
> the hashed passwords.
>
> If you want hashed passwords in the database then you'll need to:
> - Use BASIC auth
> - Configure the CredentialHandler to match database (assuming this is
>   possible)
> - Require TLS for authentication
>
> Mark
>
>
> >
> >
> > server.xml
> > ...
> > <Realm className="org.apache.catalina.realm.JDBCRealm"
> > driverName="oracle.jdbc.driver.OracleDriver"
> > connectionURL="jdbc:oracle:thin:@x.x.x.x:1521/test"
> > connectionName="dev"
> > connectionPassword="dev1"
> > userTable="USERS" userNameCol="USERNAME" userCredCol="PASSWORD"
> > userRoleTable="USER_ROLES" roleNameCol="ROLES" >
> > <CredentialHandler
> > className="org.apache.catalina.realm.MessageDigestCredentialHandler"
> > algorithm="SHA-1" saltLength="0" iterations="1" />
> > </Realm>
> >
> > web.xml
> >  ...
> > <login-config>
> >     <auth-method>DIGEST</auth-method>
> >     <realm-name>SALT</realm-name>
> > </login-config>
> > ...
> >
> > Thanks.
> >
>
>

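Mark's point, that a salted SHA-1 column can never serve HTTP DIGEST auth while an MD5(username:realm:password) column can, shown as an added example (not code from this thread or from Tomcat). The username, password, nonce and cnonce values are constructed; the realm name "SALT" and the SHA-1-over-salt+password scheme are the ones from the original question.

```python
import hashlib

# Constructed sample values, not taken from the thread.
USERNAME = "alice"
REALM = "SALT"       # realm-name from web.xml: part of the HA1 input, not a salt
PASSWORD = "password"
DB_SALT = "SALT"     # salt prefix of the Oracle-side SHA-1 scheme


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """Value a DIGEST-capable credential store must hold per the Realm HowTo:
    one iteration of MD5 over username:realm:password, with no salt."""
    return md5_hex(f"{username}:{realm}:{password}")


def salted_sha1(salt: str, password: str) -> str:
    """The thread's existing scheme: SHA-1 over salt+password as one string
    (what the quoted 'digest -a SHA-1 -s 0 SALTpassword' call computes)."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def client_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. The browser derives HA1 from the
    cleartext password it has; the server must already hold the same HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_credential: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, response: str) -> bool:
    """The server never sees the password, so it can only recompute the
    response if the stored credential *is* HA1. Any other digest of the
    password (salted SHA-1 included) cannot be turned into HA1 here."""
    return client_response(stored_credential, method, uri, nonce, nc, cnonce) == response


def demo() -> dict:
    nonce, nc, cnonce = "constructed-nonce", "00000001", "constructed-cnonce"
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    response = client_response(ha1, "GET", "/app/", nonce, nc, cnonce)
    return {
        "md5_store_works": server_verifies(ha1, "GET", "/app/", nonce, nc, cnonce, response),
        "sha1_store_works": server_verifies(salted_sha1(DB_SALT, PASSWORD), "GET", "/app/",
                                            nonce, nc, cnonce, response),
    }
```

`demo()` returns `{"md5_store_works": True, "sha1_store_works": False}`, which is the mismatch the original question observed with the browser login.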