Roberto,

On 2/20/21 12:05, Roberto Simoni wrote:
Thanks Christopher. It works.
I thought I had already changed to BASIC... did you understand that I was
using DIGEST by looking into those logs?

Yes. Specifically, this part:

> 19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.authenticate Digest : 3038dd372061bee3cfa5e1a510bea637 Username:usr ClientDigest:3038dd372061bee3cfa5e1a510bea637 nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002 cnonce:c5513c3d36b6b643 qop:auth realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server digest:a66b50234577cb13076d3a117102c955

It mentions a number of HTTP-Digest things:

- nonce
- realm
- client digest
- digest

-chris

Anyway, yes, I do not want to use MD5, but I was just testing the whole
login. But thanks for the suggestion.
Cheers
   R


On Sat 20 Feb 2021 at 15:53 Christopher Schultz <
ch...@christopherschultz.net> wrote:

Roberto,

Welcome to the Tomcat users list! (See below...)

On 2/19/21 17:14, Roberto Simoni wrote:
Hi, I'm trying to configure digested passwords in an application. Just as
an example I was trying with MD5.
First of all:
    * OS: CentOS Linux 7 (Core)
    * Tomcat full version: 9.0.43

Thanks for that.

I configured the Host in this way:

<Host name="tradx.sixro.io" debug="0" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
    <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
             crossContext="false" reloadable="true">

You don't want your <Context> defined here.

http://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Defining_a_context

        <Resource name="jdbc/mydb" auth="Container"
                  type="javax.sql.DataSource"
                  maxTotal="10" maxIdle="5" maxWaitMillis="5000"
                  username="myusr" password="mypwd"
                  driverClassName="org.mariadb.jdbc.Driver"
                  url="jdbc:mariadb://localhost:3306/mydb"/>

        <Realm resourceName="DbRealm"
               className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/mydb" localDataSource="true"
               userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
               userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME"
               debug="99">
            <CredentialHandler
                className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                algorithm="MD5"/>

Note that MD5 is super, super sucky.

        </Realm>

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="/home/sixroio/sixro.io/tomcat/logs"
               prefix="tradx.sixro.io_log." suffix=".txt"
               pattern="common" resolveHosts="false"/>
    </Context>
</Host>

The authentication fails. For testing purposes I created a username usr
with password 1, whose MD5 is c4ca4238a0b923820dcc509a6f75849b

Enabling detailed logging I found these rows:
19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /
19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.authenticate Digest : 3038dd372061bee3cfa5e1a510bea637 Username:usr ClientDigest:3038dd372061bee3cfa5e1a510bea637 nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002 cnonce:c5513c3d36b6b643 qop:auth realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server digest:a66b50234577cb13076d3a117102c955
19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

You are using HTTP-Digest authentication which is not what you have
configured for your CredentialHandler.

There is some confusing naming, here. Java has a class called
MessageDigest which takes bytes and produces signatures. In the
industry, it's sometimes now called "digesting" which is IMO confusing
and wrong. It would be better to call it "hashing" because it doesn't
conflict with other uses of that word.

HTTP-Digest is an authentication system which does some hand-wavy
magic[1] to hide your password from going over the network if you are
using unencrypted channels. This was great back in 1995 but it's a bad
system IMO because the server needs to have your cleartext password in
order to perform authentication. There are ways to store "not the
cleartext" on the server-side, but they are even more awkward.

I would recommend:

1. Use TLS for security
2. Use HTTP Basic authentication for simplicity
3. Don't use MD5 :)

You can't securely use #2 without #1.

To change from HTTP-Digest to HTTP-Basic, just change your web.xml:

<login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>file</realm-name>
</login-config>

You are still using "digested"/"hashed" passwords on the server-side, so
don't worry about that.

Might I suggest that you consider using a better hashing algorithm than
MD5? Something like SHA512 with salt and iterations? Or, maybe PBKDF2 or
bcrypt?

I'd recommend reading this:
https://tomcat.apache.org/presentations.html#latest-credential-security

Hope that helps,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
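As an added illustration of the point made in the reply above (it is not code from either message in this thread, nor from Tomcat), the following Python walks both server-side checks the reply contrasts: the HTTP Digest verification from RFC 2617, which only works if the server holds HA1 = MD5(username:realm:password) or the cleartext, and a salted, iterated hash check of the kind a server can perform when the password itself arrives over HTTP Basic inside TLS. All nonce, cnonce and salt values are constructed, not the ones from the log; the "salt$iterations$hash" storage layout is assumed to mirror the one documented for Tomcat's MessageDigestCredentialHandler, while the hashing itself is PBKDF2-HMAC-SHA512 chosen here and is not byte-compatible with Tomcat's handler. The only value taken from the thread is MD5("1").

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def md5_hex(data: str) -> str:
    """Hex MD5 of a string; used only because RFC 2617 Digest (algorithm=MD5) requires it."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# ---- HTTP Digest, RFC 2617, algorithm=MD5, qop=auth ------------------------

def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the per-user secret Digest needs on both sides."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response=' value a browser sends in its Authorization: Digest header."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                         nc: str, cnonce: str, client_response: str) -> bool:
    """Server side of Digest: recompute from the stored HA1 and compare in constant time.
    The server must hold HA1 or the cleartext; a salted, iterated hash cannot be used here,
    so HA1 has to be protected as carefully as the password itself."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


# ---- Salted, iterated hash, usable behind HTTP Basic over TLS ----------------

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Return 'saltHex$iterations$digestHex'.  The layout is assumed to mirror the one
    Tomcat's MessageDigestCredentialHandler documents (see lead-in); the hashing is
    PBKDF2-HMAC-SHA512 chosen for this example and is not byte-compatible with Tomcat."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Basic over TLS hands the server the password itself, so it can recompute
    the slow salted hash and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def basic_credentials(authorization_header: str) -> Tuple[str, str]:
    """Decode an 'Authorization: Basic <base64>' value; the credentials are only
    encoded, not protected, which is why Basic needs TLS underneath it."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def demo() -> dict:
    """Walk both checks with constructed values (not the nonce/digests from the thread's log)."""
    user, realm, password = "usr", "DbRealm", "1"
    method, uri = "GET", "/index.jsp"
    nonce, nc, cnonce = "1613771311042:0123456789abcdef", "00000001", "0a1b2c3d4e5f6071"

    # Digest: the client derives the response from the password; the server can only
    # recompute it from a stored HA1 (or cleartext).
    ha1 = digest_ha1(user, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    wrong_ha1 = digest_ha1(user, realm, "2")

    # Basic over TLS: the server stores only a salted, iterated hash.  Fixed salt and a
    # small iteration count here keep the demo deterministic and fast.
    stored = hash_password(password, salt=bytes(16), iterations=1000)

    return {
        "digest_ok": server_verify_digest(ha1, method, uri, nonce, nc, cnonce, response),
        "digest_wrong_password": server_verify_digest(wrong_ha1, method, uri, nonce, nc, cnonce, response),
        "basic_ok": verify_password(stored, "1"),
        "basic_wrong_password": verify_password(stored, "2"),
        "stored_credential_has_salt": stored.split("$")[0] != "",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the asymmetry the reply describes: the Digest verifier succeeds only when the server holds the correct HA1, whereas the Basic path verifies against a credential that contains a salt and an iteration count, so a stolen credential table is far less useful than a stolen HA1 table.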



