Jon,

On 8/24/21 19:51, [email protected] wrote:
Chris,

-----Original Message-----
From: Christopher Schultz <[email protected]>
Sent: Tuesday, August 24, 2021 5:52 PM
To: [email protected]
Subject: Re: UserDatabaseRealm and DIGEST

Jon,

On 8/24/21 12:53, [email protected] wrote:
-----Original Message-----
From: Mark Thomas <[email protected]>
Sent: Tuesday, August 24, 2021 11:41 AM
To: [email protected]
Subject: Re: UserDatabaseRealm and DIGEST

On 24/08/2021 17:28, [email protected] wrote:
Ok, so I've been reading through the documentation on DIGEST but not
entirely sure I have it right. What is the best practice for DIGEST
and what algorithms are allowed, such as is sha-256 allowed?

First, a question of clarification.

Do you mean HTTP DIGEST authentication or do you mean storing
password hashes rather than the actual passwords in the
UserDatabaseRealm?

Mark
I mean the Password Hashes rather than the actual password for the
UserDatabaseRealm.

You can use any algorithm that Java's MessageDigest supports.

I would recommend against using "Digest" credential storage and instead use
something more secure such as PBKDF2, which Tomcat also supports.

You might find this informative:
https://tomcat.apache.org/presentations.html#latest-credential-security

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

In this case I am wanting to know the proper way to use DIGEST as we have some 
folks with vendor applications that use Tomcat that insist on using the 
UserDatabaseRealm. I agree that using LDAP or something other is the better way 
to go. We typically do NOT allow the use of the UserDatabaseRealm unless the 
passwords are hashed with DIGEST. I just want to make sure that when we check 
for compliance, we are approving the various means.

You can use any of those credential handlers with the UserDatabaseRealm. For example PBKDF2 is perfectly usable. You just need to get user passwords, run them through PBKDF2, and copy/paste them into tomcat-users.xml (or wherever you have them).

There is a "digest.sh" script that comes with your Tomcat distribution. Run it and you'll see the options. You can ask that to generate a stored-credential for any plaintext password you want to use, and it should work with a similarly-configured UserDatabaseRealm (and child CredentialHandler).

-chris
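A worked example of the procedure Chris describes, added here as an illustration (it is not code from the thread and not Tomcat's own code): it produces a stored credential in the `<salt-hex>$<iterations>$<hash-hex>` layout that Tomcat's `SecretKeyCredentialHandler` uses with `PBKDF2WithHmacSHA512`, verifies a password against it, and audits a constructed `tomcat-users.xml` so a compliance check can flag accounts that still carry plaintext. The stored-credential layout, the parameter values, the sample users and the `classify_credential` heuristic are assumptions of this example, not something the thread states.

```python
"""Generate, verify and audit Tomcat-style stored credentials (example code).

Assumed stored form (Tomcat's DigestCredentialHandlerBase convention):
    <salt-hex>$<iterations>$<hash-hex>
with the hash produced by PBKDF2WithHmacSHA512, as SecretKeyCredentialHandler does.
"""
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET

# Parameters assumed to match the <CredentialHandler> in server.xml
# (digest.sh -i / -s / -k take the same three values).
ITERATIONS = 100_000   # PBKDF2 iteration count
SALT_LENGTH = 16       # salt length in bytes
KEY_LENGTH = 256       # derived key length in bits

STORED_RE = re.compile(r"^([0-9a-fA-F]*)\$(\d+)\$([0-9a-fA-F]+)$")


def generate_stored_credential(password, iterations=ITERATIONS,
                               salt_len=SALT_LENGTH, key_len=KEY_LENGTH, salt=None):
    """Return salt$iterations$hash for tomcat-users.xml. A fixed salt is only for tests."""
    salt = os.urandom(salt_len) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=key_len // 8)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify(stored, password):
    """Recompute PBKDF2 from the stored salt/iterations and compare in constant time."""
    m = STORED_RE.match(stored)
    if not m:
        return False
    salt = bytes.fromhex(m.group(1))
    iterations = int(m.group(2))
    expected = bytes.fromhex(m.group(3))
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def classify_credential(value):
    """Heuristic label for a compliance review (an assumption of this example).

    salt$iterations$hash cannot tell PBKDF2 from a salted MessageDigest without
    the realm config, so both come back as "salted-iterated"; a bare hex string
    of digest length is treated as an unsalted digest, anything else as plaintext.
    """
    if STORED_RE.match(value):
        return "salted-iterated"
    if value.startswith("{SHA}") or value.startswith("{SSHA}"):
        return "ldap-style-digest"
    if re.fullmatch(r"[0-9a-fA-F]{32,128}", value):
        return "unsalted-digest"
    return "plaintext"


def audit_tomcat_users(xml_text):
    """Return [(username, classification)] for every <user> in a tomcat-users.xml."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":   # strip the tomcat.apache.org/xml namespace
            continue
        name = el.get("username") or el.get("name")
        findings.append((name, classify_credential(el.get("password", ""))))
    return findings


# Constructed sample: one account still holding plaintext, one already migrated.
SAMPLE_TOMCAT_USERS = f"""<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="vendorapp" password="changeit" roles="manager-gui"/>
  <user username="ops" password="{generate_stored_credential('correct horse', salt=bytes(16))}"
        roles="manager-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, kind in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {kind}")
```

The same stored form is what `digest.sh` emits when run with `-h org.apache.catalina.realm.SecretKeyCredentialHandler -a PBKDF2WithHmacSHA512` and matching `-i`, `-s` and `-k` values (run the script without arguments to see the flags your version accepts); the `<Realm>` then needs a nested `<CredentialHandler>` configured with the same algorithm, iterations, saltLength and keyLength, or logins will fail even though the hash is present.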

