Thank you Chris! Dream * Excel * Explore * Inspire Jon McAlexander Infrastructure Engineer Asst Vice President
Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Thursday, August 26, 2021 1:49 PM > To: users@tomcat.apache.org > Subject: Re: UserDatabaseRealm and DIGEST > > Jon, > > On 8/24/21 19:51, jonmcalexan...@wellsfargo.com.INVALID wrote: > > Chris, > > > >> -----Original Message----- > >> From: Christopher Schultz <ch...@christopherschultz.net> > >> Sent: Tuesday, August 24, 2021 5:52 PM > >> To: users@tomcat.apache.org > >> Subject: Re: UserDatabaseRealm and DIGEST > >> > >> Jon, > >> > >> On 8/24/21 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>>> -----Original Message----- > >>>> From: Mark Thomas <ma...@apache.org> > >>>> Sent: Tuesday, August 24, 2021 11:41 AM > >>>> To: users@tomcat.apache.org > >>>> Subject: Re: UserDatabaseRealm and DIGEST > >>>> > >>>> On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>>>> Ok, so I've been reading thru the documentation on DIGEST but not > >>>> entirely sure I have it right. What is the best practice for DIGEST > >>>> and what algorithms are allowed, such as is sha-256 allowed? > >>>> > >>>> First, a question of clarification. > >>>> > >>>> Do you mean HTTP DIGEST authentication or do you mean storing > >>>> password hashes rather than the actual passwords in the > >> UserDatabaseRealm? > >>>> > >>>> Mark > > >>> I mean the Password Hashes rather than the actual password for the > >> UserDatabaseRealm. > >> > >> You can use any algorithm that Java's MessageDigest supports. > >> > >> I would recommend against using "Digest" credential storage and > >> instead use something more secure such as PBKDF2, which Tomcat also > supports. > >> > >> You might find this informative: > >> > https://urldefense.com/v3/__https://tomcat.apache.org/presentations.h > >> tm > >> l*latest-credential- > >> > security__;Iw!!F9svGWnIaVPGSwU!7c3eGMZdJEU_EmV4XmOqEiivhaDIfji3A > >> sGbXN4DAVlFM-pSfYgsX93DDHm6520mF1wBLNc$ > >> > >> -chris > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > > In this case I am wanting to know the proper way to use DIGEST as we have > some folks with vendor applications that Use Tomcat that insist on using the > UserDatabaseRealm. I agree that using LDAP or something other is the better > way to go. We typically do NOT allow the use of the UserDatabaseRealm > unless the passwords are hashed with DIGEST. I just want to make sure that > when we check for compliance, we are approving the various means. > > You can use any of those credential handlers with the UserDatabaseRealm. > For example PBKDF2 is perfectly usable. You just need to get user > passwords, run them through PBKDF2, and copy/paste them into tomcat- > users.xml (or wherever you have them). > > There is a "digest.sh" script that comes with your Tomcat distribution. > Run it and you'll see the options. You can ask that to generate a stored- > credential for any plaintext password you want to use, and it should work > with a similarly-configured UserDatabaseRealm (and child > CredentialHandler). > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org