Hi everyone,

I have a webapp hosted by Tomcat and need to restrict user access to
some part of it. One additional requirement is that this app needs to
be CIS benchmark compliant, which requires not storing plain-text
passwords. So consider the following user database and credential
helper being used to store hashed passwords in "tomcat-users.xml".

>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase">
>     <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>                        algorithm="PBKDF2WithHmacSHA512"
>                        iterations="100000"
>                        keyLength="256"
>                        saltLength="16" />
>   </Realm>

And here's where things become interesting, because the CIS benchmark
PDF uses the DIGEST auth-method instead of the BASIC one I use.

> <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>interner Bereich</realm-name>
> </login-config>

From my understanding, the BASIC auth-method results in the browser
sending plain-text passwords to the server, which can then be
processed by some credential helper to compare the result to what is
stored in tomcat-users.xml. OTOH, when using DIGEST, the browser never
sends plain-text passwords but hashes them already, and those hashes
need to be compared by Tomcat. To be able to calculate the same hash,
AFAIK Tomcat needs the plain-text password itself as well. But because
of the DIGEST auth-method and the already hashed password in
tomcat-users.xml, it can't have access to the plain-text password.
That's the overall goal of using the credential helper in this case.

Additionally, from my understanding the DIGEST auth-method has nothing
to do with any digest config of any realm or credential helper. It
really distinguishes, on the HTTP level, how browser and Tomcat share
credentials.

So, is it even possible to use SecretKeyCredentialHandler and
auth-method DIGEST together, or am I required to use BASIC? If DIGEST
is supported, how do that and the credential helper work together
without the plain-text password being available at the server at all?

Of course there's TLS in place; it's really about following the CIS
benchmark as closely as possible for some customer requirements. But
some parts of that CIS benchmark don't make too much sense to me.

Thanks for your help!

Kind regards

Thorsten Schöning

-- 
AM-SoFT IT-Service - Bitstore Hameln GmbH
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-Mail: thorsten.schoen...@am-soft.de
Web:    http://www.AM-SoFT.de/

Tel:    +49 5151-  9468- 0
Tel:    +49 5151-  9468-55
Mobile: +49  178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH, Brandenburger Str. 7c, 31789 Hameln
Registered at Hannover District Court, HRB 221853 - Managing Director: Janine Galonska
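The exchange the question describes, as an added example that is not part of the original mail and not Tomcat's code: an independent Python reimplementation of BASIC verification against a PBKDF2-HMAC-SHA512 credential store and of DIGEST (RFC 2617, qop=auth) verification, run side by side. The "salt$iterations$hash" storage layout is an assumption modelled on what a salted PBKDF2 credential handler produces; the user name, password, request URI and nonces are constructed for the demo, and the realm string is taken from the quoted login-config.

```python
# Added example (not from the original mail, not Tomcat code): shows why a
# PBKDF2-hashed credential can be checked under BASIC but not under DIGEST.
# The "salt$iterations$hash" layout is an assumption modelled on a salted
# PBKDF2 credential handler; nonces and user data below are constructed.
import base64
import hashlib
import hmac
import os

REALM = "interner Bereich"   # realm-name from the quoted login-config
ITERATIONS = 100_000         # iterations="100000"
KEY_LENGTH_BYTES = 32        # keyLength="256" bits
SALT_LENGTH = 16             # saltLength="16"


def pbkdf2_store(password, salt=None):
    """Hash a plain-text password the way a PBKDF2 credential handler would."""
    salt = os.urandom(SALT_LENGTH) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                             ITERATIONS, KEY_LENGTH_BYTES)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute PBKDF2 from the stored salt/iterations, compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters), len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def basic_header(user, password):
    """What the browser sends for BASIC: base64 of 'user:password', not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(header, user_db):
    """Server side of BASIC: the plain-text password arrives, so PBKDF2 can be rerun."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, password = base64.b64decode(token).decode().partition(":")
    stored = user_db.get(user)
    return stored is not None and pbkdf2_verify(password, stored)


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, password):
    """HA1 = MD5(user:realm:password): the only password-derived value DIGEST uses."""
    return _md5(f"{user}:{REALM}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of DIGEST: the password never leaves the browser, only this MD5."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(user, response, method, uri, nonce, nc, cnonce, ha1_db):
    """Server side of DIGEST: needs HA1 (or the plain-text password) for the user."""
    ha1 = ha1_db.get(user)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    """Run both exchanges against the two kinds of credential store."""
    user, password = "alice", "correct horse"                  # constructed
    pbkdf2_db = {user: pbkdf2_store(password)}                  # salted PBKDF2 store
    ha1_db = {user: digest_ha1(user, password)}                 # what DIGEST needs stored
    nonce, nc, cnonce = "constructed-server-nonce", "00000001", "constructed-client-nonce"
    resp = digest_response(digest_ha1(user, password), "GET", "/intern/", nonce, nc, cnonce)
    return {
        "basic_ok": verify_basic(basic_header(user, password), pbkdf2_db),
        "basic_wrong_pw": verify_basic(basic_header(user, "wrong"), pbkdf2_db),
        "digest_ok": verify_digest(user, resp, "GET", "/intern/", nonce, nc, cnonce, ha1_db),
        # A salted PBKDF2 hash cannot stand in for HA1: the server has no way to
        # derive MD5(user:realm:password) from it, so verification always fails.
        "digest_with_pbkdf2_store": verify_digest(user, resp, "GET", "/intern/",
                                                  nonce, nc, cnonce, pbkdf2_db),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last entry of `demo()` is the point of the question: a DIGEST verifier can only work from HA1 (or from the plain-text password it can compute HA1 from), and HA1 is an unsalted MD5 that the server has to keep as-is, whereas the PBKDF2 store only ever lets the server re-run the derivation on a password it has received in the clear.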