Sorry, you are correct. There is no way to use PBKDF2WithHmacSHA512 in a Realm along with HTTP DIGEST auth.

If you want to use HTTP DIGEST auth and digested passwords on the server you have to use, quoting the Tomcat docs, "one iteration of the MD5 algorithm with no salt".

RFC 7616 has added SHA2-256 and SHA2-512/256 to DIGEST auth. That is an improvement but still not great. Tomcat has not been updated to support those. Neither has any major browser. I suspect they never will.

Assuming digesting passwords with one round of MD5 and no salt isn't acceptable (I'd be surprised if it was) then you are probably looking at HTTPS + BASIC + PBKDF2WithHmacSHA512.

There are a few other options but they come with significant caveats:

- If all the users are Windows domain users then SPNEGO is an
  alternative.

- HTTPS + CLIENT_CERT is also an option but the management overhead of
  issuing clients with certificates is significant.

- It is possible to integrate OAuth2 via JASPIC. There is a library to
  do that for Google. There may be libraries for other providers.

Beyond that you would need to start looking at a 3rd party security library.

Mark
On 15/11/2022 18:23, Thorsten Schöning wrote:
Good day Mark Thomas,
on Tuesday, 15 November 2022 at 18:36, you wrote:

Please go and read my email - and the links I provided - again.

I did, so feel free to tell me how I tell my browser to use my
plain-text password as PBKDF2WithHmacSHA512 digest with 100000
iterations, a key length of 256 bits and a salt of 16 bytes. Because
my browser's dialog asking for username and password doesn't allow me
to put any of these options in.

Are you sure you have understood that I already know how to store a
digest with those settings in tomcat-users.xml? That wasn't the
question. The question was this aspect from your own link:

When the authenticate() method of the Realm is called, the
(cleartext) password specified by the user is itself digested by the
same algorithm[...]

There is no cleartext password from the user from the browser if
"<auth-method>DIGEST</auth-method>" is used. The cleartext password
needs to be available in tomcat-users.xml, but isn't when using
PBKDF2WithHmacSHA512.

Kind regards

Thorsten Schöning


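As an added illustration of the point made in this exchange (example code, not from the thread or from Tomcat), the following Python walks through both halves of an RFC 2617 Digest exchange next to a PBKDF2 password record: the browser derives HA1 = MD5(user:realm:password) from the cleartext it holds, so the Realm can only verify the response if it already stores that unsalted MD5 value, whereas BASIC over HTTPS hands the server the cleartext and lets it re-derive a salted, iterated PBKDF2 hash. The user, realm, password, salt and nonce are constructed values.

```python
"""Digest auth needs the server to hold MD5(user:realm:password); a
PBKDF2WithHmacSHA512-style record cannot satisfy it. Sample values are
constructed for this example."""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What Tomcat must store for DIGEST: one MD5 round, no salt,
    # bound to user and realm (RFC 2617 section 3.2.2.2).
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h_a1}:{nonce}:{h_a2}")


def client_digest(username, realm, password, method, uri, nonce):
    # The browser only has the cleartext password and derives HA1 itself;
    # iteration count, salt and key length cannot be fed into this step.
    return digest_response(ha1(username, realm, password), method, uri, nonce)


def server_verify_digest(stored_ha1, method, uri, nonce, response) -> bool:
    # The Realm never receives the cleartext, so it needs HA1 on disk.
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def pbkdf2_store(password: str, salt: bytes, iterations=100000, dklen=32) -> str:
    # PBKDF2WithHmacSHA512-style record (salt$iterations$key) for BASIC + HTTPS.
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def server_verify_basic(record: str, password: str) -> bool:
    # BASIC delivers the cleartext (inside TLS); the server re-derives the key.
    salt_hex, iters, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters), len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Running `server_verify_digest` against a PBKDF2 record always fails, because nothing in that record is HA1; the only Digest-compatible store is the unsalted MD5 value itself.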
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org