Thorsten,

On 11/15/22 15:29, Thorsten Schöning wrote:
> Good day Mark Thomas,
> on Tuesday, 15 November 2022 at 20:44 you wrote:
>
>> Assuming digesting passwords with one round of MD5 and no salt
>> isn't acceptable (I'd be surprised if it was) then you are probably
>> looking at HTTPS + BASIC + PBKDF2WithHmacSHA512.
>
> Thanks for that clarification, it's exactly what I expected. My major
> problem is that I have the IT sec of some customer requiring that
> Tomcat is configured compliant with the CIS benchmark spec.

You should double-check the definition of "compliant to CIS benchmark spec" because there is no way in hell that HTTP DIGEST is required. It's a 100% broken standard that has been fixed by RFC 7616 but, as Mark says, that RFC has been completely ignored by the world because TLS+HTTP BASIC does just fine.

The reason it's broken is because it essentially requires that the server store passwords in plaintext, or at least have access to them in that form some way or another. Industry standards have progressed since 1993 and now everybody knows that storing recoverable passwords on the server-side is completely forbidden.

Thus it's not possible to implement HTTP DIGEST in a way that is compliant with any current standard.

> One requirement is to not have cleartext passwords in
> tomcat-users.xml, which is possible with your suggestion. But at the
> same time the config examples of that spec use auth-method DIGEST and, as
> we both seem to agree, that doesn't make too much sense. Other parts
> of the spec don't make sense in this special aspect either and simply
> seem outdated and copied over from VERY old Tomcats.
>
> So, my approach will most likely be to use HTTPS + BASIC + PBKDF2WithHmacSHA512
> and simply tell IT sec that the CIS benchmark stuff doesn't
> work in that aspect and PBKDF2WithHmacSHA512 is superior. The used app
> does plain-text auth on its own as well and they need to trust HTTPS
> anyway, so no real problem, besides that vood spec.

I think it's perfectly reasonable for you to challenge the (implied? requested? required?) use of HTTP DIGEST.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
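Added example (editor's code, not from this thread and not Tomcat's own): a small Python script that produces the salted PBKDF2WithHmacSHA512 entries discussed above for tomcat-users.xml and verifies them the way the realm does. It assumes Tomcat's SecretKeyCredentialHandler stores a credential as "<hex salt>$<iterations>$<hex derived key>" (with defaults of 20000 iterations, a 16-byte salt and a 160-bit key when nothing is configured) and that "PBKDF2WithHmacSHA512" is plain PBKDF2 over HMAC-SHA-512 with the password encoded as UTF-8, so hashlib.pbkdf2_hmac yields the same bytes. The iteration count, salt size and key length below are this example's choices, not Tomcat's defaults; check all of this against the CredentialHandler documentation of the Tomcat version you deploy.

```python
"""Generate and verify Tomcat SecretKeyCredentialHandler-style PBKDF2 credentials.

Editor's example, not code from the thread or from Tomcat. Assumed stored format:
"<hex salt>$<iterations>$<hex derived key>", password encoded as UTF-8, PBKDF2 with
the named HMAC. Verify against your Tomcat version before relying on it.
"""
import hashlib
import hmac
import os
from xml.sax.saxutils import quoteattr

# Parameters chosen for this example (stronger than the assumed Tomcat defaults of
# 20000 iterations / 160-bit key). "sha512" corresponds to PBKDF2WithHmacSHA512.
ALGORITHM = "sha512"
ITERATIONS = 100_000
SALT_LENGTH = 16          # bytes; Tomcat's saltLength attribute
KEY_LENGTH_BITS = 256     # Tomcat's keyLength attribute is in bits


def make_credential(password, salt=None, iterations=ITERATIONS,
                    key_length_bits=KEY_LENGTH_BITS):
    """Return the string that goes into the password="" attribute of a <user/>."""
    if salt is None:
        salt = os.urandom(SALT_LENGTH)   # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=key_length_bits // 8)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def matches(password, stored):
    """Mirror of the handler's matches(): salt, iteration count and key length are
    all read back from the stored value, re-derived and compared. Anything that
    does not parse as a credential never matches."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False
    try:
        salt = bytes.fromhex(parts[0])
        iterations = int(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False
    if iterations < 1 or not expected:
        return False
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    # Constant-time comparison of the raw bytes (Tomcat compares hex strings
    # case-insensitively; the result is the same for well-formed input).
    return hmac.compare_digest(dk, expected)


def user_entry(username, password, roles):
    """Build a <user .../> line for tomcat-users.xml with a hashed password."""
    return (f'<user username={quoteattr(username)} '
            f'password={quoteattr(make_credential(password))} '
            f'roles={quoteattr(",".join(roles))}/>')


if __name__ == "__main__":
    # Constructed sample input; paste the printed line into tomcat-users.xml.
    print(user_entry("admin", "correct horse battery staple", ["manager-gui"]))
```

For the realm to accept such entries it needs a nested CredentialHandler with the matching algorithm, e.g. `<CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler" algorithm="PBKDF2WithHmacSHA512" iterations="100000" keyLength="256" saltLength="16"/>` inside the `<Realm>`; the algorithm must match, while iterations and key length are recovered from the stored value during verification and only govern how new passwords are digested. Tomcat's own `bin/digest.sh` does the same job (on recent versions roughly `digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler <password>`; check its usage text), which is the better choice for production since it guarantees the exact format your Tomcat expects. Note that this only removes recoverable passwords from the server; it does nothing for the wire, which is why the thread pairs it with HTTPS.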
