Thorsten,

On 11/16/22 02:36, Thorsten Schöning wrote:
> Good day Christopher Schultz,
> On Wednesday, 16 November 2022 at 04:17 you wrote:

>> You should double-check the definition of "compliant to CIS
>> benchmark spec" because there is no way in hell that HTTP DIGEST is
>> required.[...]

> The spec doesn't tell me exactly to use auth-method DIGEST, but their
> example configs and stuff use exactly that.

> $ grep -i <login-config>[.\n]*<auth-method>DIGEST</auth-method>[.\n]*<realm-name>
> UserDatabase</realm-name>[.\n]*</login-config>
> $CATALINA_HOME/webapps/manager/WEB-INF/web.xml

> And here it comes:
>
> If a Realm exists without a digest attribute or without a value for
> the digest attribute, this is a fail.

I see. This is a *super* old document, then. Because that suggests you can use MD5 which is not acceptable as a hashing algorithm in 2022.

> That sentence is for Tomcat 9, in which that attribute has already been
> removed as well, hasn't it? They don't even mention any credential
> handler possible in Tomcat at all, even though those are superior to using
> the digest attribute.

Agreed. Tomcat 9 should still support "digest" simply due to Tomcat 9's long history. I believe "digest" was only removed in Tomcat 10 or later.

> So this whole abstract seems broken in the CIS spec to me and I just
> needed to collect input on how to deal with that. OTOH, thinking about
> it again, the customer says they run automatic CIS checks using some app
> and that didn't complain about auth-method BASIC yet. So using that
> with PBKDF2WithHmacSHA512 seems to be fine, even more so.

I should hope that, with an explanation, you will be able to get an exemption for that rather outdated rule.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

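For reference, the two Realm styles the thread compares, side by side. This is an added example and not configuration posted by either participant or taken from the CIS document; it assumes the stock Tomcat 9 UserDatabaseRealm, a manager web app whose users hold the manager-gui role, and PBKDF2 parameters (100000 iterations, 16-byte salt, 256-bit key) chosen here for illustration.

```xml
<!-- ===== server.xml: Realm definitions ===== -->

<!-- Weak form, the one the CIS audit text asks for: the legacy "digest"
     attribute. It only selects a bare MessageDigest (MD5 here, as the CIS
     example implies), so the stored credential is unsalted and uniterated,
     and the attribute no longer exists in Tomcat 10. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"
       digest="MD5"/>

<!-- Preferred form: no "digest" attribute at all. A nested CredentialHandler
     does the hashing; parameter values are assumptions for this example. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                     algorithm="PBKDF2WithHmacSHA512"
                     iterations="100000"
                     keyLength="256"
                     saltLength="16"/>
</Realm>

<!-- ===== webapps/manager/WEB-INF/web.xml: authentication method ===== -->

<!-- DIGEST authentication requires the realm to reproduce
     MD5(username:realm:password), which a PBKDF2-hashed credential cannot
     provide, so BASIC is used. BASIC transmits the password itself and is
     therefore only acceptable behind TLS, which the CONFIDENTIAL
     transport-guarantee enforces. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (assumed pattern)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>UserDatabase</realm-name>
</login-config>
```

The password attribute in tomcat-users.xml must then hold the PBKDF2 output rather than plaintext or an MD5 hex string; Tomcat's own digest script produces it with the same parameters as the handler, e.g. `$CATALINA_HOME/bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler <password>`, and the resulting `salt$iterations$hash` value is what goes into the user entry. A quick self-check against the CIS rule as quoted in the thread: the preferred Realm above has no digest attribute and would be flagged by a literal reading of that audit step, which is exactly the exemption discussed.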