Thorsten,

On 11/16/22 02:28, Thorsten Schöning wrote:
> Good day Christopher Schultz,
> on Wednesday, 16 November 2022 at 04:00 you wrote:
>
>> Thorsten, what makes you say "it doesn't work" and "LockoutRealm
>> ignores any credential handler"? When you say "it doesn't work"...
>> what DOES it do?
>
> IGNORES because it logs a corresponding warning on explicitly
> configured credential handlers for the LockOutRealm itself and uses a
> hard-coded default handler, which only allows plain-text passwords in
> tomcat-users.xml.

Does it ignore it? Reading the code suggests that it does not ignore it.

> Or to be more specific, whatever is input into
> tomcat-users.xml is simply used as plain-text password, so adding a
> digest based on PBKDF2WithHmacSHA512 won't let you login with the real
> plain-text provided to the browser by the user. But it allows login
> when providing the digest as plain-text password.

So if you copy/paste the junk that's shown in tomcat-users.xml as the user's "password" (really the PBKDF2 algorithm's output) when challenged by the browser, it lets you in?

The code for LockOutRealm and CombinedRealm doesn't look like it works that way. Are you sure you have your Tomcat configured the way you think you do?

> If credential handlers are configured for child realms, those are
> simply ignored as well, even without any warning this time. Which
> makes it additionally difficult to debug this whole setup.

I think we might need to see a super-simple setup of this, because your description of experience does not match the way that the code is written, nor the way in which it's intended to work.

Can you prepare a configuration for the "examples" web application which demonstrates what you are saying, here, and post it somewhere we can find it?

-chris
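A minimal configuration of the kind Chris asks for, added here as an illustration and not posted by either participant: it places the CredentialHandler on the nested UserDatabaseRealm rather than on the LockOutRealm wrapper, assumes the stock Tomcat file layout, an assumed role name "app-user", and a placeholder for the digest.sh output.

```xml
<!-- conf/server.xml, inside <Engine>. LockOutRealm only counts failures
     and locks accounts; the nested realm does the password check, so the
     CredentialHandler is declared on the nested realm. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <!-- Parameters must match those used when the digest was generated -->
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000"
        keyLength="256"
        saltLength="16"/>
  </Realm>
</Realm>

<!-- Generate the stored value with the bundled tool (same parameters):
     bin/digest.sh -a PBKDF2WithHmacSHA512 \
        -h org.apache.catalina.realm.SecretKeyCredentialHandler \
        -i 100000 -k 256 -s 16 'the-plain-text-password'
     It prints  the-plain-text-password:<salt>$100000$<hex>  and only the
     part after the colon goes into tomcat-users.xml. -->

<!-- conf/tomcat-users.xml: the password attribute holds the digest, never
     the plain-text; "app-user" is an assumed role name for this example. -->
<tomcat-users>
  <role rolename="app-user"/>
  <user username="tester"
        password="PLACEHOLDER_SALT_HEX$100000$PLACEHOLDER_DIGEST_HEX"
        roles="app-user"/>
</tomcat-users>
```

With this layout a login with the plain-text password should succeed and a login with the digest string itself should fail; if the observed behaviour is the reverse, the handler is not being applied to the realm that reads tomcat-users.xml.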
