Thorsten,
On 11/16/22 03:20, Thorsten Schöning wrote:
Guten Tag Christopher Schultz,
am Mittwoch, 16. November 2022 um 04:50 schrieben Sie:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
<CredentialHandler
className="org.apache.catalina.realm.SecretKeyCredentialHandler"
algorithm="PBKDF2WithHmacSHA512"
iterations="100000"
keyLength="256"
saltLength="16"
</Realm>
That worked right from the start, I had a DIGEST in tomcat-users.xml
and was able to login with plain-text password provided to the
browser.
The use of the word "digest" is overloaded, particularly for this
discussion. Please try to use "HTTP DIGEST" when you mean the
on-the-wire authentication protocol and "hashed credential" when you
mean the stuff you drop into an authentication database. It will make
things a lot easier to understand for all parties involved.
<Realm className="org.apache.catalina.realm.LockOutRealm">
...
</Realm>
Adding that didn't work, I was only able to login with providing the
DIGEST of tomcat-users.xml as password to the browser, which actually
made it a plain-text password at the server. The following fit as well
to what I recognized:
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm
BUT: I gave things an additional try now and especially after the
discussion about auth-method BASIC vs. DIGEST and login DOES work now!
So both the UserDatabase realm and the LockOutRealm as I suggested above
are now working as expected?
I most likely not only added LockOutRealm at some point, but switched
from BASIC auth to DIGEST as well, because I've read that in the CIS
spec I worked with. That combination can't work and at some point I
most likely became frustrated and changed DIGEST back to BASIC, while
having changed other aspects of the realms already or might have
simply forgotten to change passwords vs. digests in tomcat-users.xml
or whatever.
So, I guess the reason for the warnign about an ignored credential
helper in LockOutRealm simply is because it doesn't handle credentials
at all? And as LockOutRealm forwards actual login to its children
THEIR assigned credential handlers are properly taken into account?
Yes, no CombinedRealm ever uses its configured CredentialHandler, which
is why the warning is shown.
There is a very specific case in which you WANT to configure a
CredentialHandler for a CombinedRealm, and that's when your application
is using the CredentialHandler directy for certain things. That doesn't
seem to be your use-case, so I won't detail that, here. If you re-visit
the SO question you posted yesterday, you'll see that I posted an Answer
which describes that a little more.
So whatever the SO-guy sees, might have a different root cause, as it
was the case for me.
Thanks for triggering me to try again! Might have been to late already
at Monday as well. :-)
I'm glad it's working.
After reading Rémy's initial response, I was thinking that something
needed to be done, but there is no problem IMO. If you need a
CredentialHandler in your application, you can still use LockOutRealm
(or any other CombinedRealm); you just have to specify a
CredentialHandler to use on that outer Realm and all is well.
And you have to ignore that warning.