Азат,
On 10/29/23 20:45, Усманов Азат Анварович wrote:
Hi everyone! I'm trying to test CredentialHandler functionality on our test
server (Tomcat 9.0.64) inside the web-app.
Our realm is defined as follows (excerpt from server.xml):
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName"
       userCredCol="PWD" userNameCol="UserName"
       userRoleTable="educ.ad_UserRoles" userTable="educ.ad_Users">
  <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="MD5" />
  </CredentialHandler>
</Realm>
Currently the pwd column, defined as Oracle (RAW), only stores MD5 hashes. I was
hoping to upgrade to PBKDF2 using Tomcat, so here is the relevant part of the basic
login controller code (LoginCheckServlet):
LoginCheckServlet
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    ...
    String userName = request.getParameter("j_username");
    String password = request.getParameter("j_password");
    HttpSession session = request.getSession();
    UserRecord user = ... // load data from db
    if (user.checkCorrectPassword(password, session.getServletContext())) {
        CredentialHandler cr = Security.getCredentialHandler(getServletContext());
        // hoping to see my password displayed as pbkdf2 hash
        System.out.println(cr.mutate(password));
        .....
    }
Security.getCredentialHandler
public static CredentialHandler getCredentialHandler(final ServletContext context) {
    // prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
    System.out.println("context" + context);
    // prints 4
    System.out.println("context vs" + context.getMajorVersion());
    // always prints ATRIB null
    System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER));
    return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
}
Your code and configuration look reasonable to me.
So basically it always returns null when trying to access the
CredentialHandler attribute inside the Security.getCredentialHandler
method. Any idea why that might be the case?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:
"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"
There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
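
One way to do the MD5-to-PBKDF2 upgrade discussed in this thread once the servlet-context attribute is populated, as an added example (not code from either poster or from Tomcat). `CredentialUpgrade`, `upgradedCredential` and `isLegacyMd5` are hypothetical names, and it assumes the stored credential reaches the application as the same hex string the realm compares against.

```java
import javax.servlet.ServletContext;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;

/** Hypothetical helper: rehash a legacy MD5 credential after a successful login. */
public final class CredentialUpgrade {

    private CredentialUpgrade() {}

    /** An unsalted, single-iteration MD5 digest is stored as 32 hex characters. */
    static boolean isLegacyMd5(String stored) {
        return stored != null && stored.matches("(?i)[0-9a-f]{32}");
    }

    /**
     * Returns the credential to store after a login attempt, or null when the
     * stored value must be left alone (wrong password, handler unavailable,
     * or value already migrated).
     */
    public static String upgradedCredential(ServletContext context,
                                            String password, String stored) {
        Object attr = context.getAttribute(Globals.CREDENTIAL_HANDLER);
        if (!(attr instanceof CredentialHandler)) {
            // The situation reported in this thread: fail closed, do not rehash.
            context.log("No CredentialHandler in servlet context; skipping rehash");
            return null;
        }
        CredentialHandler handler = (CredentialHandler) attr;
        // NestedCredentialHandler.matches() tries each nested handler in turn,
        // so both legacy MD5 values and new PBKDF2 values verify.
        if (!handler.matches(password, stored) || !isLegacyMd5(stored)) {
            return null;
        }
        // NestedCredentialHandler.mutate() delegates to the first nested
        // handler, which in the realm above is SecretKeyCredentialHandler.
        return handler.mutate(password);
    }
}
```

The value returned by `mutate()` for a salted handler has the form `salt$iterations$hash`, so it is not a pure hex string; the credential column has to be able to hold it before the new value is written back.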