I did recheck using 9.0.82; unfortunately nothing has changed, CredentialHandler
is still null.
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: October 30, 2023, 18:52
To: Tomcat Users List <users@tomcat.apache.org>; Усманов Азат Анварович <usma...@ieml.ru>
Subject: Re: Accessing Credential handler inside the web application always returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone! I'm trying to test CredentialHandler functionality on our
> test server (Tomcat 9.0.64) inside the web-app.
> Our realm is defined as follows (excerpt from server.xml):
>     <Realm className="org.apache.catalina.realm.DataSourceRealm"
>            dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD"
>            userNameCol="UserName" userRoleTable="educ.ad_UserRoles"
>            userTable="educ.ad_Users">
>       <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
>         <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>         <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                            algorithm="MD5" />
>       </CredentialHandler>
>     </Realm>
> Currently the pwd column, defined as Oracle (RAW), only stores MD5 hashes. I was
> hoping to upgrade to PBKDF2 using Tomcat, so here is the relevant part of the basic
> login controller code (LoginCheckServlet):
> LoginCheckServlet
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         ...
>         String userName = request.getParameter("j_username");
>         String password = request.getParameter("j_password");
>         HttpSession session = request.getSession();
>
>         UserRecord user = ... // load data from db
>         if (user.checkCorrectPassword(password, session.getServletContext())) {
>             CredentialHandler cr = Security.getCredentialHandler(getServletContext());
>             // hoping to see my password displayed as pbkdf2 hash
>             System.out.println(cr.mutate(password));
>
>         .....
>     }
>
> Security.getCredentialHandler
>
>     public static CredentialHandler getCredentialHandler(final ServletContext context) {
>         // prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>         System.out.println("context" + context);
>         // prints 4
>         System.out.println("context vs" + context.getMajorVersion());
>         // always prints ATRIB null
>         System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER));
>         return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>     }

Your code and configuration look reasonable to me.

> So basically it always returns null when trying to access the
> CredentialHandler attribute inside the Security.getCredentialHandler
> method. Any idea why that might be the case?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:

"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"

There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.

-chris


[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
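
Added example, not code from the thread or from the Tomcat project: one way to fetch the handler without dereferencing null and to rehash a legacy MD5 row after a successful login, using the same handler nesting as the server.xml excerpt. The class and method names and the sample hash are constructed for illustration; it assumes legacy rows hold a bare 32-hex-digit MD5 digest and that Tomcat 9's catalina.jar and servlet-api.jar are on the classpath.

```java
import java.security.NoSuchAlgorithmException;
import javax.servlet.ServletContext;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;
import org.apache.catalina.realm.MessageDigestCredentialHandler;
import org.apache.catalina.realm.NestedCredentialHandler;
import org.apache.catalina.realm.SecretKeyCredentialHandler;

// Added example: CredentialUpgrade and its methods are hypothetical names.
public final class CredentialUpgrade {

    // Fetch the handler Tomcat publishes to the web app and fail closed when
    // the attribute is missing (the symptom reported in the thread).
    public static CredentialHandler requireHandler(ServletContext ctx) {
        Object attr = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        if (!(attr instanceof CredentialHandler)) {
            throw new IllegalStateException("no CredentialHandler in ServletContext");
        }
        return (CredentialHandler) attr;
    }

    // Assumption: a legacy row is a bare 32-hex-digit MD5 digest.
    static boolean isLegacyMd5(String stored) {
        return stored != null && stored.matches("[0-9a-fA-F]{32}");
    }

    // Returns the value to store in place of a legacy hash, or null when the
    // password is wrong or the row is already in the new format.
    public static String upgraded(CredentialHandler h, String password, String stored) {
        if (!h.matches(password, stored) || !isLegacyMd5(stored)) {
            return null;
        }
        // NestedCredentialHandler passes mutate() to its first nested handler.
        return h.mutate(password);
    }

    // Offline check with the same handler nesting as the server.xml excerpt.
    public static void main(String[] args) throws NoSuchAlgorithmException {
        MessageDigestCredentialHandler md5 = new MessageDigestCredentialHandler();
        md5.setAlgorithm("MD5");
        NestedCredentialHandler nested = new NestedCredentialHandler();
        nested.addCredentialHandler(new SecretKeyCredentialHandler());
        nested.addCredentialHandler(md5);
        String legacy = "5f4dcc3b5aa765d61d8327deb882cf99"; // constructed: MD5("password")
        String fresh = upgraded(nested, "password", legacy);
        System.out.println(fresh != null && nested.matches("password", fresh));
        System.out.println(upgraded(nested, "wrong", legacy) == null);
    }
}
```

The value returned by upgraded() is meant to be written back to the credential column, not logged.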
