I did recheck using 9.0.82; unfortunately nothing has changed, CredentialHandler is still null.

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 30 October 2023 18:52
To: Tomcat Users List <users@tomcat.apache.org>; Усманов Азат Анварович <usma...@ieml.ru>
Subject: Re: Accessing Credential handler inside the web application always returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone! I'm trying to test CredentialHandler functionality on our
> test server (Tomcat 9.0.64) inside the web-app. Our realm is defined as
> follows (excerpt from server.xml):
>
>     <Realm className="org.apache.catalina.realm.DataSourceRealm"
>            dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD"
>            userNameCol="UserName" userRoleTable="educ.ad_UserRoles"
>            userTable="educ.ad_Users">
>       <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
>         <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>         <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                            algorithm="MD5" />
>       </CredentialHandler>
>     </Realm>
>
> Currently the PWD column, defined as Oracle RAW, only stores MD5 hashes; I was
> hoping to upgrade to PBKDF2 using Tomcat. So here is the relevant part of the
> basic login controller code (LoginCheckServlet):
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         ...
>         String userName = request.getParameter("j_username");
>         String password = request.getParameter("j_password");
>         HttpSession session = request.getSession();
>
>         UserRecord user = ... // load data from db
>         if (user.checkCorrectPassword(password, session.getServletContext())) {
>             CredentialHandler cr = Security.getCredentialHandler(getServletContext());
>             System.out.println(cr.mutate(password)); // hoping to see my password displayed as a PBKDF2 hash
>             .....
>         }
>
> Security.getCredentialHandler:
>
>     public static CredentialHandler getCredentialHandler(final ServletContext context) {
>         System.out.println("context" + context); // prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>         System.out.println("context vs" + context.getMajorVersion()); // prints 4
>         System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER)); // always prints ATRIB null
>         return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>     }

Your code and configuration look reasonable to me.

> So basically it always returns null when trying to access the
> CredentialHandler attribute inside the Security.getCredentialHandler
> method. Any idea why it might be the case?

Are you able to re-try with Tomcat 9.0.70 or later? There is a changelog[1] entry which may be important for you:

"Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)"

There was a problem specifically with the NestedCredentialHandler, I think, which was not working as expected. 9.0.70 includes a fix that should improve things for you.

-chris

[1] https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
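The thread describes the intended flow (read the Realm's CredentialHandler from the ServletContext, verify the password, then produce a PBKDF2 hash with mutate()) but shows only fragments, and the attribute lookup comes back null. The following is an added example, not code from the thread or from Tomcat itself, that completes that flow as an upgrade-on-login servlet: it reads Globals.CREDENTIAL_HANDLER, falls back to a locally built handler mirroring the server.xml in the thread when the attribute is absent, verifies with matches(), and re-hashes a legacy MD5 record with PBKDF2 on a successful login. The UserStore interface, the class and method names, and the "contains a '$' separator" heuristic for telling a Tomcat salted PBKDF2 record from a bare MD5 digest are assumptions made for the example.

```java
// Added example (not from the thread or Tomcat): upgrade-on-login using the
// Realm's CredentialHandler. UserStore, the class names and the needsUpgrade()
// heuristic are hypothetical; the Tomcat classes used are the ones in server.xml.
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;
import org.apache.catalina.realm.MessageDigestCredentialHandler;
import org.apache.catalina.realm.NestedCredentialHandler;
import org.apache.catalina.realm.SecretKeyCredentialHandler;

public abstract class UpgradeOnLoginServlet extends HttpServlet {

    /** Hypothetical persistence hook standing in for the thread's UserRecord / DB code. */
    public interface UserStore {
        String loadStoredHash(String userName);              // null when the user is unknown
        void saveStoredHash(String userName, String newHash);
    }

    /** Supplied by the concrete subclass (e.g. wired to the jdbc/IEML_DB DataSource). */
    protected abstract UserStore store();

    private volatile CredentialHandler handler;

    @Override
    public void init() throws ServletException {
        handler = realmHandler(getServletContext());
        if (handler == null) {
            // The situation from the thread: the attribute is null. Fall back to a handler
            // built from the same classes server.xml declares, so the hashes it writes
            // stay verifiable by the Realm once the attribute does get published.
            log("Globals.CREDENTIAL_HANDLER not set by the container; using local fallback");
            handler = fallbackHandler();
        }
    }

    /** The handler Tomcat publishes for the Realm, or null if the attribute is absent. */
    static CredentialHandler realmHandler(ServletContext ctx) {
        Object attr = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        return (attr instanceof CredentialHandler) ? (CredentialHandler) attr : null;
    }

    /** Mirrors the thread's server.xml: PBKDF2 (SecretKeyCredentialHandler defaults) first, legacy MD5 second. */
    static CredentialHandler fallbackHandler() throws ServletException {
        try {
            SecretKeyCredentialHandler pbkdf2 = new SecretKeyCredentialHandler();
            MessageDigestCredentialHandler md5 = new MessageDigestCredentialHandler();
            md5.setAlgorithm("MD5");
            NestedCredentialHandler nested = new NestedCredentialHandler();
            nested.addCredentialHandler(pbkdf2);
            nested.addCredentialHandler(md5);
            return nested;
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException("credential handler algorithm unavailable", e);
        }
    }

    /** Assumption: Tomcat's salted PBKDF2 records are "salt$iterations$hash"; a bare MD5 hex digest has no '$'. */
    static boolean needsUpgrade(String storedHash) {
        return storedHash.indexOf('$') < 0;
    }

    /** Verifies via the Realm's handler; on success, re-hashes a legacy MD5 record with PBKDF2. */
    boolean authenticateAndUpgrade(String userName, String password) {
        String stored = store().loadStoredHash(userName);
        if (stored == null || !handler.matches(password, stored)) {
            return false;
        }
        if (needsUpgrade(stored)) {
            // mutate() on a NestedCredentialHandler delegates to its first handler, i.e. PBKDF2 here.
            store().saveStoredHash(userName, handler.mutate(password));
        }
        return true;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // POST rather than GET so the password does not end up in access logs or browser history.
        String userName = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        if (userName == null || password == null || !authenticateAndUpgrade(userName, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession().setAttribute("user", userName);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The fallback only makes sense while it matches the Realm configuration exactly (same handler classes, same defaults); once the container publishes the attribute, as the 9.0.70 changelog entry describes, realmHandler() returns the real one and the fallback is never built. The new hash is written to the store rather than printed, and the MD5 record is replaced only after matches() has succeeded, so a failed login never touches the stored credential.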