Hi everyone! CredentialHandler became non-null as soon as I transferred the Realm
definition from server.xml to context.xml (after checking the source code). I've
been able to see the new PBKDF2 version of the given clear-text password even
with the old 9.0.64 version. I was wondering: is the necessity to have the Realm
defined inside context.xml for accessing the CredentialHandler a design decision
or a possible bug in Tomcat itself? It wasn't mentioned in the Tomcat
documentation. Perhaps it should be added to the docs.
________________________________
From: Усманов Азат Анварович <usma...@ieml.ru>
Sent: 30 October 2023 20:25
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: RE: Accessing Credential handler inside the web application always
returns null

I did re-check using 9.0.82; unfortunately nothing has changed, CredentialHandler
is still null.
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 30 October 2023 18:52
To: Tomcat Users List <users@tomcat.apache.org>; Усманов Азат Анварович
<usma...@ieml.ru>
Subject: Re: Accessing Credential handler inside the web application always
returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone! I'm trying to test CredentialHandler functionality on our
> test server (Tomcat 9.0.64) inside the web-app.
> Our realm is defined as follows (excerpt from server.xml):
>
>     <Realm className="org.apache.catalina.realm.DataSourceRealm"
>            dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD"
>            userNameCol="UserName" userRoleTable="educ.ad_UserRoles"
>            userTable="educ.ad_Users">
>       <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
>         <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>         <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                            algorithm="MD5" />
>       </CredentialHandler>
>     </Realm>
>
> Currently the PWD column, defined as Oracle RAW, only stores MD5 hashes; I was
> hoping to upgrade to PBKDF2 using Tomcat. So here is the relevant part of the basic
> login controller code (LoginCheckServlet):
> LoginCheckServlet:
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         ...
>         String userName = request.getParameter("j_username");
>         String password = request.getParameter("j_password");
>         HttpSession session = request.getSession();
>
>         UserRecord user = ...; // load data from db
>         if (user.checkCorrectPassword(password, session.getServletContext())) {
>             CredentialHandler cr = Security.getCredentialHandler(getServletContext());
>             // hoping to see my password displayed as a PBKDF2 hash
>             System.out.println(cr.mutate(password));
>             .....
>         }
>     }
>
> Security.getCredentialHandler:
>
>     public static CredentialHandler getCredentialHandler(final ServletContext context) {
>         // prints context org.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>         System.out.println("context" + context);
>         // prints 4
>         System.out.println("context vs" + context.getMajorVersion());
>         // always prints ATRIB null
>         System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER));
>         return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>     }

Your code and configuration look reasonable to me.

> So basically it always returns null when trying to access the
> CredentialHandler attribute inside the Security.getCredentialHandler
> method. Any idea why it might be the case?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:

"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"

There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.

-chris


[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
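Pulling the thread together, as an added example (this is not code from the thread, nor from Tomcat): the same lookup the original poster does in Security.getCredentialHandler(), but with a null check that fails with a useful message instead of letting cr.mutate() throw a NullPointerException, followed by a verify-then-rehash login step. The verify step relies on the configured NestedCredentialHandler, whose matches() tries each nested handler in turn (so both the existing MD5 records and new PBKDF2 records are accepted) and whose mutate() delegates to the first nested handler (SecretKeyCredentialHandler, i.e. PBKDF2 in the posted configuration). The CredentialStore interface, the class and package names and the servlet wiring are assumptions standing in for the database code the post elides ("load data from db"); the javax.servlet API matches Tomcat 9.

```java
package example.auth; // hypothetical package

import javax.servlet.ServletContext;

import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;

/**
 * Added example, not from the thread: look up the Realm's CredentialHandler from the
 * ServletContext, verify a login through it, and re-hash legacy MD5 records as PBKDF2
 * the first time the user logs in (the only moment the clear-text password is available).
 */
public final class CredentialMigration {

    /** Hypothetical persistence hook standing in for the elided "load data from db" code. */
    public interface CredentialStore {
        /** Returns the stored credential for the user, or null if the user is unknown. */
        String load(String userName);
        /** Replaces the stored credential; the column must accept the longer '$'-delimited form. */
        void store(String userName, String newCredential);
    }

    /**
     * Same lookup as the thread's Security.getCredentialHandler(), i.e. the ServletContext
     * attribute named by Globals.CREDENTIAL_HANDLER ("org.apache.catalina.CredentialHandler"),
     * but throwing a descriptive exception instead of returning null to a caller that
     * immediately dereferences it.
     */
    public static CredentialHandler requireCredentialHandler(ServletContext ctx) {
        Object attr = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        if (!(attr instanceof CredentialHandler)) {
            throw new IllegalStateException("No CredentialHandler found under ServletContext attribute "
                    + Globals.CREDENTIAL_HANDLER + "; check where the Realm and its CredentialHandler "
                    + "are defined for this context and the Tomcat version (see the 9.0.70 changelog).");
        }
        return (CredentialHandler) attr;
    }

    /**
     * True when the stored value is a bare digest (the legacy MD5 hex string in the thread).
     * Tomcat's salted/iterated handlers emit a '$'-delimited string, a plain digest has no '$'.
     */
    static boolean isLegacyDigest(String stored) {
        return stored != null && stored.indexOf('$') < 0;
    }

    /**
     * Verifies the password with the configured handler and, when the record is still a legacy
     * digest, rewrites it with handler.mutate(), which for a NestedCredentialHandler is handled
     * by the first nested handler (PBKDF2 via SecretKeyCredentialHandler in the posted config).
     * Returns true only if the password matched; the upgrade is a side effect of a good login.
     */
    public static boolean loginAndUpgrade(CredentialHandler handler, CredentialStore store,
                                          String userName, String password) {
        if (userName == null || password == null) {
            return false;
        }
        String stored = store.load(userName);
        if (stored == null || !handler.matches(password, stored)) {
            return false; // unknown user or wrong password; never mutate on a failed login
        }
        if (isLegacyDigest(stored)) {
            String upgraded = handler.mutate(password); // salted, iterated PBKDF2 representation
            if (upgraded != null) {                      // null signals a handler configuration problem
                store.store(userName, upgraded);
            }
        }
        return true;
    }
}
```

Two practical notes. First, the value returned by mutate() is a '$'-delimited string that is considerably longer than a 16-byte MD5 digest, so a RAW column sized for MD5 will not hold it; the column type has to be changed before the rewrite path is enabled. Second, once every record has been rewritten, the MessageDigestCredentialHandler entry can be dropped from the nested handler so that MD5 is no longer accepted at all.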
