On 19/04/2020 06:59, Brian Burch wrote:
> On 17/4/20 10:28 pm, Mark Thomas wrote:
>> On 16/04/2020 09:56, Brian Burch wrote:
>>> On 15/4/20 6:24 am, Mark Thomas wrote:
>>
>> <snip/>
>>
>>>> I'd expect you to see an error message if your server.xml isn't quite
>>>> right although that is what this looks like.
>>>
>>> There was no error message. I think my xml was syntax-free, but it did
>>> not reflect my intent.
>>
>> Can you provide before and after extracts from server.xml? I'm not 100%
>> sure what your non-working configuration looked like. I'll see if we can
>> do anything to highlight the configuration issue.
> <snip/>
> 
> My Realm definitions are always nested inside the https Connector and
> its Engine definition.
> 
> Here are the definitions of the two Realms for tc 7.0.52, which
> successfully authenticated the browser-supplied cleartext passwords
> against the SHA hashes from my LDAP server.
> 
>       <Realm className="org.apache.catalina.realm.LockOutRealm"
>              cacheSize="1000"
>              failureCount="4"
>              lockOutTime="1200"
>              cacheRemovalWarningTime="86400" >
> 
>           <Realm className="org.apache.catalina.realm.JNDIRealm"
>                  connectionName="uid=tomcatAuthenticate,ou=Special Users,o=pingtoo.com"
>                  connectionPassword="<redacted>"
>                  connectionURL="ldap://ldap.pingtoo.com:10389"
>                  userBase="ou=people,o=pingtoo.com"
>                  userSubtree="false"
>                  userSearch="(uid={0})"
>                  userRoleName="tomcatRole"
>                  userPassword="userPassword"
>                  digest="SHA" />
>       </Realm>
> 
> The JNDIRealm is nested properly inside the LockOutRealm.
> 
> This server.xml could not authenticate users under tomcat 8.54,
> presumably because the Realm algorithm parameter had been deprecated.

If I take that and copy it to 8.5.54 (with a dummy password) the very
first line of the log file is:

20-Apr-2020 21:03:48.770 WARNING [main]
org.apache.tomcat.util.digester.SetPropertiesRule.begin
[SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property
'digest' to 'SHA' did not find a matching property.

I then patched 8.5.x so the JNDIRealm didn't complain when it couldn't
open a connection to an LDAP server (that was quicker than setting up an
LDAP server) to test your next configuration.

> ------------------------------------------------------------
> 
> The following Realm definition caused JNDIRealm to call
> MessageDigestCredentialHandler.matches, which called its own
> getAlgorithm method, which returned null (not SHA-1).
> 
>       <Realm className="org.apache.catalina.realm.LockOutRealm"
>              cacheSize="1000"
>              failureCount="4"
>              lockOutTime="1200"
>              cacheRemovalWarningTime="86400" >
> 
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>              connectionName="uid=tomcatAuthenticate,ou=Special Users,o=pingtoo.com"
>              connectionPassword="<redacted>"
>              connectionURL="ldap://ldap.pingtoo.com:10389"
>              userBase="ou=people,o=pingtoo.com"
>              userSubtree="false"
>              userSearch="(uid={0})"
>              userRoleName="tomcatRole"
>              userPassword="userPassword" />
>         <CredentialHandler
> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                            algorithm="MD5" />
>       </Realm>
> 
> My mistake was to nest JNDIRealm properly, but code it as
> self-terminating. I guess the CredentialHandler was associated with the
> LockOutRealm, rather than the JNDIRealm.

Ah. Got it. You are right about what is happening.

I think we can add a warning for this case as a CredentialHandler set on
CombinedRealm will never be used. The other option would be to try and
look for a CredentialHandler on the parent Realm if the current Realm
doesn't have one but that will get really messy, really quickly with the
combination of nested Realms, nested CredentialHandlers and trying to
distinguish between a Realm that should inherit a CredentialHandler from
a parent and a Realm that deliberately does not have a CredentialHandler
(when the parent does).

> ------------------------------------------------------------------
> 
> Just to finish the story, here's the properly nested version which works
> with SHA-1 and LDAP password hashes prefixed with {SHA}.
> 
>       <Realm className="org.apache.catalina.realm.LockOutRealm"
>              cacheSize="1000"
>              failureCount="4"
>              lockOutTime="1200"
>              cacheRemovalWarningTime="86400" >
> 
>           <Realm className="org.apache.catalina.realm.JNDIRealm"
>                  connectionName="uid=tomcatAuthenticate,ou=Special Users,o=pingtoo.com"
>                  connectionPassword="<redacted>"
>                  connectionURL="ldap://ldap.pingtoo.com:10389"
>                  userBase="ou=people,o=pingtoo.com"
>                  userSubtree="false"
>                  userSearch="(uid={0})"
>                  userRoleName="tomcatRole"
>                  userPassword="userPassword" >
> 
>               <CredentialHandler
> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                   algorithm="SHA-1" />
>           </Realm>
>       </Realm>

Yep, that looks better.

> Thanks for your help getting me this far!

You are welcome.

> I will reply to the later points in your last post in subsequent emails.

Thanks. No rush.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
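As an added example, not code from this thread or from Tomcat itself: a small Python lint that parses a server.xml (or a bare Realm fragment) and flags the two problems discussed above, a CredentialHandler declared directly on a LockOutRealm/CombinedRealm (which, as Mark says, will never be used) and the old `digest` attribute that 8.5 logs as "did not find a matching property". The three sample configurations are constructed from the ones Brian posted; the LDAP host, bind DN and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Realms that only delegate to the Realms nested inside them. A CredentialHandler
# declared directly on one of these is never consulted for a password check, so
# the nested Realm falls back to its own default handler (no algorithm set, hence
# a plain comparison against the stored value).
COMBINING_REALMS = {
    "org.apache.catalina.realm.CombinedRealm",
    "org.apache.catalina.realm.LockOutRealm",
}


def _short(class_name):
    """'org.apache.catalina.realm.JNDIRealm' -> 'JNDIRealm'."""
    return class_name.rsplit(".", 1)[-1] or "?"


def find_realm_issues(server_xml):
    """Return warning strings for a whole server.xml or a bare <Realm> fragment."""
    root = ET.fromstring(server_xml)
    issues = []

    def walk(elem, path):
        label = elem.tag
        if elem.tag == "Realm":
            label += "[" + _short(elem.get("className", "")) + "]"
        here = path + "/" + label if path else label

        if elem.tag == "Realm":
            # Tomcat 8.5 Realms have no 'digest' property; the startup log reports
            # "did not find a matching property" and the value is dropped.
            if "digest" in elem.attrib:
                issues.append(
                    f"{here}: attribute digest={elem.get('digest')!r} is ignored on 8.5; "
                    "move the algorithm to a nested <CredentialHandler>")
            # A CredentialHandler placed on the combining Realm instead of the
            # authenticating Realm nested inside it is never used.
            if elem.get("className") in COMBINING_REALMS:
                for handler in elem.findall("CredentialHandler"):
                    issues.append(
                        f"{here}: CredentialHandler algorithm={handler.get('algorithm')!r} "
                        "is set on a combining Realm and will never be used; nest it "
                        "inside the Realm that actually authenticates")
        for child in elem:
            walk(child, here)

    walk(root, "")
    return issues


# Constructed inputs modelled on the thread (host, bind DN and password are placeholders).
_JNDI_ATTRS = (
    'className="org.apache.catalina.realm.JNDIRealm" '
    'connectionName="uid=bind,ou=people,o=example" connectionPassword="PLACEHOLDER" '
    'connectionURL="ldap://ldap.example.invalid:10389" userBase="ou=people,o=example" '
    'userSubtree="false" userSearch="(uid={0})" userRoleName="tomcatRole" '
    'userPassword="userPassword"'
)
_LOCKOUT = ('<Realm className="org.apache.catalina.realm.LockOutRealm" '
            'cacheSize="1000" failureCount="4" lockOutTime="1200">')
_HANDLER = ('<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" '
            'algorithm="%s" />')

# JNDIRealm self-terminated, so the handler is a child of the LockOutRealm.
MISNESTED = _LOCKOUT + "<Realm " + _JNDI_ATTRS + " />" + (_HANDLER % "MD5") + "</Realm>"
# Handler nested inside the JNDIRealm: the working configuration.
FIXED = _LOCKOUT + "<Realm " + _JNDI_ATTRS + ">" + (_HANDLER % "SHA-1") + "</Realm></Realm>"
# Tomcat 7 style: digest set as a Realm attribute.
LEGACY = _LOCKOUT + "<Realm " + _JNDI_ATTRS + ' digest="SHA" /></Realm>'

if __name__ == "__main__":
    for name, cfg in (("mis-nested", MISNESTED), ("fixed", FIXED), ("legacy digest", LEGACY)):
        print(name + ":", find_realm_issues(cfg) or ["ok"])
```

Run it against a real server.xml by reading the file and passing its contents to `find_realm_issues`; the path in each warning (for example `Realm[LockOutRealm]/CredentialHandler`) tells you which nesting level the handler landed on.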
