Jon,

On 8/24/21 19:51, jonmcalexan...@wellsfargo.com.INVALID wrote:
Chris,

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, August 24, 2021 5:52 PM
To: users@tomcat.apache.org
Subject: Re: UserDatabaseRealm and DIGEST

Jon,

On 8/24/21 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, August 24, 2021 11:41 AM
To: users@tomcat.apache.org
Subject: Re: UserDatabaseRealm and DIGEST

On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote:
Ok, so I've been reading thru the documentation on DIGEST but not
entirely sure I have it right. What is the best practice for DIGEST
and what algorithms are allowed, such as is sha-256 allowed?

First, a question of clarification.

Do you mean HTTP DIGEST authentication or do you mean storing
password hashes rather than the actual passwords in the
UserDatabaseRealm?

Mark
I mean the Password Hashes rather than the actual password for the
UserDatabaseRealm.

You can use any algorithm that Java's MessageDigest supports.

I would recommend against using "Digest" credential storage and instead use
something more secure such as PBKDF2, which Tomcat also supports.

You might find this informative:
https://tomcat.apache.org/presentations.html#latest-credential-security

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

In this case I am wanting to know the proper way to use DIGEST as we have some folks with vendor applications that use Tomcat that insist on using the UserDatabaseRealm. I agree that using LDAP or something other is the better way to go. We typically do NOT allow the use of the UserDatabaseRealm unless the passwords are hashed with DIGEST. I just want to make sure that when we check for compliance, we are approving the various means.

You can use any of those credential handlers with the UserDatabaseRealm. For example PBKDF2 is perfectly usable. You just need to get user passwords, run them through PBKDF2, and copy/paste them into tomcat-users.xml (or wherever you have them).

There is a "digest.sh" script that comes with your Tomcat distribution. Run it and you'll see the options. You can ask that to generate a stored-credential for any plaintext password you want to use, and it should work with a similarly-configured UserDatabaseRealm (and child CredentialHandler).

-chris


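As an added illustration of the two points in Chris's reply (PBKDF2 stored credentials work fine with the UserDatabaseRealm, and digest.sh produces them) and of Jon's compliance-check use case, the following script is example code written for this page, not Tomcat's own code. It assumes the stored-credential format written by Tomcat's org.apache.catalina.realm.SecretKeyCredentialHandler, namely hex(salt)$iterations$hex(derived key), and the parameter names (algorithm, iterations, keyLength, saltLength) are the ones that handler takes; the sample tomcat-users.xml, the usernames and the fixed salt are constructed for the example.

```python
"""Produce and verify Tomcat-style PBKDF2 stored credentials, and audit a
tomcat-users.xml for users whose password attribute is still plaintext or an
unsalted digest.  Example code for this thread, not part of Tomcat."""
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# These must match the CredentialHandler configured under the Realm in server.xml
# (assumed settings for the example):
#   <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
#        algorithm="PBKDF2WithHmacSHA512" iterations="100000" keyLength="256" saltLength="16"/>
HASH_NAME = "sha512"        # PBKDF2WithHmacSHA512 in Java naming
ITERATIONS = 100_000
KEY_LENGTH_BITS = 256       # Tomcat's keyLength is in bits; hashlib wants bytes
SALT_LENGTH = 16            # bytes


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return hex(salt)$iterations$hex(key), the form SecretKeyCredentialHandler
    stores (assumed format).  A random salt is drawn when none is supplied."""
    salt = os.urandom(SALT_LENGTH) if salt is None else salt
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_LENGTH_BITS // 8)
    return f"{salt.hex()}${ITERATIONS}${key.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive the key from the stored salt and iteration count and compare in
    constant time.  Anything that is not in the salted format fails closed."""
    try:
        salt_hex, iterations_str, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# Heuristic classification of a password attribute as it appears in tomcat-users.xml.
SALTED_RE = re.compile(r"^[0-9a-fA-F]*\$\d+\$[0-9a-fA-F]+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DIGEST_HEX_LENGTHS = {32, 40, 56, 64, 96, 128}   # MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512


def classify(stored: str) -> str:
    """'salted' (PBKDF2 or salted digest), 'unsalted-digest' (the bare hex form
    Chris advises against), or 'plaintext'.  A plaintext password that happens
    to be hex of a digest length is misclassified; treat results as a triage aid."""
    if SALTED_RE.match(stored):
        return "salted"
    if HEX_RE.match(stored) and len(stored) in DIGEST_HEX_LENGTHS:
        return "unsalted-digest"
    return "plaintext"


def audit(xml_text: str) -> Dict[str, str]:
    """Map each <user> in a tomcat-users.xml document to its classification.
    Tag names are compared by local name so the Tomcat namespace does not matter."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "user":
            findings[elem.get("username", "")] = classify(elem.get("password", ""))
    return findings


# Constructed sample file: one plaintext user, one unsalted SHA-256 user, one PBKDF2 user.
FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed, for determinism
HARDENED_CREDENTIAL = make_credential("s3cret", FIXED_SALT)
SAMPLE_TOMCAT_USERS = f"""<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="legacy"   password="s3cret" roles="manager-gui"/>
  <user username="digest"   password="{hashlib.sha256(b's3cret').hexdigest()}" roles="manager-gui"/>
  <user username="hardened" password="{HARDENED_CREDENTIAL}" roles="manager-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, kind in audit(SAMPLE_TOMCAT_USERS).items():
        print(f"{user:10s} {kind}")
    print("verify ok:", verify("s3cret", HARDENED_CREDENTIAL))
```

The value that `make_credential` returns is what you would paste into the `password` attribute; the equivalent command with the shipped script is `digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler s3cret`, which prints `s3cret:<salt>$100000$<key>` with a fresh random salt. The Realm only matches the stored value if its CredentialHandler is configured with the same algorithm, so keep the handler settings and the generation parameters in the same change set.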