Hi everyone,

I have a webapp hosted by Tomcat and need to restrict user access to
some part of it. One additional requirement is that this app needs to
be CIS benchmark compliant, which requires using LockOutRealm and
prohibits storing plain-text passwords. Therefore, the ultimate
solution in my case would be the following:

> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase">
>     <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>                        algorithm="PBKDF2WithHmacSHA512"
>                        iterations="100000"
>                        keyLength="256"
>                        saltLength="16" />
>   </Realm>
> </Realm>

But that doesn't work, because LockOutRealm ignores any credential
handler. Additionally, with the Tomcat 10 I'm using, I'm unable to set
any "digest" attribute on the realm itself anymore either. The only
way to fulfill both requirements is to implement a custom realm.

> Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm setCredentialHandler
> WARNUNG: A CredentialHandler was set on an instance of the
> CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> doesn't use a configured CredentialHandler. Is this a configuration
> error?

https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

So, what's the reason for not supporting credential handlers for
LockOutRealm?

That doesn't make much sense to me, especially as most docs I came
across use LockOutRealm in combination with some other realm, and
there are no docs saying that a fundamental concept like credential
handlers won't work at all in this setup. Additionally, when
researching that task, some people even claim that the above XML
config works, but it simply can't. I don't see any code in
LockOutRealm that asks other realms about their credential handlers.

I've had a look at the bug tracker already and couldn't find this
topic discussed or a reason for the implementation. OTOH, someone did
add some code to explicitly log a warning message instead of fixing
the underlying problem.

Is the problem really deciding which of the child realms' credential
handlers to use? In the easiest case, simply use the first credential
handler found with a depth-first search; that should work for the
majority of use cases. Other aspects of the config, like the default
assumed nesting level of realms and such, seem hard-coded as well.

I would be glad to read some thoughts, as I need to decide how to deal
with this limitation right now. Thanks!

Kind regards

Thorsten Schöning

-- 
AM-SoFT IT-Service - Bitstore Hameln GmbH
Member of the Bitstore Group - Your full-service provider for IT and telecommunications

E-Mail: thorsten.schoen...@am-soft.de
Web:    http://www.AM-SoFT.de/

Tel:    +49 5151-  9468- 0
Tel:    +49 5151-  9468-55
Mobile: +49  178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 221853 - Managing Director: Janine Galonska
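One way to build the custom realm the post mentions, using the depth-first lookup it proposes (added example, not the author's code or Tomcat's own): it relies on CombinedRealm.getNestedRealms(), assumes the package name example.realm, and assumes the class is packed into a JAR under Tomcat's lib directory so that server.xml can reference it as className="example.realm.DelegatingLockOutRealm" in place of the outer LockOutRealm in the quoted config.

```java
package example.realm; // assumed package name

import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Realm;
import org.apache.catalina.realm.CombinedRealm;
import org.apache.catalina.realm.LockOutRealm;

/**
 * LockOutRealm variant that exposes the first CredentialHandler configured on
 * any nested realm (depth-first), so code that calls
 * context.getRealm().getCredentialHandler() on the top-level realm gets the
 * PBKDF2 handler of the nested UserDatabaseRealm instead of the lockout
 * wrapper's own (unconfigured) handler. Authentication is still delegated to
 * the nested realms by CombinedRealm, unchanged.
 */
public class DelegatingLockOutRealm extends LockOutRealm {

    @Override
    public CredentialHandler getCredentialHandler() {
        CredentialHandler nested = findNestedHandler(this);
        // Fall back to whatever the base class would have returned when no
        // nested realm carries an explicit handler.
        return nested != null ? nested : super.getCredentialHandler();
    }

    /**
     * Depth-first search over the children of a CombinedRealm for the first
     * non-null CredentialHandler. Nested CombinedRealms are descended into
     * rather than asked directly, because they do not use their own handler.
     */
    private static CredentialHandler findNestedHandler(CombinedRealm combined) {
        for (Realm child : combined.getNestedRealms()) {
            if (child instanceof CombinedRealm) {
                CredentialHandler deeper = findNestedHandler((CombinedRealm) child);
                if (deeper != null) {
                    return deeper;
                }
            } else {
                CredentialHandler handler = child.getCredentialHandler();
                if (handler != null) {
                    return handler;
                }
            }
        }
        return null;
    }
}
```

The lockout bookkeeping (failure counting, lock duration) is inherited untouched; only the handler lookup changes, so the realm can be dropped in without altering the nested Realm or CredentialHandler elements.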
