Thorsten,
On 11/15/22 05:09, Thorsten Schöning wrote:
> I have some webapp hosted by Tomcat and need to restrict user access
> to some part of that. One additional requirement is that this app
> needs to be CIS benchmark compliant, which requires using
> LockOutRealm and prohibits storing plain-text passwords. Therefore,
> the ultimate solution in my case would be the following:
>   <Realm className="org.apache.catalina.realm.LockOutRealm">
>     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>            resourceName="UserDatabase">
>       <CredentialHandler
>           className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>           algorithm="PBKDF2WithHmacSHA512"
>           iterations="100000"
>           keyLength="256"
>           saltLength="16"
>       />
>     </Realm>
>   </Realm>
> But that doesn't work, because LockOutRealm ignores any credential
> handler.
Does it?
> Additionally, with the Tomcat 10 I'm using, I'm unable to set any
> "digest" attribute on the realm itself anymore as well.
Forget about "digest". It's dead and for good reason.
> The only way to fulfill both requirements is to implement a custom
> realm.
That should not be true.
> Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm setCredentialHandler
> WARNUNG: A CredentialHandler was set on an instance of the
> CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> doesn't use a configured CredentialHandler. Is this a configuration
> error?
>
> https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
> https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
> https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
> https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm
> So, what's the reason for not supporting credential handlers for
> LockOutRealm?
They are supported.
> Doesn't make too much sense to me, especially as most docs I came
> across use LockOutRealm in combination with some other realm and
> there are no docs saying that a fundamental concept like credential
> helpers won't work at all in this setup. Additionally, when researching
> that task, some people even claim that the above XML config works, but
> it simply can't.
?
> I don't see any code in LockOutRealm to ask other
> realms about their credential handlers.
Nor do you need any such code.
> I've had a look at the bugtracker already and couldn't find this topic
> discussed or a reason for the implementation. OTOH, someone did add
> some code to explicitly log a warning message instead of fixing the
> underlying problem.
I'm not sure there is an "underlying problem" that needs fixing.
> Is the problem really to decide which of the child realms to choose
> for its credential handler to use?
No.
> In the easiest case simply use the
> first credential handler found with a depth-first search, that should
> work for the majority of use-cases.
No.
> Other aspects of the config like
> default assumed nesting level of realms and stuff seem hard-coded as
> well.
Really? Like what?
> Would be glad to read some thoughts, as I need to decide how to deal
> with this limitation right now. Thanks!
What happens if you configure your realm like this:
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000"
        keyLength="256"
        saltLength="16"
    />
  </Realm>
Are you able to login to your application? If not, get that working first.
Once that's working, try wrapping the above in:
<Realm className="org.apache.catalina.realm.LockOutRealm">
...
</Realm>
Rebuild, restart, and try logging in again. Are you able to log in? If
not, please let us know.
If you are able to log in, then try logging in a few times with the wrong
password. Are you locked out? (Do you know how to verify that?)
All of that should work.
-chris
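An added example of my own (not code from this thread or from Tomcat) that generates and checks credentials in the hexSalt$iterations$hexKey layout that SecretKeyCredentialHandler stores for the settings discussed above (PBKDF2WithHmacSHA512, 100000 iterations, 256-bit key, 16-byte salt), so an administrator can produce tomcat-users.xml entries offline or confirm that an entry is not a plain-text password. The layout and the mapping of the handler's attributes onto PBKDF2 parameters are my reading of Tomcat's credential handler, not something the thread states.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Settings mirrored from the <CredentialHandler> in the thread.
PRF = "sha512"            # PBKDF2WithHmacSHA512
ITERATIONS = 100000
KEY_LENGTH_BITS = 256
SALT_LENGTH = 16


def parse_credential(stored: str) -> Optional[Tuple[bytes, int, bytes]]:
    """Split a hexSalt$iterations$hexKey entry (assumed stored layout);
    None if it is not one, e.g. a plain-text password in tomcat-users.xml."""
    parts = stored.split("$")
    if len(parts) != 3:
        return None
    try:
        salt, iterations, key = bytes.fromhex(parts[0]), int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return None
    if iterations <= 0 or not key:
        return None
    return salt, iterations, key


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the stored form; a random salt is drawn unless one is given
    (a fixed salt is only for reproducible tests)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LENGTH)
    key = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_LENGTH_BITS // 8)
    return f"{salt.hex()}${ITERATIONS}${key.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Re-derive with the salt and iteration count taken from the entry and
    compare in constant time; a malformed entry never authenticates."""
    parsed = parse_credential(stored)
    if parsed is None:
        return False
    salt, iterations, key = parsed
    derived = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                  iterations, dklen=len(key))
    return secrets.compare_digest(derived, key)
```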