Chuck,

On 10/22/23 13:55, Chuck Caldarale wrote:
On Oct 22, 2023, at 10:02, Усманов Азат Анварович <usma...@ieml.ru> wrote:

Hi everyone! I'm trying to use CredentialHandler with Tomcat to increase 
security since our db at $work still has pwd stored as md5 hashes. Some of our 
servers still use Tomcat 7.0.92. I was looking at this presentation by 
Christopher Schultz 
http://people.apache.org/~schultz/ApacheCon%20NA%202017/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
It mentions that Credential handler should be available to a web app in 
Tomcat 7.0.70+. But then I looked up the source code for catalina.jar in 7.0.92 and 
7.0.109-src, and I can't find a class named CredentialHandler. Am I looking at the 
wrong place or is it just not available in Tomcat 7? Also, the Tomcat docs for 7 
don't seem to mention CredentialHandler at all.



Looks like the CredentialHandler mechanism was introduced in 8.0.15 (November 
2014), with no indication that it would ever be retrofitted to any 7.0.x 
version. (The footnote on slide 30 of the cited presentation appears to be in 
error.)

Yeah, I have no idea where I got the 7.0.70 version number from. Maybe I guessed it while drafting and never confirmed it. Sorry,
Азат, it looks like I got that one wrong.

Given that Tomcat 7.0 has not been supported for over two years and numerous 
issues have been addressed in the intervening time period, it might be time to 
upgrade…

+1

At this point, 7.0 is essentially 2 versions back from the currently-supported version of Tomcat (8.5.x) which itself is scheduled to be retired at the end of this coming March -- a mere 5 months from now.

I don't see any appetite for anybody -- myself included -- working on a back-port for this to Tomcat 7.

I would encourage you to upgrade to Tomcat 9. I suspect you'll find that your application runs with very few if any issues if you just upgrade in a development environment and run a test.

-chris
