Hi everyone! I'm trying to test CredentialHandler functionality on our test
server (Tomcat 9.0.64) inside the web-app.
Our realm is defined as follows (excerpt from server.xml):
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD"
           userNameCol="UserName" userRoleTable="educ.ad_UserRoles"
           userTable="educ.ad_Users">
      <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
        <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                           algorithm="MD5" />
      </CredentialHandler>
    </Realm>
Currently the PWD column, defined as Oracle (RAW), only stores MD5 hashes. I was
hoping to upgrade to PBKDF2 using Tomcat, so here is the relevant part of the basic
login controller code (LoginCheckServlet):
LoginCheckServlet

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ...
        String userName = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        HttpSession session = request.getSession();

        UserRecord user = ... // load data from db
        if (user.checkCorrectPassword(password, session.getServletContext())) {
            CredentialHandler cr = Security.getCredentialHandler(getServletContext());
            // hoping to see my password displayed as pbkdf2 hash
            System.out.println(cr.mutate(password));
            .....
        }
    }

Security.getCredentialHandler

    public static CredentialHandler getCredentialHandler(final ServletContext context) {
        // prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
        System.out.println("context" + context);
        // prints 4
        System.out.println("context vs" + context.getMajorVersion());
        // always prints ATRIB null
        System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER));
        return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
    }

UserRecord class

    public boolean checkCorrectPassword(String pwd, ServletContext ctx) {
        try {
            System.out.println(ctx.getMajorVersion());
            BigInteger bigInt = new BigInteger(1, passwordHash);
            CredentialHandler ch = Security.getCredentialHandler(ctx);
            // Pad to 32 hex digits: toString(16) drops the leading zeros of an MD5 hash
            boolean result = ch.matches(pwd, String.format("%032x", bigInt));
            return result;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }


So basically it always returns null when trying to access the CredentialHandler
attribute inside the Security.getCredentialHandler method. Any idea why that might
be the case?

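The upgrade the post is aiming for (check the legacy MD5 value, then store a PBKDF2 credential), as an added example that is not part of the original message and not Tomcat's own code; it uses only JDK classes and does not depend on the `Globals.CREDENTIAL_HANDLER` attribute. The `RehashOnLogin` class, its parameters and the sample password are assumptions, and the hex `salt$iterations$hash` layout follows the stored-credential form the Tomcat documentation describes for its digest-based handlers.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class RehashOnLogin {
    // Assumed parameters for this example, not read from any Tomcat configuration.
    static final int ITERATIONS = 20000, SALT_BYTES = 32, KEY_BITS = 160;
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x)); // keeps leading zeros
        return sb.toString();
    }
    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    static byte[] md5(String pwd) throws Exception {
        return MessageDigest.getInstance("MD5").digest(pwd.getBytes(StandardCharsets.UTF_8));
    }
    static byte[] pbkdf2(String pwd, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pwd.toCharArray(), salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
    }
    // Builds a hex salt$iterations$hash credential with a fresh random salt.
    static String mutate(String pwd) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return hex(salt) + "$" + ITERATIONS + "$" + hex(pbkdf2(pwd, salt, ITERATIONS));
    }
    // Accepts either stored form; both comparisons are constant-time.
    static boolean matches(String pwd, String stored) throws Exception {
        String[] p = stored.split("\\$");
        if (p.length == 3) // PBKDF2 form
            return MessageDigest.isEqual(pbkdf2(pwd, unhex(p[0]), Integer.parseInt(p[1])), unhex(p[2]));
        return MessageDigest.isEqual(md5(pwd), unhex(stored)); // legacy unsalted MD5 hex
    }
    public static void main(String[] args) throws Exception {
        String pwd = "correct horse";   // constructed sample password
        String stored = hex(md5(pwd));  // constructed legacy value, as the PWD column holds today
        // Re-hash only after the legacy check succeeds; a real login would then update the row.
        if (matches(pwd, stored)) stored = mutate(pwd);
        System.out.println("good password: " + matches(pwd, stored));
        System.out.println("bad password:  " + matches("wrong", stored));
    }
}
```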