Азат,
On 10/31/23 13:53, Усманов Азат Анварович wrote:
Hi everyone! CredentialHandler became not null as soon as I transferred the
Realm definition from server.xml to context.xml (after checking the source
code). I've been able to see the new PBKDF2 version of the given clear-text
password even with the old 9.0.64 version. I was wondering: is the necessity
to have the Realm defined inside context.xml for accessing the
CredentialHandler a design decision or a possible bug in Tomcat itself? It
wasn't mentioned in the Tomcat documentation. Perhaps it should be added to
the docs.
Hmm... it shouldn't matter if you define your <Realm> in server.xml or
in app/META-INF/context.xml. Are you sure that was the only difference
between working/not-working configurations?
Thanks,
-chris
________________________________
From: Усманов Азат Анварович <usma...@ieml.ru>
Sent: 30 October 2023 20:25
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: RE: Accessing Credential handler inside the web application always
returns null
I did recheck using 9.0.82; unfortunately nothing has changed, CredentialHandler
is still null.
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 30 October 2023 18:52
To: Tomcat Users List <users@tomcat.apache.org>; Усманов Азат Анварович
<usma...@ieml.ru>
Subject: Re: Accessing Credential handler inside the web application always
returns null
Азат,
On 10/29/23 20:45, Усманов Азат Анварович wrote:
Hi everyone! I'm trying to test CredentialHandler functionality on our test
server (Tomcat 9.0.64) inside the web app.
Our realm is defined as follows (excerpt from server.xml):
<Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/IEML_DB"
       roleNameCol="RoleName" userCredCol="PWD" userNameCol="UserName"
       userRoleTable="educ.ad_UserRoles" userTable="educ.ad_Users">
  <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="MD5"/>
  </CredentialHandler>
</Realm>
Currently the PWD column, defined as Oracle RAW, only stores MD5 hashes; I was
hoping to upgrade to PBKDF2 using Tomcat. So here is the relevant part of the
basic login controller code (LoginCheckServlet):
LoginCheckServlet
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    ...
    String userName = request.getParameter("j_username");
    String password = request.getParameter("j_password");
    HttpSession session = request.getSession();
    UserRecord user = ... // load data from db
    if (user.checkCorrectPassword(password, session.getServletContext())) {
        CredentialHandler cr = Security.getCredentialHandler(getServletContext());
        // hoping to see my password displayed as a PBKDF2 hash
        System.out.println(cr.mutate(password));
        .....
    }
Security.getCredentialHandler
public static CredentialHandler getCredentialHandler(final ServletContext context) {
    // prints: contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
    System.out.println("context" + context);
    // prints: context vs4
    System.out.println("context vs" + context.getMajorVersion());
    // always prints: ATRIB null
    System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER));
    return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
}
Your code and configuration look reasonable to me.
So basically it always returns null when trying to access the
CredentialHandler attribute inside the Security.getCredentialHandler
method. Any idea why it might be the case?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:
"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"
There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
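The migration Azat is after (verify against the stored MD5, then re-encode the clear-text password with the Realm's handler and write the PBKDF2 form back) can be done with the attribute discussed in this thread, provided the code tolerates the attribute being absent instead of dereferencing a null handler. The helper below is an added example written for this page, not code from the original posts or from Tomcat. The class and method names, the `DataSource` parameter and the `(?i)[0-9a-f]{32}` legacy test are assumptions; the table and column names are the ones from the Realm config above, and it assumes `PWD` has been changed from `RAW(16)` to a character column wide enough for the `salt$iterations$key` string that `SecretKeyCredentialHandler` produces. It needs `catalina.jar` on the compile classpath (it is there at runtime inside Tomcat 9).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.servlet.ServletContext;
import javax.sql.DataSource;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;

/**
 * Opportunistic upgrade of a stored MD5 credential to the Realm's configured format.
 * Hypothetical helper (not from the thread or from Tomcat); see lead-in for assumptions.
 */
public final class PasswordUpgrade {

    private PasswordUpgrade() {}

    /** The Realm's CredentialHandler as published by Tomcat, or null if it is not set. */
    public static CredentialHandler lookup(ServletContext ctx) {
        // Globals.CREDENTIAL_HANDLER is "org.apache.catalina.CredentialHandler"
        Object attr = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        return attr instanceof CredentialHandler ? (CredentialHandler) attr : null;
    }

    /** Legacy form from the thread: a bare MD5 digest, 32 hex characters. (Assumption.) */
    static boolean isLegacyMd5(String stored) {
        return stored != null && stored.matches("(?i)[0-9a-f]{32}");
    }

    /**
     * Call only AFTER clearText has been verified against stored, as the servlet above does.
     * Returns the new credential string if the row was rewritten, otherwise null.
     */
    public static String upgradeIfLegacy(ServletContext ctx, DataSource ds,
                                         String userName, String clearText, String stored)
            throws SQLException {
        if (!isLegacyMd5(stored)) {
            return null; // already upgraded, or an unrecognised format: leave it alone
        }
        CredentialHandler handler = lookup(ctx);
        if (handler == null) {
            // The situation reported on 9.0.64 in this thread. Fail safe: keep the MD5
            // value for now rather than NPE the login path or store garbage.
            ctx.log("CredentialHandler attribute not set; skipping password upgrade");
            return null;
        }
        // With NestedCredentialHandler, mutate() delegates to the FIRST nested handler,
        // here SecretKeyCredentialHandler (PBKDF2), so the new value is salt$iterations$key.
        String upgraded = handler.mutate(clearText);
        if (upgraded == null || !handler.matches(clearText, upgraded)) {
            // Sanity check before persisting: the new value must verify with the same handler.
            throw new IllegalStateException("mutated credential does not round-trip");
        }
        // Conditional on the old value so a concurrent login that already upgraded the
        // row is not overwritten. Table/column names from the Realm config in the thread;
        // assumes PWD is now a character column (see lead-in).
        String sql = "UPDATE educ.ad_Users SET PWD = ? WHERE UserName = ? AND PWD = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, upgraded);
            ps.setString(2, userName);
            ps.setString(3, stored);
            return ps.executeUpdate() == 1 ? upgraded : null;
        }
    }
}
```

Once every row has been rewritten, the `MessageDigestCredentialHandler` entry can be dropped from the nested handler so that MD5 credentials are no longer accepted at all; until then `matches()` on the nested handler tries each child in turn, which is what lets old and new rows coexist during the migration.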
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org