tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Class cast exception when starting tomcat 7.0.1
Date Thu, 13 Jun 2013 21:05:24 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Chuck,

On 6/13/13 4:40 PM, Caldarale, Charles R wrote:
>> From: Jane Muse [mailto:JMuse@rocketsoftware.com] Subject: RE:
>> Class cast exception when starting tomcat 7.0.1
> 
>> I had catalina.jar in WEB-INF/lib.
> 
> Very, very bad move.
> 
>> It's needed because we have an implementation of Realm to store
>> an encrypted tomcat password users enter in the webapp.
> 
> Your custom implementation of Realm should be in Tomcat's lib
> directory, not the webapp's.  See: 
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#What_is_a_Realm?
>
>  Such a Realm should not be tied into the operation of any webapp,
> other than configuring the webapp to use it.
> 
>> If I remove it and add the catalina.jar from tomcat_home/lib to
>> the classpath
> 
> Not sure what you mean by adding it to the classpath; please
> explain.
> 
>> I have to change the signature from 
>> org.apache.catalina.realm.RealmBase.Digest(String, String) to 
>> org.apache.catalina.realm.RealmBase.Digest(String, String,
>> String).
> 
> That's because internal Tomcat APIs often change between levels.
> You certainly cannot count on using an older version of Realm with
> a newer Tomcat (or vice versa).
> 
>> Should I not be writing code that needs classes from
>> catalina.jar?
> 
> It would certainly be desirable not to be dependent on internal
> Tomcat classes.  Why do you think a Realm should be storing a
> password (encrypted or not) anywhere?  A Realm would normally be
> reading a password from some controlled storage, not writing to
> it.

+1

I'm interested in what the custom realm does. Tomcat's realms all
support simple hashing via MessageDigest (i.e. no salting, iteration,
password-hashing algorithms, etc.) which is often enough for most
people (yet I'm not one of them).

If you are symmetrically-encrypting your passwords, you are setting
yourself up for security problems.

If you want to implement something more elaborate (say, you want to
implement bcrypt password-hashing instead of MD5), then you'll have to
do it yourself. I've been threatening to write-up some patches to
allow pluggable password-mangling algorithms into Tomcat Realms, but I
have not bothered to do so, yet. If there was more interest in such
things, I might be persuaded to be a little more diligent.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRujQTAAoJEBzwKT+lPKRYwcMP/1u6A4gaWA+NpKs1UgpA8Gr/
qvYqcMt2sjRMPsHEd0uGcxa/SThGJHU351myfMNW4VLfvxV2/++nbnJUlILV3vNS
3h7N6LZrBjAc4CC4u5Xx3MMH4cIY1/jSK0Apnp0inN/zQXTOIT12IRQAT/TNRppS
xxjxcIseZiiIkcsrDx4RS57EjXPNS0abEknCCWfpdldu3KTiZemXu0Loq4jZYXNv
WGit1orL4MFNPEP1CYl5bxaEMfHd4QpSDLY7DG+OQn/AD+xsNuhNwuTc7QI40aLu
9xAN+ebZL1Qo/WmvVQYyMEdPvP8Xc8xSi9uuaaBSnI05I5+tCkSHaZUJZ/JxJrNk
wpAxaIxVHC3YQS/PDsLowY2+MIMXCDnZWi/QOg1TiDypLn5bEGNnJWDUa9L8suYc
hyMCGAh93eFIbkb/wB4hHNHp2Lzqbg31YVWvY53wEGUL1WRkvVzVTlQjQ8pR1cUz
8UyVOD1nG21KnwgelCgJKf4FWNtyxvah+52lTSP+HDieAt/+mLY4Z6PH5AUEte+2
QvaO6wfcfSfERA8vIy43XWRQXuciWmRtQypdmHeZQ4KI5ajRteyUKLIu2P1wahmT
W+6VyVvDm+k7DW9p7l0XodX/ivw+XChmCm5EXZbDqrhkyelX22lv5jSxn4ROzkUg
HePguW0/PF6NNBb5BFg0
=Jhko
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message