tomcat-users mailing list archives

From Yuval Schwartz <yuval.schwa...@gmail.com>
Subject Fwd: Fwd:
Date Thu, 21 May 2015 18:39:29 GMT
Hello,

I have some follow-up questions to Chris' response below (in blue).

On Wed, May 20, 2015 at 5:53 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Yuval,
>
> On 5/20/15 9:34 AM, Yuval Schwartz wrote:
> > I believe I am running tomcat 8.0 (although when I call the
> > getServerInfo() method of the implicit ServletContext object, it
> > tells me that I am running on 7.54)
>
> Then you are not running Tomcat 8.0.x.
>
> > I configured my realm element in my context.xml file as follows
> > (based on the howto guide:
> > https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html):
>
> If you are running Tomcat 7, the Tomcat 8 users guide may give you bad
> guidance. If you are intending to run Tomcat 8, you might want to get
> that fixed, first.
>

You are correct, I was running Tomcat 7, which doesn't use the same syntax
for digesting from the command prompt (I think it doesn't have the options
for salt, iterations, etc.). So I updated to tomcat 8.


>
> > <Realm className="org.apache.catalina.realm.DataSourceRealm"
> > debug="99"
>
> The "debug" attribute hasn't been supported for something like 10 years.
>
> > dataSourceName="jdbc/board" localDataSource="true"
> > userTable="test_user" userNameCol="Email"
> > userCredCol="HashedPassword" userRoleTable="test_user_role"
> > roleNameCol="Role">
> >
> > <CredentialHandler className="MessageDigestCredentialHandler"
> > algorithm="SHA-1" iterations="1000" saltLength="48"/>
>
> Oh, good: someone is using the CredentialHandler to improve their
> security. You might want to:
>
> 1. Switch to a larger hash, like SHA-256
> 2. Find out how much time it takes to do 1000 SHA-1 (or SHA-256)
> hashes on your server. You want the hashing to take more than a
> trivial amount of time. Our services currently use more than 10k
> iterations of SHA-256. This makes brute-forcing our password database
> very time consuming for an attacker, if they were to capture the
> database itself.
>
> > </Realm>
> >
> >
> > However, despite the password being stored in the format described
> > in your "how to" manual (ie:{salt}${iterations}${password}),
> > authentication fails. I assume that this is because something in my
> > <Realm> configuration is wrong.
>
> Tomcat can generate a hash for you from the command-line:
>
> $ ./bin/digest.sh -a SHA-256 -i 1000 -s 48 'test'
> test:04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719cd25cc82eca073f9a925c005aadf238b$1000$22cb9257949205ffbff01088b46137cf768dc67a0faca26f48269ca9250d4d9b
>
> Let's take-apart that credential to see what's in there:
>
> hash:
>

Don't you mean "salt" above, instead of "hash:"?


> 04d9deb5 f6f1f206
> c7139a28 806e7ebd
> e8f44401 8e019116
> 8f8d0029 1d6e8719
> cd25cc82 eca073f9
> a925c005 aadf238b
>
> That's 48 bytes (96 characters) of data.
>
> iteration count: 1000 (easy)
>
> fingerprint:
> 22cb9257 949205ff
> bff01088 b46137cf
> 768dc67a 0faca26f
> 48269ca9 250d4d9b
>
> That's 32 bytes (64 characters) of data. SHA-1 produces 32-byte
>

I think you mean "SHA-256" here, right?


> output, so this looks good on the face of it.
>

Yes, it looks correct.
My issue is that I would like to run this "digest" from a servlet. How
would I do that?
I need to run it from a servlet because I need to enter it into my database
(in the format {salt}${iterations}${password}).


>
> > I was not able to find an answer on online help forums. I also
> > couldn't find a way to call the initialized DataSourceRealm
> > Object's digest method when inputting the HashedPassword (ie: I had
> > to calculate salt and hash on my own using the SHA-1 algorithm).
> > Perhaps this also has something to do with why authentication is
> > failing?
>
> You probably weren't following the algorithm the same way. For
> example, the 1000 iterations is done like this:
>
> cred = password
> do 1000 times:
>   cred = hash ( salt + cred )
>
> You probably forgot to salt the credential for each of the iterations.
>

Should I even be doing it this way? This relates to my previous comment: Is
there no way to call the same digest function that we ran from the command
line, in a servlet?
Indeed there is a digest method as part of the RealmBase API, I just don't
know how to get an instance of the RealmBase Object from the servlet.


>
> Take a look at the RealmBase class to see how the stored credential
> should be generated initially.
>
>
I looked at the RealmBase class:

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.html

I couldn't find where it mentions how to initially generate the stored
credential. Could you give me a little more direction as to where I should
look?

Thanks a lot again.


> - -chris

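On the question of running the same digest from a servlet: the container's DataSourceRealm is not reachable through the Servlet API, but the same stored credential is produced by instantiating the CredentialHandler the <Realm> is configured with and calling it directly. This is an added example, not code from the thread or from Tomcat itself; it assumes Tomcat 8.0's org.apache.catalina.realm.MessageDigestCredentialHandler API (mutate and matches) with catalina.jar on the compile classpath, and the class and method names CredentialTool, storedCredential and verify are the example's own.

```java
// Added example: generate and verify a "{salt}${iterations}${hash}" credential
// from inside a web application with Tomcat 8's own CredentialHandler, so the
// servlet and the <Realm> use exactly the same algorithm, iteration count and
// salt length. Assumes catalina.jar is on the compile classpath (provided scope).
import java.security.NoSuchAlgorithmException;

import org.apache.catalina.realm.MessageDigestCredentialHandler;

public class CredentialTool {

    // These must match the <CredentialHandler> attributes in context.xml,
    // otherwise the Realm will compute a different hash at login time.
    private static final String ALGORITHM = "SHA-256";
    private static final int ITERATIONS = 1000;
    private static final int SALT_LENGTH = 48;   // bytes, i.e. 96 hex characters

    private static MessageDigestCredentialHandler handler() throws NoSuchAlgorithmException {
        MessageDigestCredentialHandler h = new MessageDigestCredentialHandler();
        h.setAlgorithm(ALGORITHM);   // rejects algorithms the JVM does not provide
        h.setIterations(ITERATIONS);
        h.setSaltLength(SALT_LENGTH);
        return h;
    }

    /** Builds the value to store in the HashedPassword column: a fresh random
     *  salt, the iteration count and the hex hash, joined with '$'. */
    public static String storedCredential(String plaintext) throws NoSuchAlgorithmException {
        return handler().mutate(plaintext);
    }

    /** Checks a plaintext password against a stored credential the same way
     *  the Realm does at login (salt and iterations are read from the string). */
    public static boolean verify(String plaintext, String stored) throws NoSuchAlgorithmException {
        return handler().matches(plaintext, stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input: same password as the digest.sh run above.
        String stored = storedCredential("test");
        System.out.println(stored);
        System.out.println("correct password matches: " + verify("test", stored));
        System.out.println("wrong password matches:   " + verify("wrong", stored));
    }
}
```

Every call to storedCredential() yields a different salt, so two stored values for the same password will not be equal; compare them only with verify().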