tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Tomcat JDBCRealm using DIGEST authentication not producing the expected HASH using a SALT
Date Thu, 02 Jul 2020 18:43:24 GMT
On 02/07/2020 17:38, Hugh Roberts wrote:
> Tomcat 9.0.36
> JDK 1.8.0_251
> We are trying to use Tomcat JDBCRealm to access user credentials stored in
> Oracle DB. The user password is hashed with a SALT and stored in a table.
> *ISSUE:* We can authenticate using the BASIC auth-method while passing the
> hashed string of the password but the DIGEST auth-method fails to create
> the matching hash of the user password after configuring the realm-name
> with the SALT and using the CredentialHandler
> MessageDigestCredentialHandler.
> The user HASH password is created using Oracle DBMS_CRYPTO by taking the
> SALT combined with the password to create a raw string that is then HASHED
> Using Tomcat DIGEST command, we can successfully create the user's matching
> HASH on the command line as follows: *digest.bat -a SHA-1 -s 0
>  SALTpassword*
> *SALTpassword:86a0e40af8c1a0e970f9432bee75bcc886145440* (the other formats
> for using the SALT does not produce a matching HASH -
> UserName:Realm:Password) BUT we cannot authenticate when using the Tomcat
> authentication form in the browser. The password hash is not matching. We
> cannot tell how the form is using the SALT to hash the password to see
> where the issue is.
> Can you tell us exactly how Tomcat authentication form uses the SALT
> configured in the web.xml file to create the password hash. If it hashes
> the SALT and password as one string or uses another method?

That will never work with HTTP DIGEST authentication. As per the Realm

CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} {cleartext-password}
If using digested passwords with DIGEST authentication, the cleartext
used to generate the digest is different and the digest must use one
iteration of the MD5 algorithm with no salt. In the examples above
{cleartext-password} must be replaced with

More details at

Note: Using DIGEST authentication is a separate decision to storing
password hashes in the authentication database although if you do choose
to do both then DIGEST auth places strict requirements on how you store
the hashed passwords.

If you want hashed passwords in the database then you'll need to:
- User BASIC auth
- Configure the CredentialHandler to match database (assuming this is
- Require TLS for authentication


> server.xml
> ...
> <Realm className="org.apache.catalina.realm.JDBCRealm"
> driverName="oracle.jdbc.driver.OracleDriver"
> connectionURL="jdbc:oracle:thin:@x.x.x.x:1521/test"
> connectionName="dev"
> connectionPassword="dev1"
> userTable="USERS" userNameCol="USERNAME" userCredCol="PASSWORD"
> userRoleTable="USER_ROLES" roleNameCol="ROLES" >
> <CredentialHandler
> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
> algorithm="SHA-1" saltLength="0" iterations="1" />
> </Realm>
> web.xml
>  ...
> <login-config
>     <auth-method>DIGEST</auth-method>
>     <realm-name>SALT</realm-name>
> </login-config
> ...
> Thanks.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message