tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Form-based authentication breaks after upgrade to Tom 7.0.59
Date Thu, 12 Mar 2015 19:53:17 GMT

Rop,

On 3/12/15 3:33 PM, rop wrote:
> Finally, found the issue.

Please bottom-post if you can. Also, please sign your posts.

> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <markt@apache.org>
> wrote:
> 
>> On 12/03/2015 15:51, rop wrote:
>>> Ah, I got it now. Thanks, David.
>>> 
>>> Yes, the a-b-c-d points are OK then.
>>> 
>>> As a trouble-shoot action, I actually did an install-and-test
>>> "binary search" among the intermediate tomcat-versions to
>>> pinpoint exactly which version breaks our app.
>>> 
>>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49
>>> do not exist in the tomcat archive) And from 7.0.50 it breaks.
>>> 
>>> So apparently, between 47 and 50 some change occurred that
>>> breaks our login....
>> 
>> Nothing jumps out at me in the change log. I'd add that FORM auth
>> is tested as part of every release so it isn't a general
>> problem.
>> 
>> In your shoes, I'd be firing up Eclipse and remote debugging my
>> way through the authentication process. Alternatively, try
>> creating the smallest/simplest possible WAR that exhibits the
>> problem.
> 
> The crucial change was in the method
> RealmBase.compareCredentials(), which is new in 7.0.50 (the
> comparison was much simpler before that).

It is much more extensible, now.

> Dunno if we do something unusual here, but we just extend
> DataSourceRealm, like MyDataSourceRealm, and implement the
> message-digest for password-hashing in there, by simply overriding
> the digest() method.

Do you need to extend the whole realm, or did you just want to
override Tomcat's default password-hashing algorithm?

If you just want to tweak the hashing algorithm, you can write a
simpler class and not subclass DataSourceRealm. What does your Realm
do besides change the password-comparison algorithm?

> Before 7.0.50, this worked fine *without* explicitly setting the 
> DataSourceRealm.setDigest() property. It's always been null, and
> still worked.

This was because it defaulted to "MD5" and Tomcat always used
simplistic credential-hashing. It's much more sophisticated, now, and
also supports things like Bcrypt, Scrypt, PBKDF2, etc.

> But the new method RealmBase.compareCredentials() assumes: if you
> use messageDigest, this property MUST be set. (
> compareCredentials() calls hasMessageDigest() which did not happen
> in earlier versions. )
> 
> So the solution was to simply add the property digest in <Realm
> digest="..." ...> which we didn't have there before. Then it works.

Great. But I think you can do better. If your Realm merely changes the
way hashing is done, please check out the new features. You may be
able to a) eliminate your class altogether due to new features or b)
replace your Realm with a CredentialHandler that only does the
mutation and comparison of credentials.

We did this so you can use the same credential-mutations on *any*
realm, without having to subclass every Realm to do it.

Hope that helps,
-chris
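Editor's note. The message above recommends replacing a subclassed DataSourceRealm with a CredentialHandler. The following is an added example, not code from this thread or from the Tomcat project, of what such a handler looks like against the org.apache.catalina.CredentialHandler interface that Tomcat 7.0.50+ ships (two methods: mutate() turns a plaintext credential into its stored form, matches() compares a plaintext credential against a stored value). The package name com.example.auth, the class name, and the stored format "base64(salt)$base64(SHA-256(salt || password))" are assumptions made for the example; the original poster's digest() override is not shown on the page, so this is not a drop-in replacement for it.

```java
package com.example.auth; // hypothetical package, chosen for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import org.apache.catalina.CredentialHandler;

/**
 * Example CredentialHandler (not Tomcat's own code). Stored form is
 * "<base64 salt>$<base64 SHA-256(salt || password)>" (an assumed format).
 * Put the compiled class on Tomcat's classpath (e.g. $CATALINA_BASE/lib)
 * and nest <CredentialHandler className="com.example.auth.SaltedSha256CredentialHandler"/>
 * inside the <Realm> element in server.xml; no Realm subclass is needed.
 */
public class SaltedSha256CredentialHandler implements CredentialHandler {

    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private final SecureRandom random = new SecureRandom();

    /** Called when a new stored credential is generated (e.g. by the digest tool). */
    @Override
    public String mutate(String inputCredentials) {
        if (inputCredentials == null) {
            return null;
        }
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);                       // fresh random salt per credential
        byte[] hash = hash(salt, inputCredentials);
        return Base64.getEncoder().encodeToString(salt) + "$"
             + Base64.getEncoder().encodeToString(hash);
    }

    /** Called on every login; must never throw on malformed stored data. */
    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (inputCredentials == null || storedCredentials == null) {
            return false;
        }
        int sep = storedCredentials.indexOf('$');
        if (sep < 0) {
            return false;                             // not in our salt$hash format
        }
        byte[] salt;
        byte[] expected;
        try {
            salt = Base64.getDecoder().decode(storedCredentials.substring(0, sep));
            expected = Base64.getDecoder().decode(storedCredentials.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return false;                             // corrupt base64 in the database
        }
        byte[] actual = hash(salt, inputCredentials);
        // Constant-time comparison; a plain Arrays.equals() leaks the position
        // of the first mismatching byte through timing.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }
}
```

Two practical notes. First, a custom handler is only worth writing to stay compatible with an existing stored format; for new deployments the built-in org.apache.catalina.realm.MessageDigestCredentialHandler (salted, iterated digests, configured with an algorithm attribute) and org.apache.catalina.realm.SecretKeyCredentialHandler (PBKDF2WithHmacSHA1 by default) cover the same ground without extra code. Second, in 7.0.50+ the legacy digest="..." attribute on <Realm> that solved the original poster's problem is itself translated into a MessageDigestCredentialHandler, which is why it started being required: with no digest attribute and no nested <CredentialHandler>, compareCredentials() has no handler and falls back to a plaintext comparison, so a stored hash never matches the typed password.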
