tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Form-based authentication breaks after upgrade to Tom 7.0.59
Date Thu, 12 Mar 2015 19:53:17 GMT

On 3/12/15 3:33 PM, rop wrote:
> Finally, found the issue.

Please bottom-post if you can. Also, please sign your posts.

> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <>
> wrote:
>> On 12/03/2015 15:51, rop wrote:
>>> Ah, I got it now. Thanks, David.
>>> Yes, the a-b-c-d points are OK then.
>>> As a trouble-shoot action, I actually did an install-and-test
>>> "binary search" among the intermediate tomcat-versions to
>>> pinpoint exactly which version breaks our app.
>>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49
>>> do not exist in the tomcat archive) And from 7.0.50 it breaks.
>>> So apparently, between 47 and 50 some change occurred that
>>> breaks our login....
>> Nothing jumps out at me in the change log. I'd add that FORM auth
>> is tested as part of every release so it isn't a general
>> problem.
>> In your shoes, I'd be firing up Eclipse and remote debugging my
>> way through the authentication process. Alternatively, try
>> creating the smallest/simplest possible WAR that exhibits the
>> problem.
> The crucial change was in the method
> RealmBase.compareCredentials(), which is new in 7.0.50 (the
> comparison was much simpler before that).

It is much more extensible, now.

> Dunno if we do something unusual here, but we just extend
> DataSourceRealm, like MyDataSourceRealm, and implement the
> message-digest for password-hashing in there, by simply overriding
> the digest() method.

Do you need to extend the whole realm, or did you just want to
override Tomcat's default password-hashing algorithm?

If you just want to tweak the hashing algorithm, you can write a
simpler class and not subclass DataSourceRealm. What does your Realm
do besides change the password-comparison algorithm?

> Before 7.0.50, this worked fine *without* explicitly setting the 
> DataSourceRealm.setDigest() property. It's always been null, and
> still worked.

This was because it defaulted to "MD5" and Tomcat always used
simplistic credential-hashing. It's much more sophisticated, now, and
also supports things like Bcrypt, Scrypt, PBKDF2, etc.

> But the new method RealmBase.compareCredentials() assumes: if you
> use messageDigest, this property MUST be set. (
> compareCredentials() calls hasMessageDigest() which did not happen
> in earlier versions. )
> So the solution was to simply add the property digest in <Realm
> digest="..." ...> which we didn't have there before. Then it works.

Great. But I think you can do better. If your Realm merely changes the
way hashing is done, please check-out the new features. You may be
able to a) eliminate your class altogether due to new features or b)
replace your Realm with a CredentialHandler that only does the
mutation and comparison of credentials.

We did this so you can use the same credential-mutations on *any*
realm, without having to subclass every Realm to do it.

Hope that helps,
-chris
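To make option (b) above concrete, here is an added example (not code from the thread, from rop, or from the Tomcat project) of what a DataSourceRealm subclass that only overrides digest() would become as a stand-alone org.apache.catalina.CredentialHandler. It implements the two methods of that interface, mutate() and matches(), with an unsalted hex digest (the behaviour a digest() override typically reproduced) and a constant-time comparison. The class name, the "algorithm" attribute and the server.xml fragment in the comment are assumptions for illustration; the JNDI name, table and column names are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

import org.apache.catalina.CredentialHandler;

/**
 * Added example, not code from the thread or from Tomcat.
 *
 * Reproduces what a DataSourceRealm subclass that overrides digest()
 * typically did (unsalted hex digest of the password, compared against the
 * stored column) as a stand-alone CredentialHandler, so it can be nested
 * under any Realm instead of subclassing each one.
 *
 * Assumed configuration (hypothetical class and JNDI/table names):
 *
 *   <Realm className="org.apache.catalina.realm.DataSourceRealm"
 *          dataSourceName="jdbc/myDb" userTable="users"
 *          userNameCol="username" userCredCol="password"
 *          userRoleTable="user_roles" roleNameCol="role">
 *     <CredentialHandler className="com.example.HexDigestCredentialHandler"
 *                        algorithm="SHA-256"/>
 *   </Realm>
 *
 * Tomcat passes the "algorithm" attribute to setAlgorithm() when it builds
 * the nested element.
 */
public class HexDigestCredentialHandler implements CredentialHandler {

    private String algorithm = "SHA-256";

    public String getAlgorithm() {
        return algorithm;
    }

    public void setAlgorithm(String algorithm) {
        this.algorithm = algorithm;
    }

    /** Turn a clear-text password into the form stored in the database. */
    @Override
    public String mutate(String inputCredentials) {
        if (inputCredentials == null) {
            return null;
        }
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(inputCredentials.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unsupported digest algorithm: " + algorithm, e);
        }
    }

    /** Compare a submitted password with the digest stored for the user. */
    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (inputCredentials == null || storedCredentials == null) {
            return false;
        }
        // Tolerate upper-case hex in the database, and compare in constant
        // time so a mismatch does not leak how many leading bytes matched.
        byte[] expected = mutate(inputCredentials).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedCredentials.trim().toLowerCase(Locale.ROOT)
                .getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, stored);
    }

    /** Stand-alone check of both methods against a constructed password. */
    public static void main(String[] args) {
        HexDigestCredentialHandler handler = new HexDigestCredentialHandler();
        String stored = handler.mutate("correct horse battery staple"); // constructed sample
        System.out.println("stored   = " + stored);
        System.out.println("match    = " + handler.matches("correct horse battery staple", stored));
        System.out.println("mismatch = " + handler.matches("wrong password", stored));
    }
}
```

If the custom realm really did nothing beyond an unsalted digest, option (a) applies and no class is needed at all: Tomcat's built-in org.apache.catalina.realm.MessageDigestCredentialHandler with algorithm="SHA-256" (or the Realm's digest attribute, which configures that handler) gives the same result. Either way, an unsalted single-round hash is the weak setting here; once the comparison lives in a CredentialHandler, moving the stored column to a salted, iterated scheme (for example Tomcat's PBKDF2-based SecretKeyCredentialHandler) is a configuration change rather than a Realm rewrite.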

