You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by jo...@wellsfargo.com.INVALID on 2021/08/24 16:28:59 UTC
UserDatabaseRealm and DIGEST
Ok, so I've been reading thru the documentation on DIGEST but not entirely sure I have it right. What is the best practice for DIGEST and what algorithms are allowed, such as is sha-256 allowed?
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com<ma...@wellsfargo.com>
Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
RE: UserDatabaseRealm and DIGEST
Posted by jo...@wellsfargo.com.INVALID.
Thank you Chris!
Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Thursday, August 26, 2021 1:49 PM
> To: users@tomcat.apache.org
> Subject: Re: UserDatabaseRealm and DIGEST
>
> Jon,
>
> On 8/24/21 19:51, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Tuesday, August 24, 2021 5:52 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: UserDatabaseRealm and DIGEST
> >>
> >> Jon,
> >>
> >> On 8/24/21 12:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>> -----Original Message-----
> >>>> From: Mark Thomas <ma...@apache.org>
> >>>> Sent: Tuesday, August 24, 2021 11:41 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: UserDatabaseRealm and DIGEST
> >>>>
> >>>> On 24/08/2021 17:28, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>>>> Ok, so I've been reading thru the documentation on DIGEST but not
> >>>> entirely sure I have it right. What is the best practice for DIGEST
> >>>> and what algorithms are allowed, such as is sha-256 allowed?
> >>>>
> >>>> First, a question of clarification.
> >>>>
> >>>> Do you mean HTTP DIGEST authentication or do you mean storing
> >>>> password hashes rather than the actual passwords in the
> >> UserDatabaseRealm?
> >>>>
> >>>> Mark >
> >>> I mean the Password Hashes rather than the actual password for the
> >> UserDatabaseRealm.
> >>
> >> You can use any algorithm that Java's MessageDigest supports.
> >>
> >> I would recommend against using "Digest" credential storage and
> >> instead use something more secure such as PBKDF2, which Tomcat also
> supports.
> >>
> >> You might find this informative:
> >>
> https://urldefense.com/v3/__https://tomcat.apache.org/presentations.h
> >> tm
> >> l*latest-credential-
> >>
> security__;Iw!!F9svGWnIaVPGSwU!7c3eGMZdJEU_EmV4XmOqEiivhaDIfji3A
> >> sGbXN4DAVlFM-pSfYgsX93DDHm6520mF1wBLNc$
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> > In this case I am wanting to know the proper way to use DIGEST as we have
> some folks with vendor applications that Use Tomcat that insist on using the
> UserDatabaseRealm. I agree that using LDAP or something other is the better
> way to go. We typically do NOT allow the use of the UserDatabaseRealm
> unless the passwords are hashed with DIGEST. I just want to make sure that
> when we check for compliance, we are approving the various means.
>
> You can use any of those credential handlers with the UserDatabaseRealm.
> For example PBKDF2 is perfectly usable. You just need to get user
> passwords, run them through PBKDF2, and copy/paste them into tomcat-
> users.xml (or wherever you have them).
>
> There is a "digest.sh" script that comes with your Tomcat distribution.
> Run it and you'll see the options. You can ask that to generate a stored-
> credential for any plaintext password you want to use, and it should work
> with a similarly-configured UserDatabaseRealm (and child
> CredentialHandler).
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
Re: UserDatabaseRealm and DIGEST
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 8/24/21 19:51, jonmcalexander@wellsfargo.com.INVALID wrote:
> Chris,
>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Tuesday, August 24, 2021 5:52 PM
>> To: users@tomcat.apache.org
>> Subject: Re: UserDatabaseRealm and DIGEST
>>
>> Jon,
>>
>> On 8/24/21 12:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>> -----Original Message-----
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Sent: Tuesday, August 24, 2021 11:41 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: UserDatabaseRealm and DIGEST
>>>>
>>>> On 24/08/2021 17:28, jonmcalexander@wellsfargo.com.INVALID wrote:
>>>>> Ok, so I've been reading thru the documentation on DIGEST but not
>>>> entirely sure I have it right. What is the best practice for DIGEST
>>>> and what algorithms are allowed, such as is sha-256 allowed?
>>>>
>>>> First, a question of clarification.
>>>>
>>>> Do you mean HTTP DIGEST authentication or do you mean storing
>>>> password hashes rather than the actual passwords in the
>> UserDatabaseRealm?
>>>>
>>>> Mark >
>>> I mean the Password Hashes rather than the actual password for the
>> UserDatabaseRealm.
>>
>> You can use any algorithm that Java's MessageDigest supports.
>>
>> I would recommend against using "Digest" credential storage and instead use
>> something more secure such as PBKDF2, which Tomcat also supports.
>>
>> You might find this informative:
>> https://urldefense.com/v3/__https://tomcat.apache.org/presentations.htm
>> l*latest-credential-
>> security__;Iw!!F9svGWnIaVPGSwU!7c3eGMZdJEU_EmV4XmOqEiivhaDIfji3A
>> sGbXN4DAVlFM-pSfYgsX93DDHm6520mF1wBLNc$
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
> In this case I am wanting to know the proper way to use DIGEST as we have some folks with vendor applications that Use Tomcat that insist on using the UserDatabaseRealm. I agree that using LDAP or something other is the better way to go. We typically do NOT allow the use of the UserDatabaseRealm unless the passwords are hashed with DIGEST. I just want to make sure that when we check for compliance, we are approving the various means.
You can use any of those credential handlers with the UserDatabaseRealm.
For example PBKDF2 is perfectly usable. You just need to get user
passwords, run them through PBKDF2, and copy/paste them into
tomcat-users.xml (or wherever you have them).
There is a "digest.sh" script that comes with your Tomcat distribution.
Run it and you'll see the options. You can ask that to generate a
stored-credential for any plaintext password you want to use, and it
should work with a similarly-configured UserDatabaseRealm (and child
CredentialHandler).
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: UserDatabaseRealm and DIGEST
Posted by jo...@wellsfargo.com.INVALID.
Chris,
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, August 24, 2021 5:52 PM
> To: users@tomcat.apache.org
> Subject: Re: UserDatabaseRealm and DIGEST
>
> Jon,
>
> On 8/24/21 12:53, jonmcalexander@wellsfargo.com.INVALID wrote:
> >> -----Original Message-----
> >> From: Mark Thomas <ma...@apache.org>
> >> Sent: Tuesday, August 24, 2021 11:41 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: UserDatabaseRealm and DIGEST
> >>
> >> On 24/08/2021 17:28, jonmcalexander@wellsfargo.com.INVALID wrote:
> >>> Ok, so I've been reading thru the documentation on DIGEST but not
> >> entirely sure I have it right. What is the best practice for DIGEST
> >> and what algorithms are allowed, such as is sha-256 allowed?
> >>
> >> First, a question of clarification.
> >>
> >> Do you mean HTTP DIGEST authentication or do you mean storing
> >> password hashes rather than the actual passwords in the
> UserDatabaseRealm?
> >>
> >> Mark >
> > I mean the Password Hashes rather than the actual password for the
> UserDatabaseRealm.
>
> You can use any algorithm that Java's MessageDigest supports.
>
> I would recommend against using "Digest" credential storage and instead use
> something more secure such as PBKDF2, which Tomcat also supports.
>
> You might find this informative:
> https://urldefense.com/v3/__https://tomcat.apache.org/presentations.htm
> l*latest-credential-
> security__;Iw!!F9svGWnIaVPGSwU!7c3eGMZdJEU_EmV4XmOqEiivhaDIfji3A
> sGbXN4DAVlFM-pSfYgsX93DDHm6520mF1wBLNc$
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
In this case I am wanting to know the proper way to use DIGEST as we have some folks with vendor applications that Use Tomcat that insist on using the UserDatabaseRealm. I agree that using LDAP or something other is the better way to go. We typically do NOT allow the use of the UserDatabaseRealm unless the passwords are hashed with DIGEST. I just want to make sure that when we check for compliance, we are approving the various means.
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Re: UserDatabaseRealm and DIGEST
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,
On 8/24/21 12:53, jonmcalexander@wellsfargo.com.INVALID wrote:
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Tuesday, August 24, 2021 11:41 AM
>> To: users@tomcat.apache.org
>> Subject: Re: UserDatabaseRealm and DIGEST
>>
>> On 24/08/2021 17:28, jonmcalexander@wellsfargo.com.INVALID wrote:
>>> Ok, so I've been reading thru the documentation on DIGEST but not
>> entirely sure I have it right. What is the best practice for DIGEST and what
>> algorithms are allowed, such as is sha-256 allowed?
>>
>> First, a question of clarification.
>>
>> Do you mean HTTP DIGEST authentication or do you mean storing password
>> hashes rather than the actual passwords in the UserDatabaseRealm?
>>
>> Mark >
> I mean the Password Hashes rather than the actual password for the UserDatabaseRealm.
You can use any algorithm that Java's MessageDigest supports.
I would recommend against using "Digest" credential storage and instead
use something more secure such as PBKDF2, which Tomcat also supports.
You might find this informative:
https://tomcat.apache.org/presentations.html#latest-credential-security
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: UserDatabaseRealm and DIGEST
Posted by jo...@wellsfargo.com.INVALID.
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Tuesday, August 24, 2021 11:41 AM
> To: users@tomcat.apache.org
> Subject: Re: UserDatabaseRealm and DIGEST
>
> On 24/08/2021 17:28, jonmcalexander@wellsfargo.com.INVALID wrote:
> > Ok, so I've been reading thru the documentation on DIGEST but not
> entirely sure I have it right. What is the best practice for DIGEST and what
> algorithms are allowed, such as is sha-256 allowed?
>
> First, a question of clarification.
>
> Do you mean HTTP DIGEST authentication or do you mean storing password
> hashes rather than the actual passwords in the UserDatabaseRealm?
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
I mean the Password Hashes rather than the actual password for the UserDatabaseRealm.
Thank you,
Jon McAlexander
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: UserDatabaseRealm and DIGEST
Posted by Mark Thomas <ma...@apache.org>.
On 24/08/2021 17:28, jonmcalexander@wellsfargo.com.INVALID wrote:
> Ok, so I've been reading thru the documentation on DIGEST but not entirely sure I have it right. What is the best practice for DIGEST and what algorithms are allowed, such as is sha-256 allowed?
First, a question of clarification.
Do you mean HTTP DIGEST authentication or do you mean storing password
hashes rather than the actual passwords in the UserDatabaseRealm?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org