Posted to users@tomcat.apache.org by Glenn McCall <gl...@gtajb.com> on 2007/08/27 13:07:04 UTC

digest ignored in Data source realm

I have a problem where the digest element is seemingly being ignored when I move my web app from development to production. The application uses form based security and works just fine in development.

Here are the details.

Dev - Tomcat 5.5.17 in NetBeans 5.5.1
Prod - Tomcat 5.5.15 - this is the only difference I can see at this point. But there doesn't seem to be anything in the changelogs indicating a problem relating to digested passwords being fixed.

Here is my context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/TDAssetRegister">

    <Realm className="org.apache.catalina.realm.DataSourceRealm"
        dataSourceName="jdbc/TeraJDBC"
        digest="SHA"
        localDataSource="true"
        roleNameCol="Role_ID"
        userCredCol="User_Pwd"
        userNameCol="User_ID"
        userRoleTable="user_roles"
        userTable="valid_users"/>


    <Resource name="jdbc/TeraJDBC" auth="Container" type="javax.sql.DataSource"
        maxActive="100" maxIdle="30" maxWait="10000"
        username="assetRegister" password="pass" driverClassName="com.ncr.teradata.TeraDriver"
        url="jdbc:teradata://dbc/database=AssetRegisterDB"/>

</Context>

As mentioned, this works in dev. I've tried messing with the case of the digest element and value (e.g. sha, Sha, SHA, etc.) and also tried MD5. I've also tried placing the digest in different parts of the Realm.

So how do I know it is being ignored as opposed to simply not working? I tried pasting a SHA digested password into the password field and successfully logged in. Then I tried changing the content of my valid_users table so that the password was simply set to "pass", then entered "pass" as my password - lo and behold, successful login.

The production system 5.5.15 is a default implementation. The one exception is a change to process *.jspf files as JSPs.

I plan to update the prodn server to 5.5.17 to see if this will solve the problem. Unfortunately, I can not do this for a few days as the system is being used for some demos.

I was hoping someone would say, yes I had that problem and upgrading fixed it, or what you need to do is ...!

TIA
glennm
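As an added example (not code from this thread or from Tomcat itself), the following Python script reproduces what a Tomcat 5.5 DataSourceRealm with digest="SHA" actually compares against the User_Pwd column, and classifies the two login experiments described above: a digested credential accepted with the right password means the digest is applied; a plaintext "pass" accepted as "pass" means it is being ignored. It assumes Tomcat's lowercase-hex digest encoding (the same value bin/digest.sh prints) and uses constructed sample credentials.

```python
import hashlib
import hmac
from typing import Optional

# Tomcat's digest="..." value is a JCA MessageDigest name; "SHA" is Java's alias
# for SHA-1.  Mapped here to hashlib names (assumption: only these are needed).
_ALGOS = {"SHA": "sha1", "SHA-1": "sha1", "MD5": "md5", "SHA-256": "sha256"}


def tomcat_digest(password: str, algorithm: str = "SHA", encoding: str = "UTF-8") -> str:
    """Lowercase hex digest of the password bytes, as Tomcat 5.5's RealmBase
    stores it and as bin/digest.sh -a <algorithm> <password> prints it."""
    name = _ALGOS.get(algorithm.upper())
    if name is None:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    return hashlib.new(name, password.encode(encoding)).hexdigest()


def looks_digested(stored_cred: str, algorithm: str = "SHA") -> bool:
    """Audit check for the valid_users table: a credential that is not hex of the
    digest's length is plaintext (or digested with a different algorithm)."""
    expected_len = hashlib.new(_ALGOS[algorithm.upper()]).digest_size * 2
    return len(stored_cred) == expected_len and all(c in "0123456789abcdef" for c in stored_cred)


def realm_accepts(stored_cred: str, submitted: str, algorithm: Optional[str]) -> bool:
    """Model the realm's decision: with a digest configured, compare the digest of
    the submitted password to the stored column; with none, compare plaintext."""
    candidate = tomcat_digest(submitted, algorithm) if algorithm else submitted
    return hmac.compare_digest(candidate.encode(), stored_cred.encode())


def diagnose(stored_cred: str, submitted: str, login_succeeded: bool, algorithm: str = "SHA") -> str:
    """Classify one observed login attempt against what a digesting and a
    non-digesting realm would each have done with the same stored credential."""
    digest_ok = realm_accepts(stored_cred, submitted, algorithm)
    plain_ok = realm_accepts(stored_cred, submitted, None)
    if login_succeeded:
        if digest_ok and not plain_ok:
            return "digest applied"
        if plain_ok and not digest_ok:
            return "digest ignored"
        if not digest_ok and not plain_ok:
            return "accepted without matching credential"
        return "inconclusive"
    if digest_ok:
        return "rejected despite correct digest"
    if plain_ok:
        return "consistent with digest applied"
    return "inconclusive"
```

Run diagnose(tomcat_digest("pass"), "pass", True) and diagnose("pass", "pass", True) to reproduce the two experiments; looks_digested() run over every User_Pwd value will find rows that were never digested.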

Re: digest ignored in Data source realm -> Success

Posted by Glenn McCall <gl...@gtajb.com>.
Success!

Thanks for your reply and suggestions Chris. I don't believe that any of 
your suggestions were applicable, but still greatly appreciated. I must 
admit I totally missed the "conf/[hostname]/yourappname.xml" check in my 
initial analysis. (Un)Fortunately that wasn't it.

I was able to upgrade the server to 5.5.17, reinstalled my war, and all of a 
sudden my digested password users could sign on. So that seems to be the 
solution. I still can't see anything in the list of changes between 5.5.15 
and 5.5.17 that seems pertinent.

Is anyone else using the DataSourceRealm with form based authentication and 
digested passwords? Any similar experiences? My concern is that if I don't 
know why it didn't work in the first place, it might stop working again in 
the future! And as is typical with this scenario, no one will admit to 
making any changes making it even harder to diagnose!

Thanks

Glenn Mc



----- Original Message ----- 
From: "Christopher Schultz" <ch...@christopherschultz.net>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Tuesday, August 28, 2007 2:16 AM
Subject: Re: digest ignored in Data source realm


>
> Glenn,
>
> Glenn McCall wrote:
>> I have a problem where the digest element is seemingly being ignored
>> when I move my web app from development to production. The
>> application uses form based security and works just fine in
>> development.
>
> That's very strange. Are you using the same JVM in both environments?
> Are you sure that your context.xml is the same for both environments
> (or, at least, they are similar enough that the digest isn't being
> broken by a different context.xml).
>
> (FWIW, I recommend a different context.xml file for each environment;
> you can set things like the number of connections to maintain in the
> pool, etc. For us, dev /always/ contains exactly one connection - to
> detect resource leaks - and production always has many configured).
>
>> So how do I know it is being ignored as opposed to simply not
>> working? I tried pasting a SHA digested password into the password
>> field and successfully logged in. Then I tried changing the content of
>> my valid_users table so that the password was simply set to "pass",
>> then entered "pass" as my password - lo and behold, successful login.
>
> That's very strange... I would have expected Tomcat to bomb if it
> couldn't digest the password, rather than simply ignore the hashing
> altogether.
>
> Check to see if you have a conf/[hostname]/yourappname.xml file that
> might be overriding the one in your WAR file or webapp directory.
>
>> I plan to update the prodn server to 5.5.17 to see if this will solve
>> the problem. Unfortunately, I can not do this for a few days as the
>> system is being used for some demos.
>
> I would recommend going all the way up to 5.5.23 or 5.5.25 (ready
> "soon") if you can do it. Lots of stuff has been fixed between then and
> now. I realize it's a big jump which requires testing.
>
> Good luck,
> -chris


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: digest ignored in Data source realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Glenn,

Glenn McCall wrote:
> I have a problem where the digest element is seemingly being ignored
> when I move my web app from development to production. The
> application uses form based security and works just fine in
> development.

That's very strange. Are you using the same JVM in both environments?
Are you sure that your context.xml is the same for both environments
(or, at least, they are similar enough that the digest isn't being
broken by a different context.xml).

(FWIW, I recommend a different context.xml file for each environment;
you can set things like the number of connections to maintain in the
pool, etc. For us, dev /always/ contains exactly one connection - to
detect resource leaks - and production always has many configured).

> So how do I know it is being ignored as opposed to simply not
> working? I tried pasting a SHA digested password into the password
> field and successfully logged in. Then I tried changing the content of
> my valid_users table so that the password was simply set to "pass",
> then entered "pass" as my password - lo and behold, successful login.

That's very strange... I would have expected Tomcat to bomb if it
couldn't digest the password, rather than simply ignore the hashing
altogether.

Check to see if you have a conf/[hostname]/yourappname.xml file that
might be overriding the one in your WAR file or webapp directory.

> I plan to update the prodn server to 5.5.17 to see if this will solve
> the problem. Unfortunately, I can not do this for a few days as the
> system is being used for some demos.

I would recommend going all the way up to 5.5.23 or 5.5.25 (ready
"soon") if you can do it. Lots of stuff has been fixed between then and
now. I realize it's a big jump which requires testing.

Good luck,
-chris
