Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2023/11/05 15:16:18 UTC

Re: Accessing Credential handler inside the web application always returns null

Азат,

On 10/31/23 13:53, Усманов Азат Анварович wrote:
> Hi everyone! CredentialHandler became not null as soon as I
> transferred the Realm definition from server.xml to context.xml (after
> checking the source code). I've been able to see the new PBKDF2
> version of the given clear-text password even with the old 9.0.64
> version. I was wondering: is the necessity to have the realm defined
> inside context.xml for accessing CredentialHandler a design decision
> or a possible bug in Tomcat itself? It wasn't mentioned in the Tomcat
> documentation. Perhaps it should be added to the docs.
Hmm... it shouldn't matter if you define your <Realm> in server.xml or 
in app/META-INF/context.xml. Are you sure that was the only difference 
between working/not-working configurations?

Thanks,
-chris

> ________________________________
> From: Усманов Азат Анварович <us...@ieml.ru>
> Sent: 30 October 2023 20:25
> To: users@tomcat.apache.org <us...@tomcat.apache.org>
> Subject: RE: Accessing Credential handler inside the web application always returns null
> 
> I did recheck using 9.0.82; unfortunately nothing has changed, CredentialHandler is still null.
> ________________________________
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: 30 October 2023 18:52
> To: Tomcat Users List <us...@tomcat.apache.org>; Усманов Азат Анварович <us...@ieml.ru>
> Subject: Re: Accessing Credential handler inside the web application always returns null
> 
> Азат,
> 
> On 10/29/23 20:45, Усманов Азат Анварович wrote:
>> Hi everyone! I'm trying to test CredentialHandler functionality on our test server (Tomcat 9.0.64) inside the web app.
>> Our realm is defined as follows (excerpt from server.xml):
>>
>>     <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD" userNameCol="UserName" userRoleTable="educ.ad_UserRoles" userTable="educ.ad_Users">
>>       <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
>>         <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>>         <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>>       </CredentialHandler>
>>     </Realm>
>>
>> Currently the PWD column (Oracle RAW) only stores MD5 hashes; I was hoping to upgrade to PBKDF2 using Tomcat. So here is the relevant part of the basic login controller code (LoginCheckServlet):
>>
>>     // LoginCheckServlet
>>     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>>         ...
>>         String userName = request.getParameter("j_username");
>>         String password = request.getParameter("j_password");
>>         HttpSession session = request.getSession();
>>
>>         UserRecord user = ...; // load data from db
>>         if (user.checkCorrectPassword(password, session.getServletContext())) {
>>             CredentialHandler cr = Security.getCredentialHandler(getServletContext());
>>             // null guard: cr.mutate() would throw a NullPointerException when the attribute is missing
>>             if (cr != null) {
>>                 System.out.println(cr.mutate(password)); // hoping to see my password displayed as a PBKDF2 hash
>>             }
>>         ...
>>     }
>>
>>     // Security.getCredentialHandler
>>     public static CredentialHandler getCredentialHandler(final ServletContext context) {
>>         System.out.println("context" + context); // prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>>         System.out.println("context vs" + context.getMajorVersion()); // prints 4
>>         System.out.println("ATRIB" + context.getAttribute(Globals.CREDENTIAL_HANDLER)); // always prints ATRIB null
>>         return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>>     }
> 
> Your code and configuration looks reasonable to me.
> 
>> So basically it always returns null when trying to access the
>> CredentialHandler attribute inside the Security.getCredentialHandler
>> method. Any idea why that might be the case?
> Are you able to re-try with Tomcat 9.0.70 or later? There is a
> changelog[1] entry which may be important for you:
> 
> "
> Fix: Improve the behavior of the credential handler attribute that is
> set in the Servlet context so that it actually reflects what is used
> during authentication. (remm)
> "
> 
> There was a problem specifically with the NestedCredentialHandler, I
> think, which was not working as expected. 9.0.70 includes a fix that
> should improve things for you.
> 
> -chris
> 
> 
> [1]
> https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
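The configuration quoted above chains a PBKDF2 handler (SecretKeyCredentialHandler) in front of a legacy MD5 one, which is exactly the shape needed to keep old hashes verifying while new ones are written as PBKDF2. The following is an added example, not code from the thread or from Tomcat itself: it builds the same chain in plain Java and walks through the verify-then-rehash step the original poster wants in the login servlet. It assumes Tomcat 9's catalina.jar on the classpath; the sample password and the helper names (buildPbkdf2Handler, buildLegacyMd5Handler, buildNestedChain, verifyAndUpgrade) are my own.

```java
import java.security.NoSuchAlgorithmException;

import org.apache.catalina.CredentialHandler;
import org.apache.catalina.realm.MessageDigestCredentialHandler;
import org.apache.catalina.realm.NestedCredentialHandler;
import org.apache.catalina.realm.SecretKeyCredentialHandler;

/**
 * Added example (not from the thread): programmatic equivalent of the posted
 * nested <CredentialHandler> elements plus a login-time MD5 -> PBKDF2 upgrade.
 * Requires Tomcat 9 catalina.jar on the classpath.
 */
public class CredentialUpgradeDemo {

    /** PBKDF2 handler; defaults to PBKDF2WithHmacSHA1 with a random salt, output "salt$iterations$hash". */
    public static SecretKeyCredentialHandler buildPbkdf2Handler() throws NoSuchAlgorithmException {
        SecretKeyCredentialHandler pbkdf2 = new SecretKeyCredentialHandler();
        pbkdf2.setIterations(100000); // same attribute the XML element accepts; tune to your hardware
        return pbkdf2;
    }

    /** Legacy handler, kept only so existing unsalted MD5 digests in the PWD column still verify. */
    public static MessageDigestCredentialHandler buildLegacyMd5Handler() throws NoSuchAlgorithmException {
        MessageDigestCredentialHandler md5 = new MessageDigestCredentialHandler();
        md5.setAlgorithm("MD5"); // saltLength 0 / iterations 1 by default -> plain hex digest
        return md5;
    }

    /** Order matters: NestedCredentialHandler.mutate() uses the FIRST handler, matches() tries all of them. */
    public static NestedCredentialHandler buildNestedChain(CredentialHandler pbkdf2, CredentialHandler legacy) {
        NestedCredentialHandler nested = new NestedCredentialHandler();
        nested.addCredentialHandler(pbkdf2);
        nested.addCredentialHandler(legacy);
        return nested;
    }

    /**
     * Login-time check with transparent upgrade. Returns null if the password is wrong;
     * otherwise returns the credential that should be stored for this user: the existing
     * value when it is already PBKDF2, or a fresh PBKDF2 string when only the legacy MD5
     * handler matched (the caller then rewrites the PWD column with it).
     */
    public static String verifyAndUpgrade(CredentialHandler pbkdf2, CredentialHandler legacy,
                                          String input, String stored) {
        if (input == null || stored == null) {
            return null;
        }
        if (pbkdf2.matches(input, stored)) {
            return stored;            // already migrated, nothing to rewrite
        }
        if (legacy.matches(input, stored)) {
            return pbkdf2.mutate(input); // correct password, legacy hash: re-hash now
        }
        return null;                  // wrong password
    }

    public static void main(String[] args) throws Exception {
        SecretKeyCredentialHandler pbkdf2 = buildPbkdf2Handler();
        MessageDigestCredentialHandler legacy = buildLegacyMd5Handler();
        NestedCredentialHandler nested = buildNestedChain(pbkdf2, legacy);

        // Constructed sample: what the PWD column holds today for a user whose password is "s3cret".
        String legacyStored = legacy.mutate("s3cret"); // 32 hex chars, no salt, no '$'

        String upgraded = verifyAndUpgrade(pbkdf2, legacy, "s3cret", legacyStored);
        System.out.println("upgraded credential : " + upgraded);   // salt$iterations$hash
        System.out.println("wrong password      : " + verifyAndUpgrade(pbkdf2, legacy, "nope", legacyStored)); // null

        // Next login after the column was rewritten: PBKDF2 matches, stored value is returned unchanged.
        System.out.println("already migrated    : " + upgraded.equals(verifyAndUpgrade(pbkdf2, legacy, "s3cret", upgraded)));

        // The nested handler behaves like the Realm: matches either form, mutates to PBKDF2 only.
        System.out.println("nested matches MD5  : " + nested.matches("s3cret", legacyStored));
        System.out.println("nested mutate PBKDF2: " + nested.mutate("s3cret").contains("$"));
    }
}
```

The two handlers are kept as separate references on purpose: the NestedCredentialHandler alone tells you that a password matched, but not which handler matched, and it is that distinction that decides whether the stored credential has to be rewritten.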


Re: Accessing Credential handler inside the web application always returns null

Posted by Mark Thomas <ma...@apache.org>.
On 12/11/2023 23:01, Усманов Азат Анварович wrote:
> Sorry for the delayed response. Once I comment out the CredentialHandler in context.xml (both in my app's context.xml and in the global context.xml) and add the realm to server.xml, CredentialHandler returns null once again.

This is by design.

The context attribute is only populated if the Realm is defined on the 
context.

I think you'll need to use reflection to get at the information you want.

Mark

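Mark's answer has two parts: the Globals.CREDENTIAL_HANDLER attribute is only set when the Realm is declared on the Context, and anything else requires reflection. The following is an added example, not code from the thread or from Tomcat: a lookup helper that tries the documented attribute first and only then reaches the connector Request behind the servlet facade to ask the Context for its effective Realm. It assumes Tomcat 9 (javax.servlet), that org.apache.catalina.connector.RequestFacade keeps its wrapped Request in a field named "request" (an internal detail, not a public API, and the assumption this helper rests on), and that no SecurityManager blocks setAccessible(); the class and method names are my own.

```java
import java.lang.reflect.Field;

import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.Context;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;

/**
 * Added example (not from the thread). Resolves the Realm's CredentialHandler from
 * inside a web app: public context attribute first, reflective fallback second.
 * Assumes Tomcat 9 and the internal RequestFacade field name "request".
 */
public final class CredentialHandlerLookup {

    private CredentialHandlerLookup() {
    }

    /** Documented route: non-null only when the Realm is defined on the web app's own Context. */
    public static CredentialHandler fromContextAttribute(ServletContext ctx) {
        Object attr = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        return (attr instanceof CredentialHandler) ? (CredentialHandler) attr : null;
    }

    /**
     * Fallback: unwrap any filter wrappers, reach Tomcat's connector Request behind the
     * facade and ask the Context for its Realm. Container.getRealm() walks up to the
     * Host/Engine realm, so a Realm declared in server.xml is found this way.
     */
    public static CredentialHandler fromRealmViaReflection(HttpServletRequest request) {
        ServletRequest r = request;
        while (r instanceof ServletRequestWrapper) {
            r = ((ServletRequestWrapper) r).getRequest();
        }
        if (!(r instanceof RequestFacade)) {
            return null; // not Tomcat, or an unexpected container wrapper
        }
        try {
            Field f = RequestFacade.class.getDeclaredField("request"); // internal field name (assumption)
            f.setAccessible(true);
            Request catalinaRequest = (Request) f.get(r);
            Context ctx = catalinaRequest.getContext();
            Realm realm = (ctx == null) ? null : ctx.getRealm();
            return (realm == null) ? null : realm.getCredentialHandler();
        } catch (ReflectiveOperationException | SecurityException | ClassCastException e) {
            return null; // any reflective failure means "not available", never a silent default
        }
    }

    /** Preferred order: public attribute, then the internal fallback. */
    public static CredentialHandler resolve(HttpServletRequest request) {
        CredentialHandler handler = fromContextAttribute(request.getServletContext());
        return (handler != null) ? handler : fromRealmViaReflection(request);
    }

    /** Use inside the login servlet after the password has verified: re-hash with the Realm's handler. */
    public static String rehashAfterLogin(HttpServletRequest request, String verifiedPassword) {
        CredentialHandler handler = resolve(request);
        if (handler == null) {
            throw new IllegalStateException("No CredentialHandler reachable; check where the Realm is defined");
        }
        return handler.mutate(verifiedPassword); // PBKDF2 string with the posted NestedCredentialHandler
    }
}
```

Because the fallback depends on a private field of a Tomcat class, pin the Tomcat version you test against and treat a null from resolve() as a deployment error to surface in logs, not as a reason to skip the re-hash; moving the <Realm> into META-INF/context.xml, as the poster found, removes the need for the fallback altogether.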


RE: Accessing Credential handler inside the web application always returns null

Posted by Усманов Азат Анварович <us...@ieml.ru>.
Sorry for the delayed response. Once I comment out the CredentialHandler in context.xml (both in my app's context.xml and in the global context.xml) and add the realm to server.xml, CredentialHandler returns null once again.