Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/12/06 12:27:42 UTC
[Bug 60446] New: SecretKeyCredentialHandler ignores key length when matching
https://bz.apache.org/bugzilla/show_bug.cgi?id=60446
Bug ID: 60446
Summary: SecretKeyCredentialHandler ignores key length when matching
Product: Tomcat 9
Version: 9.0.0.M13
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: jadedcyborg@gmail.com
Target Milestone: -----
Created attachment 34502
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34502&action=edit
Patch
SecretKeyCredentialHandler does not take into account the key length of the
stored credentials when matching against provided credentials, which results in
a failed authentication unless the key length is statically defined in XML to
be the same as the stored credentials. A patch that is tested with the 9.0, 8.5
and 8.0 trunks is provided with this bug report. The patch includes updated
unit tests.
*** Steps to Reproduce ***
1) In conf/server.xml put
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512" />
inside the UserDatabaseRealm element.
2) Generate a password digest with
    bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 10000 -s 8 -k 128 -h
    "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"
and put it inside the password attribute in conf/tomcat-users.xml for an
appropriate user.
3) Launch tomcat (bin/startup.sh) and go to http://localhost:8080/manager/html
4) Provide the username of the user and the password YOUR_PASSWORD
*** Actual Results ***
- The user is unable to authenticate and gets a 401 error
*** Expected Results ***
- The user authenticates and gains access to the management app
*** Additional Builds and Platforms ***
The bug affects all builds since the introduction of SecretKeyCredentialHandler
*** Additional Information ***
Putting
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        keyLength="128" />
inside conf/server.xml instead would enable the user to authenticate again, but
then all users must use the same key length.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60446] SecretKeyCredentialHandler ignores key length when matching
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60446
Mark Thomas <ma...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report and the patch.
A modified version of the patch was applied. The key changes were:
- return a value indicating failure rather than throw an exception
- correct the use of Tomcat's i18n support rather than remove it
- formatting tweaks to better align with existing formatting conventions
Fixed in:
- trunk for 9.0.0.M16 onwards
- 8.5.x for 8.5.10 onwards
- 8.0.x for 8.0.40 onwards
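The matching defect from the report and the behaviour of the applied fix (key length read from the stored credential, a failure value instead of an exception for malformed input), re-implemented in Python as an added illustration; this is not Tomcat's Java code. It assumes the hex(salt)$iterations$hex(key) stored form that digest.sh produces and a 160-bit default keyLength when server.xml sets none.

```python
import hashlib
import hmac
import os

PRF = "sha512"  # PBKDF2WithHmacSHA512 is PBKDF2 over HMAC-SHA512
# keyLength used when server.xml sets none; 160 bits follows the realm docs and
# is an assumption here, not a value from the report.
DEFAULT_KEY_LENGTH_BITS = 160

def derive(password, salt, iterations, key_bytes):
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, key_bytes)

def digest(password, iterations, salt_length, key_length_bits, salt=None):
    """Mimic digest.sh -i/-s/-k: stored form is hex(salt)$iterations$hex(key)."""
    salt = os.urandom(salt_length) if salt is None else salt
    key = derive(password, salt, iterations, key_length_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"

def parse_stored(stored):
    """Return (salt, iterations, key) or None when malformed, so callers report
    failure instead of throwing (the behaviour chosen in comment #1)."""
    try:
        salt_hex, iterations, key_hex = stored.split("$")
        return bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(key_hex)
    except ValueError:
        return None

def matches_configured_length(password, stored, key_length_bits=DEFAULT_KEY_LENGTH_BITS):
    """Pre-fix: always derive the configured keyLength, so a credential digested
    with a different -k never matches (the 401 in the report)."""
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    salt, iterations, stored_key = parsed
    return hmac.compare_digest(derive(password, salt, iterations, key_length_bits // 8), stored_key)

def matches_stored_length(password, stored):
    """Post-fix: take the key length from the stored key itself."""
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    salt, iterations, stored_key = parsed
    return hmac.compare_digest(derive(password, salt, iterations, len(stored_key)), stored_key)

if __name__ == "__main__":
    stored = digest("YOUR_PASSWORD", 10000, 8, 128)  # constructed with the report's digest.sh flags
    print(matches_configured_length("YOUR_PASSWORD", stored))  # False: 160-bit key vs 128-bit stored
    print(matches_stored_length("YOUR_PASSWORD", stored))      # True
```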