Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/11/15 17:26:00 UTC

[Bug 66349] New: Why does LockOutRealm not support CredentialHandler?

https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

            Bug ID: 66349
           Summary: Why does LockOutRealm not support CredentialHandler?
           Product: Tomcat 10
           Version: 10.0.0
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Authentication
          Assignee: dev@tomcat.apache.org
          Reporter: tschoening@am-soft.de
  Target Milestone: ------

I have some webapp hosted by Tomcat and need to restrict user access to some
part of it. One additional requirement is that this app needs to be CIS
benchmark compliant, which requires using LockOutRealm and forbids storing
plain-text passwords. Therefore, the ultimate solution in my case would be the
following:

> <Realm  className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
>     <CredentialHandler  className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>                         algorithm="PBKDF2WithHmacSHA512"
>                         iterations="100000"
>                         keyLength="256"
>                         saltLength="16"
>     />
>   </Realm>
> </Realm>

But that doesn't work, because LockOutRealm ignores any credential handler.
Additionally, with the Tomcat 10 I'm using, I'm no longer able to set any
"digest" attribute on the realm itself either. The only way to fulfill both
requirements is to implement a custom realm.

> Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm setCredentialHandler
> WARNING: A CredentialHandler was set on an instance of the
> CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> doesn't use a configured CredentialHandler. Is this a configuration
> error?

https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

So, what's the reason for not supporting credential handlers for LockOutRealm?

This doesn't make much sense to me, especially as most docs I came across use
LockOutRealm in combination with some other realm, and there are no docs
stating that a fundamental concept like credential handlers will only work in a
very limited way in this setup. Additionally, when researching this task, some
people even claim that the above XML config works, but it simply can't. I don't
see any code in LockOutRealm that asks other realms about their credential
handlers.

I've had a look at the bug tracker already and couldn't find this topic
discussed or a reason for the implementation. OTOH, someone did add code to
explicitly log a warning message instead of fixing the underlying problem, so
there was most likely some reason to do so.

Is the problem really deciding which of the child realms' credential handlers
to use? In the easiest case, simply use the first credential handler found by
a depth-first search; that should work for the majority of use cases. Other
aspects of the config, like the default assumed nesting level of realms, seem
to be hard-coded as well.

I would be glad to read about the reasons and, ideally, to see this enhanced.
Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 66349] Why does LockOutRealm not support CredentialHandler?

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Thorsten Schöning from comment #0)
> So, what's the reason of not supporting credential handlers for LockOutRealm?

The code says they are supported. Are you having a problem, or are you
reporting that a WARNING in the logs is making you uncomfortable?

The WARNING you posted should only occur if you are setting a CredentialHandler
directly on the LockoutRealm, but your configuration shows you have it nested
inside the UserDatabaseRealm. Something seems off.

> So, what's the reason of not supporting credential handlers for LockOutRealm?

I assert that Tomcat *does* support credential handlers on LockOutRealm. What
is your evidence that they are not supported?


> Additionally, when researching about that task, some people even claim that the above XML config works, but it simply can't.

Why not?

> I don't see any code in LockOutRealm to ask other realms about their credential handlers.

Is that kind of thing required? If so, why?

> OTOH, someone did add some code to explicitly log a warning message instead of fixing the underlying problem, so most likely had some reason to do so.

What underlying problem needs fixing that hasn't been fixed?

Since you have asked this same question on the users' list, let's continue to
discuss it there, as Bugzilla is not a support forum. We can come back to this
bug if there really is something to be done.



[Bug 66349] Why does LockOutRealm not support CredentialHandler?

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WORKSFORME                  |INVALID



[Bug 66349] Why does LockOutRealm not support CredentialHandler?

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Thorsten Schöning <ts...@am-soft.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #2 from Thorsten Schöning <ts...@am-soft.de> ---
I was wrong; the setup DOES work as intended. Looking at my configs again, I
noticed that auth-method in web.xml was still configured as DIGEST instead of
BASIC, and DIGEST in combination with a digest as the password in
tomcat-users.xml doesn't work. That's most likely simply the reason why logging
in with the DIGEST instead of the original clear-text password worked.

Changing things back to BASIC, checking the configured realms and the
credential handler again, putting the correctly digested password into
tomcat-users.xml etc. made the login work as expected. I have a secure DIGEST
in tomcat-users.xml now, but need to provide the plain-text password in the
browser.

I guess the reason for LockOutRealm warning about an explicitly configured
credential handler is that LockOutRealm itself doesn't mutate passwords on its
own for login purposes. It only forwards to other realms, and those seem to
take THEIR configured credential handlers into account properly, at least in
my described setup.

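Worked example, added to this thread (it is not code from the Tomcat project or
from the reporter): it reproduces the record that SecretKeyCredentialHandler
writes into tomcat-users.xml with the parameters from the reporter's
<CredentialHandler> element, then models the two login paths from comment #2.
With BASIC the client sends the cleartext, so the server can run it through the
credential handler and compare; with DIGEST the client sends
MD5(user:realm:password), which the server can only recompute from a cleartext
(or MD5-pre-digested) store, so a salted PBKDF2 record can never match. Two
assumptions are made: the stored format is hex(salt)$iterations$hex(key), as
emitted by DigestCredentialHandlerBase, and Java's PBKDF2WithHmacSHA512 encodes
the password as UTF-8, matching hashlib.pbkdf2_hmac. The digest_login function
is a model of the symptom described in the thread, not Tomcat's
DigestAuthenticator code.

```python
"""Model of Tomcat's SecretKeyCredentialHandler store and of BASIC vs DIGEST
verification against it.  Assumed record format (DigestCredentialHandlerBase):
    hex(salt)$iterations$hex(derived key)
"""
import hashlib
import hmac
import secrets

# Parameters copied from the <CredentialHandler> element in the bug report.
PRF = "sha512"            # Java name: PBKDF2WithHmacSHA512
ITERATIONS = 100_000
KEY_LENGTH_BITS = 256
SALT_LENGTH = 16


def mutate(password, salt=None):
    """Produce the value for password="..." in a <user> element (what the
    handler's mutate() / digest.sh would output under the assumed format)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LENGTH)
    key = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_LENGTH_BITS // 8)
    return f"{salt.hex()}${ITERATIONS}${key.hex()}"


def matches(password, stored):
    """Re-derive the key with the salt and iteration count taken from the
    record and compare in constant time.  A value without the two '$'
    separators is not a salted record (e.g. a cleartext password) and is
    rejected rather than compared."""
    try:
        salt_hex, iterations, key_hex = stored.split("$")
    except ValueError:
        return False
    key = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations),
                              dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


def basic_login(username, password_from_client, users):
    """auth-method BASIC: the cleartext arrives (over TLS), so the realm can
    push it through the credential handler and compare with the store."""
    stored = users.get(username)
    return stored is not None and matches(password_from_client, stored)


def digest_ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password), derived by the client
    from the password the user typed."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def digest_login(username, realm, ha1_from_client, users):
    """auth-method DIGEST: the server never receives the cleartext, so it has
    to build HA1 from whatever is in the store.  With a PBKDF2 record there,
    HA1 gets computed over the record string itself: the real password fails
    and typing the stored hash as the password 'succeeds', which is the
    symptom from comment #2.  (Model of the observed behaviour only.)"""
    stored = users.get(username)
    if stored is None:
        return False
    server_ha1 = digest_ha1(username, realm, stored)
    return hmac.compare_digest(server_ha1, ha1_from_client)


if __name__ == "__main__":
    # Constructed sample: one user, one freshly salted record.
    record = mutate("correct horse battery staple")
    print('<user username="alice" password="%s" roles="manager-gui"/>' % record)
    users = {"alice": record}
    ha1 = digest_ha1("alice", "Protected", "correct horse battery staple")
    print("BASIC  with cleartext:", basic_login("alice", "correct horse battery staple", users))
    print("DIGEST with cleartext:", digest_login("alice", "Protected", ha1, users))
```

To cross-check the format against a real installation, generate a record with
Tomcat's own tool, `digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256
-h org.apache.catalina.realm.SecretKeyCredentialHandler <password>`, and feed
its output to matches(); if the assumed format is right it verifies with the
same cleartext.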