Hi, I'm trying to configure digested passwords in an application. Just for
example I was trying with MD5.

First of all:
* OS: CentOS Linux 7 (Core)
* Tomcat full version: 9.0.43

I configured the Host in this way:

<Host name="tradx.sixro.io" debug="0" appBase="webapps" unpackWARs="true"
      autoDeploy="true">
  <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
           crossContext="false" reloadable="true">
    <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
              maxTotal="10" maxIdle="5" maxWaitMillis="5000"
              username="myusr" password="mypwd"
              driverClassName="org.mariadb.jdbc.Driver"
              url="jdbc:mariadb://localhost:3306/mydb"/>

    <Realm resourceName="DbRealm"
           className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/mydb" localDataSource="true"
           userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
           userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME" debug="99">
      <CredentialHandler
          className="org.apache.catalina.realm.MessageDigestCredentialHandler"
          algorithm="MD5" ></CredentialHandler>
    </Realm>

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="/home/sixroio/sixro.io/tomcat/logs"
           prefix="tradx.sixro.io_log." suffix=".txt"
           pattern="common" resolveHosts="false"/>
  </Context>
</Host>

The authentication fails. For testing purposes I created a username usr
with password 1 that in MD5 is c4ca4238a0b923820dcc509a6f75849b

Enabling details in logs I found these rows:

19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /
19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.authenticate Digest : 3038dd372061bee3cfa5e1a510bea637 Username:usr ClientDigest:3038dd372061bee3cfa5e1a510bea637 nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002 cnonce:c5513c3d36b6b643 qop:auth realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server digest:a66b50234577cb13076d3a117102c955
19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

but I can't understand the debug message in the last-but-one row.

Just to exclude other errors I tried commenting out the CredentialHandler,
and I can log in if I try with usr / c4ca4238a0b923820dcc509a6f75849b

I don't understand what I did wrong. Can you help me?

Regards
R

P.S. I also tried putting the jdbc config in global, setting
localDataSource to false (just for test), but it didn't work either
Roberto,

Welcome to the Tomcat users list! (See below...)

On 2/19/21 17:14, Roberto Simoni wrote:
> Hi, I'm trying to configure digested password in an application. Just for
> example I was trying with MD5.
> First of all:
> * OS: CentOS Linux 7 (Core)
> * Tomcat full version: 9.0.43

Thanks for that.

> I configured the Host in this way:
>
> <Host name="tradx.sixro.io" debug="0" appBase="webapps" unpackWARs="true"
>       autoDeploy="true">
>   <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
>            crossContext="false" reloadable="true">

You don't want your <Context> defined here.

http://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Defining_a_context

>     <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
>               maxTotal="10" maxIdle="5" maxWaitMillis="5000"
>               username="myusr" password="mypwd"
>               driverClassName="org.mariadb.jdbc.Driver"
>               url="jdbc:mariadb://localhost:3306/mydb"/>
>
>     <Realm resourceName="DbRealm"
>            className="org.apache.catalina.realm.DataSourceRealm"
>            dataSourceName="jdbc/mydb" localDataSource="true"
>            userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
>            userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME" debug="99">
>       <CredentialHandler
>           className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>           algorithm="MD5" ></CredentialHandler>

Note that MD5 is super, super sucky.

>     </Realm>
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>            directory="/home/sixroio/sixro.io/tomcat/logs"
>            prefix="tradx.sixro.io_log." suffix=".txt"
>            pattern="common" resolveHosts="false"/>
>   </Context>
> </Host>
>
> The authentication fails. For testing purposes I created a username usr
> with password 1 that in MD5 is c4ca4238a0b923820dcc509a6f75849b
>
> Enabling details in logs I found these rows:
> 19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
> checking request GET /
> 19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
> 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
> 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
> 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
> 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
> hasUserDataPermission()
> 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
> constraint has no restrictions
> 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
> authenticate()
> 19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.authenticate Digest :
> 3038dd372061bee3cfa5e1a510bea637 Username:usr
> ClientDigest:3038dd372061bee3cfa5e1a510bea637
> nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002
> cnonce:c5513c3d36b6b643 qop:auth
> realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server
> digest:a66b50234577cb13076d3a117102c955
> 19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
> authenticate() test

You are using HTTP-Digest authentication, which is not what you have
configured for your CredentialHandler.

There is some confusing naming, here. Java has a class called
MessageDigest which takes bytes and produces signatures. In the
industry, it's sometimes now called "digesting" which is IMO confusing
and wrong. It would be better to call it "hashing" because it doesn't
conflict with other uses of that word.

HTTP-Digest is an authentication system which does some hand-wavy
magic[1] to hide your password from going over the network if you are
using unencrypted channels. This was great back in 1995 but it's a bad
system IMO because the server needs to have your cleartext password in
order to perform authentication. There are ways to store "not the
cleartext" on the server-side, but they are even more awkward.

I would recommend:

1. Use TLS for security
2. Use HTTP Basic authentication for simplicity
3. Don't use MD5 :)

You can't securely use #2 without #1.

To change from HTTP-Digest to HTTP-Basic, just change your web.xml:

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>file</realm-name>
</login-config>

You are still using "digested"/"hashed" passwords on the server-side, so
don't worry about that.

Might I suggest that you consider using a better hashing algorithm than
MD5? Something like SHA512 with salt and iterations? Or, maybe PBKDF2 or
bcrypt?

I'd recommend reading this:
https://tomcat.apache.org/presentations.html#latest-credential-security

Hope that helps,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
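An added worked example (written for this edit, not code from the thread or from Tomcat) that makes the two points of the reply above concrete. Part 1 computes the HTTP Digest response the way RFC 2617 (qop=auth) defines it and checks the same client response against two kinds of server-side secret: the cleartext password or a pre-computed HA1 = MD5(username:realm:password) succeeds, while a table holding only MD5(password), as in the USERS table above, cannot succeed, because HA1 cannot be derived from it. Part 2 is the salted, iterated server-side hash Chris recommends, laid out as `salt$iterations$hash` in the way I read Tomcat's MessageDigestCredentialHandler storing it (hex salt, first digest over salt followed by password, then the digest re-digested iterations-1 times); that layout and iteration scheme are my assumption and should be checked against your Tomcat version's documentation. The nonce, cnonce and nc values are constructed; the username, realm and password "1" are the thread's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Part 1: what an HTTP Digest check (RFC 2617, qop=auth) needs on the server.


def md5_hex(text: str) -> str:
    """MD5 over UTF-8 bytes, hex-encoded; HTTP Digest is defined over MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:cleartext password). A Digest-capable server
    must hold either the cleartext or exactly this realm-bound value."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(ha1_candidate: str, client_response: str, method: str,
                   uri: str, nonce: str, nc: str, cnonce: str) -> bool:
    """Recompute the response from the HA1 the server holds and compare it
    with the client's response in constant time."""
    expected = digest_response(ha1_candidate, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def digest_demo() -> dict:
    """One client response checked against two kinds of stored secret."""
    user, realm, password = "usr", "DbRealm", "1"      # as in the thread
    method, uri = "GET", "/index.jsp"
    # Constructed nonce/nc/cnonce, not the values from the thread's log.
    nonce, nc, cnonce = "1700000000000:0123456789abcdef", "00000001", "deadbeefcafe"
    client = digest_response(digest_ha1(user, realm, password),
                             method, uri, nonce, nc, cnonce)
    return {
        # Cleartext on the server (HA1 derived on the fly) or a stored HA1: OK.
        "cleartext_or_ha1_on_server": server_accepts(
            digest_ha1(user, realm, password), client, method, uri, nonce, nc, cnonce),
        # Only MD5(password) on the server, as in the thread's USERS table:
        # MD5("1") cannot be turned into MD5("usr:DbRealm:1"), so the best
        # the server can do is treat the stored value as HA1, which fails.
        "md5_of_password_on_server": server_accepts(
            md5_hex(password), client, method, uri, nonce, nc, cnonce),
    }


# Part 2: the salted, iterated hash recommended above, in the salt$iterations$hash
# layout as I read Tomcat's MessageDigestCredentialHandler (assumption: hex salt,
# first digest over salt||password, then re-digest iterations-1 times).


def _hashlib_name(jca_algorithm: str) -> str:
    """Map a JCA algorithm name such as "SHA-512" to hashlib's "sha512"."""
    return jca_algorithm.replace("-", "").lower()


def credential_hash(password: str, algorithm: str = "SHA-512",
                    salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Return salt$iterations$hex, or a bare hex digest for the legacy
    unsalted single-iteration layout (empty salt, iterations == 1)."""
    if salt is None:
        salt = os.urandom(16)
    name = _hashlib_name(algorithm)
    digest = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(name, digest).digest()
    if not salt and iterations == 1:
        return digest.hex()
    return f"{salt.hex()}${iterations}${digest.hex()}"


def credential_matches(password: str, stored: str, algorithm: str = "SHA-512") -> bool:
    """Verify a password against a stored credential in either layout."""
    parts = stored.split("$")
    try:
        if len(parts) == 3:
            salt, iterations = bytes.fromhex(parts[0]), int(parts[1])
        elif len(parts) == 1:
            salt, iterations = b"", 1      # legacy: plain digest, no salt
        else:
            return False
    except ValueError:                     # malformed salt or iteration count
        return False
    recomputed = credential_hash(password, algorithm, salt, iterations)
    return hmac.compare_digest(recomputed.lower(), stored.lower())
```

The stored HA1 in Part 1 is the "not the cleartext" option the reply mentions: it is realm-bound, and because it is a plain MD5 of username:realm:password it is password-equivalent for that realm, which is why Basic over TLS with a salted, iterated hash from Part 2 is the better trade.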
Thanks Christopher. It works.

I thought I had already changed to BASIC... did you understand that I was
using DIGEST by looking at those logs?

Anyway yes, I do not want to use MD5, but I was just testing the whole
login. But thanks for the suggestion.

Cheers
R
Roberto,

On 2/20/21 12:05, Roberto Simoni wrote:
> Thanks Christopher. It works.
> I thought I had already changed to BASIC... did you understand that I was
> using DIGEST by looking at those logs?

Yes. Specifically, this part:

> 19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.authenticate Digest :
> 3038dd372061bee3cfa5e1a510bea637 Username:usr
> ClientDigest:3038dd372061bee3cfa5e1a510bea637
> nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002
> cnonce:c5513c3d36b6b643 qop:auth
> realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server
> digest:a66b50234577cb13076d3a117102c955

It mentions a number of HTTP-Digest things:

- nonce
- realm
- client digest
- digest

-chris

> Anyway yes, I do not want to use MD5, but I was just testing the whole
> login. But thanks for the suggestion.
> Cheers
> R
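An added example (not from the thread) of the check Chris did by eye, done over log lines: it parses the `RealmBase.authenticate` FINE line into its fields, reports the Digest-only markers (nonce, cnonce, qop, realm) that tell you the web.xml still says DIGEST, and compares the client and server digests that Tomcat prints. The sample input is the thread's own three final log lines (the Digest line re-joined onto one line). Two things are assumptions of mine: the regex allows for Tomcat printing no space between the realm value and `md5a2:` (which is how the thread's line reads), and the nonce is decoded on the assumption that Tomcat's DigestAuthenticator builds it as `<epoch millis>:<hex>`.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Pattern for the FINE line RealmBase.authenticate writes for a Digest attempt.
# The realm group is a lazy match ended by the literal "md5a2:", because the
# line in the thread shows no space between the realm value and that label.
DIGEST_LOG = re.compile(
    r"RealmBase\.authenticate Digest : (?P<digest>[0-9a-f]+)"
    r" Username:(?P<username>\S+)"
    r" ClientDigest:(?P<client_digest>[0-9a-f]+)"
    r" nonce:(?P<nonce>\S+)"
    r" nc:(?P<nc>[0-9a-f]+)"
    r" cnonce:(?P<cnonce>\S+)"
    r" qop:(?P<qop>\S+)"
    r" realm:(?P<realm>.+?)md5a2:(?P<md5a2>[0-9a-f]+)"
    r" Server digest:(?P<server_digest>[0-9a-f]+)"
)

# Sample input: the last three lines of the thread's log. Only the middle one
# carries Digest fields; the other two contain nothing to parse.
SAMPLE_LOG = [
    "19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] "
    "org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()",
    "19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2] "
    "org.apache.catalina.realm.RealmBase.authenticate Digest : 3038dd372061bee3cfa5e1a510bea637 "
    "Username:usr ClientDigest:3038dd372061bee3cfa5e1a510bea637 "
    "nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002 "
    "cnonce:c5513c3d36b6b643 qop:auth realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 "
    "Server digest:a66b50234577cb13076d3a117102c955",
    "19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2] "
    "org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test",
]


def parse_digest_attempt(line: str) -> Optional[dict]:
    """Return the Digest fields of a RealmBase.authenticate line, or None."""
    m = DIGEST_LOG.search(line)
    if m is None:
        return None
    f = m.groupdict()
    f["auth_method"] = "DIGEST"
    # The Digest-only fields the reply above points at; any one is the tell.
    f["digest_markers"] = [k for k in ("nonce", "cnonce", "qop", "realm") if f[k]]
    # Tomcat prints the client's response twice ("Digest :" and "ClientDigest:")
    # and its own recomputation as "Server digest:"; a mismatch is the failure.
    f["server_matched_client"] = f["server_digest"] == f["client_digest"]
    # Assumption: the nonce is "<epoch millis>:<hex>", so its prefix dates the
    # challenge the client answered (useful when correlating with the log time).
    millis = f["nonce"].split(":", 1)[0]
    f["nonce_issued_at"] = (
        datetime.fromtimestamp(int(millis) // 1000, tz=timezone.utc).isoformat()
        if millis.isdigit() else None
    )
    return f


def digest_attempts(lines) -> list:
    """Run the parser over a log and keep only the Digest attempts."""
    return [p for p in map(parse_digest_attempt, lines) if p is not None]
```

Run over the thread's lines this yields one attempt, for user usr in realm DbRealm, whose server digest differs from the client digest, which is the "Failed authenticate() test" that follows; once web.xml says BASIC, this line no longer appears at all.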