digested passwords: unable to configure them correctly (Tomcat 9.x)...


digested passwords: unable to configure them correctly (Tomcat 9.x)...

Roberto Simoni
Hi, I'm trying to configure digested passwords in an application. Just as an
example I was trying with MD5.
First of all:
  * OS: CentOS Linux 7 (Core)
  * Tomcat full version: 9.0.43

I configured the Host in this way:

<Host name="tradx.sixro.io" debug="0" appBase="webapps" unpackWARs="true"
      autoDeploy="true">
  <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
           crossContext="false" reloadable="true">
    <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
              maxTotal="10" maxIdle="5" maxWaitMillis="5000"
              username="myusr" password="mypwd"
              driverClassName="org.mariadb.jdbc.Driver"
              url="jdbc:mariadb://localhost:3306/mydb"/>

    <Realm resourceName="DbRealm"
           className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/mydb" localDataSource="true"
           userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
           userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME" debug="99">
      <CredentialHandler
          className="org.apache.catalina.realm.MessageDigestCredentialHandler"
          algorithm="MD5"/>
    </Realm>

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="/home/sixroio/sixro.io/tomcat/logs"
           prefix="tradx.sixro.io_log." suffix=".txt"
           pattern="common" resolveHosts="false"/>
  </Context>
</Host>

The authentication fails. For testing purposes I created a username usr
with password 1, which in MD5 is c4ca4238a0b923820dcc509a6f75849b

Enabling details in logs I found these rows:
19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /
19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint has no restrictions
19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.realm.RealmBase.authenticate Digest :
3038dd372061bee3cfa5e1a510bea637 Username:usr
ClientDigest:3038dd372061bee3cfa5e1a510bea637
nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002
cnonce:c5513c3d36b6b643 qop:auth
realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server
digest:a66b50234577cb13076d3a117102c955
19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test

but I can't understand the debug message in the second-to-last row.
Just to exclude other errors I tried commenting out the CredentialHandler, and I
can log in if I try with usr / c4ca4238a0b923820dcc509a6f75849b

I don't see what I did wrong.
Can you help me?

Regards
  R

P.S. I also tried putting the JDBC config in the global configuration with
localDataSource set to false (just for testing), but that didn't work either.

Re: digested passwords: unable to configure them correctly (Tomcat 9.x)...

Christopher Schultz-2
Roberto,

Welcome to the Tomcat users list! (See below...)

On 2/19/21 17:14, Roberto Simoni wrote:
> Hi, I'm trying to configure digested password in an application. Just for
> example I was trying with MD5.
> First of all:
>    * OS: CentOS Linux 7 (Core)
>    * Tomcat full version: 9.0.43

Thanks for that.

> I configured the Host in this way:
>
> <Host name="tradx.sixro.io" debug="0" appBase="webapps" unpackWARs="true"
> autoDeploy="true">
>    <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
> crossContext="false" reloadable="true">

You don't want your <Context> defined here.
http://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Defining_a_context

>      <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
>              maxTotal="10" maxIdle="5" maxWaitMillis="5000"
>              username="myusr" password="mypwd"
> driverClassName="org.mariadb.jdbc.Driver"
>              url="jdbc:mariadb://localhost:3306/mydb"/>
>
>      <Realm resourceName="DbRealm"
> className="org.apache.catalina.realm.DataSourceRealm"
>              dataSourceName="jdbc/mydb" localDataSource="true"
>              userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
>              userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME" debug="99">
>        <CredentialHandler
> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
> algorithm="MD5" ></CredentialHandler>

Note that MD5 is super, super sucky.

>      </Realm>
>
>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>                   directory="/home/sixroio/sixro.io/tomcat/logs"
>                   prefix="tradx.sixro.io_log." suffix=".txt"
>                   pattern="common" resolveHosts="false"/>
>    </Context>
> </Host>
>
> The authentication fails. For testing purposes I created a username usr
> with password 1 that in MD5 is c4ca4238a0b923820dcc509a6f75849b
>
> Enabling details in logs I found these rows:
> 19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
> checking request GET /
> 19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
> 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
> 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
> 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
> constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
> 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
> hasUserDataPermission()
> 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
> constraint has no restrictions
> 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
> authenticate()
> 19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.authenticate Digest :
> 3038dd372061bee3cfa5e1a510bea637 Username:usr
> ClientDigest:3038dd372061bee3cfa5e1a510bea637
> nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002
> cnonce:c5513c3d36b6b643 qop:auth
> realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server
> digest:a66b50234577cb13076d3a117102c955
> 19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
> authenticate() test

You are using HTTP-Digest authentication which is not what you have
configured for your CredentialHandler.

There is some confusing naming, here. Java has a class called
MessageDigest which takes bytes and produces signatures. In the
industry, it's sometimes now called "digesting" which is IMO confusing
and wrong. It would be better to call it "hashing" because it doesn't
conflict with other uses of that word.

HTTP-Digest is an authentication system which does some hand-wavy
magic[1] to hide your password from going over the network if you are
using unencrypted channels. This was great back in 1995 but it's a bad
system IMO because the server needs to have your cleartext password in
order to perform authentication. There are ways to store "not the
cleartext" on the server-side, but they are even more awkward.

I would recommend:

1. Use TLS for security
2. Use HTTP Basic authentication for simplicity
3. Don't use MD5 :)

You can't securely use #2 without #1.

To change from HTTP-Digest to HTTP-Basic, just change your web.xml:

<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>file</realm-name>
</login-config>

You are still using "digested"/"hashed" passwords on the server-side, so
don't worry about that.

Might I suggest that you consider using a better hashing algorithm than
MD5? Something like SHA512 with salt and iterations? Or, maybe PBKDF2 or
bcrypt?

I'd recommend reading this:
https://tomcat.apache.org/presentations.html#latest-credential-security

Hope that helps,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
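To make Chris's point concrete, here is an added example (mine, not Tomcat's code and not from the thread) that reproduces the RFC 2617 arithmetic behind the "Digest : ... Server digest:" log line. The username, realm, nonce, nc, cnonce and qop come from Roberto's log and the password and stored MD5 from his message; the digest-uri ("/") and my reading of how RealmBase derives HA1 from the stored column are assumptions.

```python
import hashlib

# Inputs copied from the log lines and message in the thread above.
USERNAME, REALM, PASSWORD = "usr", "DbRealm", "1"
STORED_MD5 = "c4ca4238a0b923820dcc509a6f75849b"   # MD5("1"), the USERS.PASSWORD value
NONCE = "1613771311042:138f42717e6782847a85f249e2deedae"
NC, CNONCE, QOP = "00000002", "c5513c3d36b6b643", "auth"
METHOD, URI = "GET", "/"                          # digest-uri is an assumption


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(ha1: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5hex(f"{METHOD}:{URI}")
    return md5hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:{QOP}:{ha2}")


def client_response(password_typed: str) -> str:
    """Browser side: HA1 = MD5(username:realm:password) from what the user typed."""
    return digest_response(md5hex(f"{USERNAME}:{REALM}:{password_typed}"))


def server_response(stored_credential: str, handler_present: bool) -> str:
    """Realm side (my reading of RealmBase.getDigest, an assumption): with a
    MessageDigestCredentialHandler the stored column is taken to be HA1 as-is;
    without one, it is treated as the cleartext password and hashed."""
    if handler_present:
        ha1 = stored_credential
    else:
        ha1 = md5hex(f"{USERNAME}:{REALM}:{stored_credential}")
    return digest_response(ha1)


def digest_credential(user: str, realm: str, password: str) -> str:
    """What the column must hold for DIGEST auth plus a digest handler:
    MD5(user:realm:password), one iteration, no salt (per the Tomcat realm docs)."""
    return md5hex(f"{user}:{realm}:{password}")


def explain() -> dict:
    """Four scenarios from the thread; True means the login would succeed."""
    correct = digest_credential(USERNAME, REALM, PASSWORD)
    return {
        # Roberto's failing config: MD5("1") stored, handler present, user types "1".
        "failing": client_response(PASSWORD) == server_response(STORED_MD5, True),
        # His workaround: handler commented out, user types the hex digest.
        "workaround": client_response(STORED_MD5) == server_response(STORED_MD5, False),
        # What DIGEST auth needed: MD5(usr:DbRealm:1) in the column.
        "user_realm_pw": client_response(PASSWORD) == server_response(correct, True),
        # Cleartext in the column, no handler: works, but this is exactly the
        # "server needs your cleartext password" problem Chris describes.
        "cleartext": client_response(PASSWORD) == server_response(PASSWORD, False),
    }


if __name__ == "__main__":
    for scenario, ok in explain().items():
        print(f"{scenario:14s} -> {'login OK' if ok else 'Failed authenticate() test'}")
```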

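On the "SHA512 with salt and iterations" suggestion, here is an added example (mine, not Tomcat's code) contrasting the unsalted single-pass MD5 Roberto stored with a salted, iterated SHA-512 credential verified in constant time. The salt$iterations$hash hex layout and the digest-chaining order follow my understanding of Tomcat's MessageDigestCredentialHandler and are assumptions to check against the Tomcat docs before relying on them.

```python
import hashlib
import hmac
import os


def iterated_digest(algorithm: str, password: str, salt: bytes, iterations: int) -> bytes:
    """digest(salt || password), then re-digest the result (iterations - 1) times.
    Chaining order as I understand Tomcat's ConcurrentMessageDigest (assumption)."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(password.encode("utf-8"))
    out = h.digest()
    for _ in range(iterations - 1):
        out = hashlib.new(algorithm, out).digest()
    return out


def create_credential(password: str, algorithm: str = "sha512",
                      salt_len: int = 16, iterations: int = 100_000) -> str:
    """Salted, iterated credential in the assumed salt$iterations$hash hex layout."""
    salt = os.urandom(salt_len)
    digest = iterated_digest(algorithm, password, salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_credential(password: str, stored: str, algorithm: str = "sha512") -> bool:
    """Accepts the salted layout and, for comparison, a legacy bare hex hash
    (no salt, one pass) such as the MD5 value in Roberto's USERS table."""
    parts = stored.split("$")
    if len(parts) == 3:
        salt, iterations, expected = bytes.fromhex(parts[0]), int(parts[1]), parts[2]
    elif len(parts) == 1:
        salt, iterations, expected = b"", 1, parts[0]
    else:
        return False
    actual = iterated_digest(algorithm, password, salt, iterations).hex()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    stored = create_credential("1")
    print(stored[:24] + "...", verify_credential("1", stored), verify_credential("2", stored))
```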

Re: digested passwords: unable to configure them correctly (Tomcat 9.x)...

Roberto Simoni
Thanks Christopher. It works.
I thought I had already changed to BASIC... did you understand that I was
using DIGEST by looking into those logs?
Anyway, yes, I do not want to use MD5, but I was just testing the whole
login. But thanks for the suggestion.
Cheers
  R


On Sat, 20 Feb 2021 at 15:53 Christopher Schultz <[hidden email]> wrote:


Re: digested passwords: unable to configure them correctly (Tomcat 9.x)...

Christopher Schultz-2
Roberto,

On 2/20/21 12:05, Roberto Simoni wrote:
> Thanks Christopher. It works.
> I through I had already changed to BASIC... did you understand that I was
> using DIGEST looking into those logs?

Yes. Specifically, this part:

> 19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2]
> org.apache.catalina.realm.RealmBase.authenticate Digest :
> 3038dd372061bee3cfa5e1a510bea637 Username:usr
> ClientDigest:3038dd372061bee3cfa5e1a510bea637
> nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002
> cnonce:c5513c3d36b6b643 qop:auth
> realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server
> digest:a66b50234577cb13076d3a117102c955

It mentions a number of HTTP-Digest things:

- nonce
- realm
- client digest
- digest

-chris

