https://bz.apache.org/bugzilla/show_bug.cgi?id=60446

            Bug ID: 60446
           Summary: SecretKeyCredentialHandler ignores key length when
                    matching
           Product: Tomcat 9
           Version: 9.0.0.M13
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: -----

Created attachment 34502
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34502&action=edit
Patch

SecretKeyCredentialHandler does not take into account the key length of the
stored credentials when matching against provided credentials, which results in
a failed authentication unless the key length is statically defined in XML to
be the same as the stored credentials. A patch that is tested with the 9.0, 8.5
and 8.0 trunks is provided with this bug report. The patch includes updated
unit tests.

*** Steps to Reproduce ***

1) In conf/server.xml put

<CredentialHandler
  className="org.apache.catalina.realm.SecretKeyCredentialHandler"
  algorithm="PBKDF2WithHmacSHA512" />

inside the UserDatabaseRealm element.

2) generate a password digest with

bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 10000 -s 8 -k 128 -h
"org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"

and put inside the password attribute in conf/tomcat-users.xml for an
appropriate user.

3) Launch tomcat (bin/startup.sh) and go to http://localhost:8080/manager/html

4) Provide the username of the user and the password YOUR_PASSWORD


*** Actual Results ***

- The user is unable to authenticate and gets a 401 error


*** Expected Results ***

- The user authenticates and gains access to the management app


*** Additional Builds and Platforms ***

The bug affects all builds since the introduction of SecretKeyCredentialHandler.


*** Additional Information ***
Putting

<CredentialHandler
  className="org.apache.catalina.realm.SecretKeyCredentialHandler"
  algorithm="PBKDF2WithHmacSHA512"
  keyLength="128" />

inside conf/server.xml instead would enable the user to authenticate again, but
then all users must use the same key length.
