https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
Bug ID: 69852
Summary: {MD5}, {SHA} and {SSHA} not honored with Realm/CredentialHandler
Product: Tomcat 11
Version: 11.0.13
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -------
According to
https://tomcat.apache.org/tomcat-11.0-doc/config/credentialhandler.html#MessageDigestCredentialHandler
I can declare a digest algorithm to use for tomcat-users.xml like this:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler
        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
        algorithm="SHA-384" />
  </Realm>
</Realm>
Also I can use various formats for the passwords and these two should use the
configured algorithm:
- encodedCredential - a hex encoded digest of the password digested using the
configured digest
- salt$iterationCount$encodedCredential - a hex encoded salt, iteration code
and a hex encoded credential, each separated by $
However there are 3 formats where `algorithm="SHA-384"` should be overridden:
- {MD5}encodedCredential - a Base64 encoded MD5 digest of the password
- {SHA}encodedCredential - a Base64 encoded SHA1 digest of the password
- {SSHA}encodedCredential - 20 character salt followed by the salted SHA1
digest Base64 encoded
`org.apache.catalina.realm.MessageDigestCredentialHandler#matches()` doesn't
use MD5/SHA1/SHA1 respectively for {MD5}/{SHA}/{SSHA} prefixed passwords.
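To make the expected dispatch concrete (a {MD5}/{SHA}/{SSHA} prefix selects the digest, and the configured algorithm applies only to the two unprefixed forms), here is an added Python example written for this report; it is not Tomcat's code and not the reporter's. The UTF-8 encoding of the password, the SSHA byte layout (20-byte SHA-1 digest followed by the salt, the common LDAP convention) and the re-digesting scheme used for the salt$iterationCount$encodedCredential form are assumptions of this example, not facts taken from the report.

```python
import base64
import hashlib
import hmac
import os

# Prefix -> digest it mandates. A prefixed credential must be verified with
# this digest regardless of the handler's configured algorithm.
PREFIX_ALGORITHMS = {"{MD5}": "md5", "{SHA}": "sha1", "{SSHA}": "sha1"}
SHA1_LEN = 20  # SSHA: fixed-length SHA-1 digest, then variable-length salt (assumed layout)


def _prefix_of(stored):
    for prefix in PREFIX_ALGORITHMS:
        if stored.startswith(prefix):
            return prefix
    return None


def select_algorithm(stored, configured):
    """Digest that a stored credential must be checked with: the prefix wins."""
    prefix = _prefix_of(stored)
    return PREFIX_ALGORITHMS[prefix] if prefix else configured


def _iterate(algorithm, salt, pw, iterations):
    # Example convention (assumption): digest(salt || password), then
    # re-digest the result iterations-1 times.
    digest = hashlib.new(algorithm, salt + pw).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def matches(stored, password, configured="sha384"):
    """Verify password against a stored credential in any of the five formats."""
    pw = password.encode("utf-8")  # assumption: UTF-8 password bytes
    prefix = _prefix_of(stored)
    if prefix == "{SSHA}":
        blob = base64.b64decode(stored[len(prefix):])
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        expected = hashlib.sha1(pw + salt).digest()
        return hmac.compare_digest(digest, expected)
    if prefix in ("{MD5}", "{SHA}"):
        expected = hashlib.new(PREFIX_ALGORITHMS[prefix], pw).digest()
        return hmac.compare_digest(base64.b64decode(stored[len(prefix):]), expected)
    if "$" in stored:
        salt_hex, iterations, cred_hex = stored.split("$", 2)
        expected = _iterate(configured, bytes.fromhex(salt_hex), pw, int(iterations))
        return hmac.compare_digest(bytes.fromhex(cred_hex), expected)
    # Plain hex digest using the configured algorithm.
    expected = hashlib.new(configured, pw).digest()
    return hmac.compare_digest(bytes.fromhex(stored), expected)


# Encoders used to build sample credentials for the checks below.
def encode_prefixed(prefix, password):
    pw = password.encode("utf-8")
    return prefix + base64.b64encode(hashlib.new(PREFIX_ALGORITHMS[prefix], pw).digest()).decode()


def encode_ssha(password, salt=None):
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def encode_salted(password, configured="sha384", salt=None, iterations=1000):
    salt = os.urandom(16) if salt is None else salt
    digest = _iterate(configured, salt, password.encode("utf-8"), iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


if __name__ == "__main__":
    # Constructed sample: the handler is configured for SHA-384, but a {SHA}
    # credential must still be checked with SHA-1.
    stored = encode_prefixed("{SHA}", "abc")
    print(stored, select_algorithm(stored, "sha384"), matches(stored, "abc"))
```

The comparison goes through `hmac.compare_digest` so that a mismatch does not leak position information through timing; `select_algorithm` is the single place where the prefix is allowed to override the configured digest, which is the behaviour the report says `matches()` lacks.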