How to deal with LogJam Vulnerability?
Hi All,

I am using Tomcat version 7.00.062 supported on JRE 8u45. How do I disable the LogJam Vulnerability?

I have added a line in the java.security file of the JRE:

    jdk.tls.disabledAlgorithms=DH

Is this good enough? Or do we need to add DiffieHellman also?

    jdk.tls.disabledAlgorithms=DH, DiffieHellman

Which one solves the issue of LogJam? Kindly help.

Regards,
Nikitha
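The question above goes unanswered on this page. What a practitioner can do regardless of which spelling is right is check the effect: the following added example (not from the thread, not Tomcat or JDK code) reads the `jdk.tls.disabledAlgorithms` value the running JVM actually sees and lists the DH/DHE cipher suites the default JSSE context still enables. It assumes it is run with the same JRE that runs Tomcat.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not from the thread): verify what the JVM does with
 * Diffie-Hellman key exchange after java.security has been edited, instead
 * of assuming the edit took effect. Run with the JRE Tomcat uses.
 */
public class DhSuiteCheck {

    /** Effective value of the security property (java.security plus any runtime overrides). */
    public static String disabledAlgorithms() {
        String value = Security.getProperty("jdk.tls.disabledAlgorithms");
        return value == null ? "" : value;
    }

    /** Cipher suites the default SSLContext still enables that use DH or DHE key exchange. */
    public static List<String> enabledDhSuites() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> dhSuites = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            // Standard JSSE names carry the key exchange after the TLS_/SSL_ prefix,
            // e.g. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 or SSL_DH_anon_WITH_RC4_128_MD5.
            if (suite.contains("_DHE_") || suite.contains("_DH_")) {
                dhSuites.add(suite);
            }
        }
        return dhSuites;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + disabledAlgorithms());
        List<String> remaining = enabledDhSuites();
        if (remaining.isEmpty()) {
            System.out.println("No DH/DHE cipher suites are enabled by default.");
        } else {
            System.out.println("DH/DHE cipher suites still enabled by default:");
            for (String suite : remaining) {
                System.out.println("  " + suite);
            }
        }
    }
}
```

This inspects the JSSE defaults only. A Tomcat JSSE connector can further restrict suites through its `ciphers` attribute, and an APR/native connector negotiates through OpenSSL, where `jdk.tls.disabledAlgorithms` has no effect at all; in that case the connector's own cipher configuration is what has to be checked.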
Re: [ANN] Apache Tomcat Connectors 1.2.41 released
Jessica,

On 8/24/15 11:40 AM, Alten, Jessica-Aileen wrote:
>> The official position of the ASF is that we provide code, not binaries.
>
> Sorry, I can't follow this argument - there are lots of binaries in the download area, even for Tomcat and the Httpd flagship.

Note that the "binary" downloads for Tomcat are largely compiled Java code and not native code. We do package-up the tcnative library, it's true. See the archives on the dev list for the recent gnashing of teeth surrounding that issue.

>> We'd love to provide Windows binaries for mod_jk, but they are a real pain in the neck to actually build: they require very specific build environment, and the library must be built in such a way that it's compatible with the web server in which it's running (e.g. httpd 1.3/2.2/2.4 or IIS 5/6/7/8/9, proper architecture (32/63) and chipset (x86/x86-64/itanium/alpha). It's gotten to the point where it's tough to provide all of those combinations with any regularity.
>
> I understand that it is difficult - perhaps too difficult for the developers of this module, but the average Windows admin or Java programmer should do this? ;)
>
> There were binaries of this module at least for the last 10 years!

In this particular case, we were forced to issue a hasty release (and I would agree it wasn't hasty enough) due to the premature disclosure of a security problem with the previous version. The core Tomcat team is very small, and the *one* guy who usually does these builds has been MIA for a while. We don't have an army of developers ready to build a release binary at a moment's notice. We are all volunteers, here.

> I'm very disappointed on this attitude. You are closing out the whole Windows/IIS world.

It will get built. The question is when.

>> Unfortunately, I don't believe they provide builds for the ISAPI redirector for IIS. If that's what you need... umm...
>
> Umm - yes - this is what I need.

Okay. Do you have a compiler handy? ;)

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Adding User to a Realm
Sreyan,

On 8/24/15 1:19 PM, Sreyan Chakravarty wrote:
> No you don't understand what my question was. Say I do something like this:
>
> String password = request.getParameter("passwd");
>
> long salt = // get salt from SecureRandom
>
> String password = salt + password;
>
> String hash = encrypt(password) // Use some encryption like bCrypt
>
> storeInDb(hash); // Stores it in User Table along with user-id and role
>
> Now when I am querying from the database using a DataSourceRealm for example. How do I replicate the exact hashing procedure.

You are circling the right answer: you use a CredentialHandler for this. You may have to write your own if the built-in ones don't support your hashing strategy.

> I can obviously store the salt value in another column but how can I tell the Realm or CredentialHandler to use the salt and then hash the password there is obviously no salt attribute in the CredentialHandler.

There is a salt *length* attribute, but that's how many random bits to use when creating a new stored-credential.

The CredentialHandler docs[1] have examples of how to store the password in the database. If you are using digest + salt + iterations, then you want to store the password in the db table like this:

    salt$iterationCount$encodedCredential

Those are literal $ symbols between the 3 different components of the stored credential. The salt and encodedCredential should be in hex-encoding (e.g. "abc" = "979899"). The iteration count should be a simple integer like "1000". (I highly recommend using a very large number of iterations... something that takes ~2s on a modern machine ought to be appropriate).

> So in other words how do I replicate the exact same hashing procedure while retrieving the password to that I used when I was storing the password in the database.
>
> Is there a way to use the Realm to insert the user-id and password into the database ?

No, but you can feel free to instantiate the same kind of CredentialHandler with the same settings and then use the mutate() function to see what the CredentialHandler will produce from a given input.

> Because that seems like the most straight forward approach. I don't know why there isn't an API for doing just that in Tomcat.

CredentialHandler.mutate will mutate the credentials. It's up to you to store them wherever makes the most sense.

> What good is having saltlength in CredentialHandler if its not going to use it to create a password.

See above.

> Salts have to be specified differently and Tomcat just cannot assume the first 20 characters (specified in the saltlength property) to be the salt.

See above.

> So how can I store the credentials in the database and get them back using the same hashing procedure ?
>
> And why hasn't the documentation included sufficient number of examples of this process.

Because it's been written by people who knew what the process was and didn't know the right questions to answer.

> No one seems to know anything about it.

Really? Who have you asked? I know a fair bit about it, and I'm trying to answer your questions. I'm happy to help; don't be so grouchy about asking questions, especially if someone is willing to reply and help you out.

-chris
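The approach in the reply above (build the same CredentialHandler with the same settings, call mutate() at registration time, let the Realm call matches() at login time) as an added example. This is not code from the thread or from Tomcat; it assumes Tomcat 8.0.x or later on the classpath (catalina.jar), and the handler settings, the table stand-in and the sample password are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.catalina.realm.MessageDigestCredentialHandler;

/*
 * Added example (not from the thread, not Tomcat's own code). Assumes a Realm in
 * server.xml configured with the same handler settings this class uses, e.g.:
 *
 *   <Realm className="org.apache.catalina.realm.DataSourceRealm" ...>
 *     <CredentialHandler
 *         className="org.apache.catalina.realm.MessageDigestCredentialHandler"
 *         algorithm="SHA-256" iterations="100000" saltLength="16"/>
 *   </Realm>
 *
 * Registration builds an identical handler and calls mutate(), so the string
 * it stores is exactly what the Realm will later hand to matches().
 */
public class RegistrationCredentials {

    // Must match the CredentialHandler attributes in server.xml (constructed values).
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 100_000;
    static final int SALT_LENGTH = 16;

    // Stand-in for the users table the DataSourceRealm reads: user_name -> user_pass.
    private final Map<String, String> userTable = new HashMap<>();
    private final MessageDigestCredentialHandler handler;

    public RegistrationCredentials() throws Exception {
        handler = new MessageDigestCredentialHandler();
        handler.setAlgorithm(ALGORITHM);    // throws NoSuchAlgorithmException if the JVM lacks it
        handler.setIterations(ITERATIONS);
        handler.setSaltLength(SALT_LENGTH); // bytes of random salt drawn per credential
    }

    /** Registration: hash the clear-text password the way the Realm expects and store the result. */
    public String register(String username, String clearTextPassword) {
        // With saltLength > 0 the result has the form salt$iterations$digest, salt and digest
        // hex-encoded; the handler draws a fresh salt from SecureRandom on every call.
        String stored = handler.mutate(clearTextPassword);
        userTable.put(username, stored);
        return stored;
    }

    /** What the Realm does at login: compare the submitted password with the stored credential. */
    public boolean verify(String username, String clearTextPassword) {
        String stored = userTable.get(username);
        return stored != null && handler.matches(clearTextPassword, stored);
    }

    public static void main(String[] args) throws Exception {
        RegistrationCredentials reg = new RegistrationCredentials();
        String stored = reg.register("alice", "correct horse battery staple");
        System.out.println("stored as: " + stored);
        System.out.println("right password verifies: " + reg.verify("alice", "correct horse battery staple"));
        System.out.println("wrong password verifies: " + reg.verify("alice", "not the password"));
        // Registering the same password twice never stores the same string: fresh salt each time.
        String again = reg.register("bob", "correct horse battery staple");
        System.out.println("second registration differs: " + !stored.equals(again));
    }
}
```

The iteration count is the knob the reply says to tune: raise it until mutate() takes on the order of a second or two on the production hardware, then set the same value in server.xml, because a credential stored with one count will not match a handler configured with another.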
Re: [ANN] Apache Tomcat Connectors 1.2.41 released
On 24/08/2015 16:40, Alten, Jessica-Aileen wrote:
>> The official position of the ASF is that we provide code, not binaries.
>
> Sorry, I can't follow this argument - there are lots of binaries in the download area, even for Tomcat and the Httpd flagship.

ASF policy is that we MUST release in source code form. Many projects provide convenience binaries but they are just that, convenience binaries.

>> We'd love to provide Windows binaries for mod_jk, but they are a real pain in the neck to actually build: they require very specific build environment, and the library must be built in such a way that it's compatible with the web server in which it's running (e.g. httpd 1.3/2.2/2.4 or IIS 5/6/7/8/9, proper architecture (32/63) and chipset (x86/x86-64/itanium/alpha). It's gotten to the point where it's tough to provide all of those combinations with any regularity.
>
> I understand that it is difficult - perhaps too difficult for the developers of this module, but the average Windows admin or Java programmer should do this? ;)
> There were binaries of this module at least for the last 10 years!
> I'm very disappointed on this attitude. You are closing out the whole Windows/IIS world.

Yes, we (the Tomcat community) have a problem here. We needed a jk release to address a security issue that had been made public before we were ready. The developers that normally work on jk have been quiet lately so one of the other Tomcat developers stepped up to do the release. The source code side of things is relatively simple but the binaries are not and the documented build process is not sufficient to generate a binary release.

To give you an idea, this is the documented build process for the tc-native DLL:
http://tomcat.apache.org/native-doc/#Building/Windows

This is what is actually required to generate a release:
http://wiki.apache.org/tomcat/BuildTcNativeWin

This is the documented build process for ISAPI:
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/iis/README?view=annotate

We don't have the equivalent 'How to build a release' documentation. It is not at all clear how release builds (which options have been used, what have they been compiled with / against?) have been built in the past so it is next to impossible to reproduce a similar build.

>> Unfortunately, I don't believe they provide builds for the ISAPI redirector for IIS. If that's what you need... umm...
>
> Umm - yes - this is what I need.

There are a couple of options:

1. Hope the jk committers provide enough information to document the release process so anyone can run it.

2. Figure out how to build something that works for you and share that with the Tomcat community so anyone can build it. Then one of the active Tomcat committers will be able to include the binary in the next release (and provide an official binary for this release).

Mark
Re: Adding User to a Realm
No you don't understand what my question was. Say I do something like this:

    String password = request.getParameter("passwd");

    long salt = // get salt from SecureRandom

    String password = salt + password;

    String hash = encrypt(password) // Use some encryption like bCrypt

    storeInDb(hash); // Stores it in User Table along with user-id and role

Now when I am querying from the database using a DataSourceRealm for example. How do I replicate the exact hashing procedure.

I can obviously store the salt value in another column but how can I tell the Realm or CredentialHandler to use the salt and then hash the password there is obviously no salt attribute in the CredentialHandler.

So in other words how do I replicate the exact same hashing procedure while retrieving the password to that I used when I was storing the password in the database.

Is there a way to use the Realm to insert the user-id and password into the database ? Because that seems like the most straight forward approach. I don't know why there isn't an API for doing just that in Tomcat.

What good is having saltlength in CredentialHandler if its not going to use it to create a password.

Salts have to be specified differently and Tomcat just cannot assume the first 20 characters (specified in the saltlength property) to be the salt.

So how can I store the credentials in the database and get them back using the same hashing procedure ?

And why hasn't the documentation included sufficient number of examples of this process. No one seems to know anything about it. I am totally in the dark here.

Regards
Sreyan Chakravarty

On Mon, Aug 24, 2015 at 7:41 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sreyan,
>
> On 8/24/15 9:24 AM, Sreyan Chakravarty wrote:
> > Okay I know how to authenticate an existing user in a Realm. But how the hell do you add a new user to the Realm ?
>
> That depends upon where your users are stored.
>
> > For example if a new member registers on the site, how would I add that to the Realm ?
>
> Put that new user into the place where your users are stored?
>
> -chris
RE: [ANN] Apache Tomcat Connectors 1.2.41 released
> The official position of the ASF is that we provide code, not binaries.

Sorry, I can't follow this argument - there are lots of binaries in the download area, even for Tomcat and the Httpd flagship.

> We'd love to provide Windows binaries for mod_jk, but they are a real pain in the neck to actually build: they require very specific build environment, and the library must be built in such a way that it's compatible with the web server in which it's running (e.g. httpd 1.3/2.2/2.4 or IIS 5/6/7/8/9, proper architecture (32/63) and chipset (x86/x86-64/itanium/alpha). It's gotten to the point where it's tough to provide all of those combinations with any regularity.

I understand that it is difficult - perhaps too difficult for the developers of this module, but the average Windows admin or Java programmer should do this? ;)

There were binaries of this module at least for the last 10 years!

I'm very disappointed on this attitude. You are closing out the whole Windows/IIS world.

> Unfortunately, I don't believe they provide builds for the ISAPI redirector for IIS. If that's what you need... umm...

Umm - yes - this is what I need.

Greetings,
Jessica
Re: Adding User to a Realm
Sreyan,

On 8/24/15 9:24 AM, Sreyan Chakravarty wrote:
> Okay I know how to authenticate an existing user in a Realm. But how the hell do you add a new user to the Realm ?

That depends upon where your users are stored.

> For example if a new member registers on the site, how would I add that to the Realm ?

Put that new user into the place where your users are stored?

-chris
Re: [ANN] Apache Tomcat Connectors 1.2.41 released
Jessica,

On 8/24/15 4:25 AM, Alten, Jessica-Aileen wrote:
>> The Apache Tomcat Project is proud to announce the release of version 1.2.41 of the Apache Tomcat Connectors. This version fixes one security issue (CVE-2014-8111) and a number of bugs found in previous releases.
>>
>> [...]
>>
>> Downloads: http://tomcat.apache.org/download-connectors.cgi
>
> Is there a binary release for Windows scheduled?

The official position of the ASF is that we provide code, not binaries.

That said, providing binaries for Windows users is a really nice thing to do because most Windows users don't have compilers handy, and the range of environments can be ... difficult.

We'd love to provide Windows binaries for mod_jk, but they are a real pain in the neck to actually build: they require very specific build environment, and the library must be built in such a way that it's compatible with the web server in which it's running (e.g. httpd 1.3/2.2/2.4 or IIS 5/6/7/8/9, proper architecture (32/63) and chipset (x86/x86-64/itanium/alpha). It's gotten to the point where it's tough to provide all of those combinations with any regularity. We are trying to work on software, not spend our (volunteer) time wrestling with build processes.

Our friends over at the Apache Lounge [1], while not being directly or officially affiliated with the ASF in any way, have been building httpd and various modules for it (including mod_jk) for a while, now. I see that they don't yet have a build for mod_jk 1.2.41, but I'm sure if you asked nicely, they'd tell you what their schedule is.

Unfortunately, I don't believe they provide builds for the ISAPI redirector for IIS. If that's what you need... umm... wait to see if anyone volunteers to make a build for you?

(Remember that you must trust the source of the build: don't just accept a binary from some random person on the web and install it into your production web servers. You never know what you're going to get!)

-chris

[1] http://www.apachelounge.com/
Re: How do LockOutRealms work ?
Sreyan,

On 8/23/15 2:54 PM, Sreyan Chakravarty wrote:
> I am confused with the functioning of LockOutRealms in Tomcat.
>
> My questions are as follows:
>
> 1. Say user at IP 10.10.10.1 has reached the maximum number of invalid login attempts and is locked out. Now say a user from 10.10.10.2 attempts to login, will Tomcat stop him too since he is trying to login for the first time ? If not then how does Tomcat keep track of users that are locked out ? Via their IPs ?

If you look at the code [1], you'll see that users are identified by username (or "identifier") and no other factors. So, if you get locked-out from 10.10.10.1, you will also be locked-out from 10.10.10.2. However, the lock-out information is not shared amongst cluster members, so the LockOutRealm really only protects a single member of a cluster. If you need "proper" user-locking, you'll want to mark the user as locked-out in a database or something. You could do that by extending LockOutRealm and taking some other action (such as marking a user as locked in a db) after the registerAuthFailure method completes.

> 2. When a user is locked out what message is displayed ? Can I display a custom HTML page when a user has been locked out ? In other words how much control do I have over the lock out process and what error messages are shown ?

It depends upon the type of authenticator you are using. If you use the BasicAuthenticator or DigestAuthenticator, you'll get a 401 response, and you can customize what page gets returned with a 401. If you use a FormAuthenticator, you can customize the form-error-page. If you are using an x509Authenticator, you cannot customize anything since the failure occurs at the SSL handshake level.

In any case, there does not appear to be a way to tell that the user failed due to too-many-authentication-failures. You could request such a feature, but I would personally think nobody would want to implement it... you don't want to leak-out any information about the authentication process if you don't have to. Failed login = failed login, without further clarification.

For a truly secure system, the LockOutRealm should also probably waste some time when a locked-out user is found, to simulate the amount of time it takes to properly-authenticate the user and then fail.

Hope that helps,
-chris

[1] http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LockOutRealm.java?view=markup
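The extension the reply suggests (subclass LockOutRealm and act once registerAuthFailure has completed, so a lock-out is recorded somewhere all cluster members can see) as an added example. This is not code from the thread or from Tomcat; it assumes Tomcat 8.0.x or later on the classpath, where registerAuthFailure and registerAuthSuccess are overridable and isLocked(String) is callable from a subclass, and the package name, the Realm attributes and the in-memory "shared store" are constructed placeholders standing in for a database table.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.catalina.realm.LockOutRealm;

/*
 * Added example (not from the thread, not Tomcat's own code). Wired into
 * server.xml in place of the stock LockOutRealm, e.g.:
 *
 *   <Realm className="com.example.PersistentLockOutRealm"
 *          failureCount="5" lockOutTime="300">
 *     ... nested realm(s) ...
 *   </Realm>
 *
 * com.example is a placeholder package. The stock realm keeps its failure
 * counts in memory per node; this subclass additionally records every
 * lock-out in a store that other nodes can consult.
 */
public class PersistentLockOutRealm extends LockOutRealm {

    // Stand-in for a shared "locked_users" table; a real deployment writes to the DB here.
    private static final Set<String> lockedStore =
            Collections.synchronizedSet(new HashSet<String>());

    @Override
    protected void registerAuthFailure(String username) {
        super.registerAuthFailure(username);   // keep the stock counting and locking
        if (isLocked(username)) {              // this node's failureCount threshold was just reached
            lockedStore.add(username);
            // Emit a detection-friendly log line: repeated lock-outs of one account are worth alerting on.
            if (containerLog != null) {
                containerLog.warn("Account locked after repeated authentication failures: " + username);
            }
        }
    }

    @Override
    protected void registerAuthSuccess(String username) {
        super.registerAuthSuccess(username);   // stock behaviour clears the failure record
        lockedStore.remove(username);
    }

    /** Lets other nodes, or an admin tool, ask whether any node has locked this account. */
    public static boolean isLockedAnywhere(String username) {
        return lockedStore.contains(username);
    }
}
```

This persists the lock state but does not yet enforce it on the other nodes: for that, each authenticate(...) overload would also have to consult the shared store before delegating to the nested realms. The timing suggestion in the reply (spending roughly as long on a locked account as on a real authentication) is a separate change and is not shown here.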
Re: Need help with using CredentialHandler
Sreyan,

On 8/23/15 2:36 PM, Sreyan Chakravarty wrote:
> I need to use Container Managed Security and Authentication in my latest project. And I have a couple of queries regarding how to configure a Credential Handler.

What are your requirements? You may not have to manually-configure a CredentialHandler.

> 1. Firstly how will a CredentialHandler declaration look like ? Can someone provide a sample declaration of the NestedCredentialHandler with the algorithm attribute declared. I need to know since the Digest attribute in Realms has become deprecated. I didn't find any examples on the web and I am utterly confused.

Reviewing the documentation, I can see how it might be confusing. Here's a simple configuration. You only need "NestedCredentialHandler" if you want to be able to support more than one kind of stored-credential. You only really need to do this when you are trying to switch from one type of stored-credential to another, and need to be able to support either style for a period of time. (e.g. switching from plain-old MD5 to salted, iterated SHA-256, or from hash-based credential-format into something like PBKDF.)

> 2. What's the difference between MessageDigestCredentialHandler and SecretKeyCredentialHandler which one is more secure ?

As the documentation says, MessageDigest uses MessageDigest to hash passwords. It can also perform iterations and salting of the password as it's hashed. SecretKey uses the SecretKeyFactory class and therefore supports the types of algorithms supported, there.

Which one is more secure is a matter of opinion (at least, IMO). Algorithms such as PBKDF2 are not really much more than salt+hash+iteration, so you can achieve the same effect with the MessageDigestCredentialHandler if you tune the parameters correctly. You may be in an environment where saying that you specifically use PBKDF2 (rather than some "home brewed" salt+hash+iteration) may be more advantageous. Also, that kind of algorithm (PBKDF2) is formally-specified.

> 3. SecretKeyCredentialHandler specifies only one algorithm in the documentation which is PBKDF2WithHmacSHA1. What other algorithms are available ?

Have a look at your JVM to find out what is currently supported. Call java.security.Provider.keySet() on your crypto provider(s) to find out their properties. You're looking for something like this:

    SecretKeyFactory.DES=com.sun.crypto.provider.DESKeyFactory
    SecretKeyFactory.DESede=com.sun.crypto.provider.DESedeKeyFactory
    SecretKeyFactory.PBEWithHmacSHA1AndAES_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128
    SecretKeyFactory.PBEWithHmacSHA1AndAES_256=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256
    SecretKeyFactory.PBEWithHmacSHA224AndAES_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128
    SecretKeyFactory.PBEWithHmacSHA224AndAES_256=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256
    SecretKeyFactory.PBEWithHmacSHA256AndAES_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128
    SecretKeyFactory.PBEWithHmacSHA256AndAES_256=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256
    SecretKeyFactory.PBEWithHmacSHA384AndAES_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128
    SecretKeyFactory.PBEWithHmacSHA384AndAES_256=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256
    SecretKeyFactory.PBEWithHmacSHA512AndAES_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128
    SecretKeyFactory.PBEWithHmacSHA512AndAES_256=com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256
    SecretKeyFactory.PBEWithMD5AndDES=com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES
    SecretKeyFactory.PBEWithMD5AndTripleDES=com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES
    SecretKeyFactory.PBEWithSHA1AndDESede=com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede
    SecretKeyFactory.PBEWithSHA1AndRC2_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128
    SecretKeyFactory.PBEWithSHA1AndRC2_40=com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40
    SecretKeyFactory.PBEWithSHA1AndRC4_128=com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128
    SecretKeyFactory.PBEWithSHA1AndRC4_40=com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40
    SecretKeyFactory.PBKDF2WithHmacSHA1=com.sun.crypto.provider.PBKDF2Core$HmacSHA1
    SecretKeyFactory.PBKDF2WithHmacSHA224=com.sun.crypto.provider.PBKDF2Core$HmacSHA224
    SecretKeyFactory.PBKDF2WithHmacSHA256=com.sun.crypto.provider.PBKDF2Core$HmacSHA256
    SecretKeyFactory.PBKDF2WithHmacSHA384=com.sun.crypto.provider.PBKDF2Core$HmacSHA384
    SecretKeyFactory.PBKDF2WithHmacSHA512=com.sun.crypto.provider.PBKDF2Core$HmacSHA512

That's for my Oracle 1.8-level JVM. So it looks like it supports the following algorithms: DES, PBEWithHmacSHA1AndAES_128 (and friends), PBEWithMD5AndDES (and friends), PBKDF2WithHmacSHA1 (and friends). I tested on a 1.6
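The provider walk described in the reply above, as an added example (not from the thread, not Tomcat or JDK code): it iterates every installed java.security.Provider, keeps the "SecretKeyFactory." keys, and so produces the list of names that can go into the SecretKeyCredentialHandler algorithm attribute on the JVM it runs on. It then confirms one candidate by instantiating the factory, which is the check to run before committing a name to server.xml. The candidate name is a constructed choice.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.SecretKeyFactory;

/**
 * Added example (not from the thread): list the SecretKeyFactory algorithms
 * the running JVM offers and confirm a candidate before using it in the
 * SecretKeyCredentialHandler "algorithm" attribute. Run with Tomcat's JRE,
 * since the list depends on the installed providers.
 */
public class SecretKeyFactoryAlgorithms {

    /** algorithm name -> provider name, for every SecretKeyFactory the JVM offers. */
    public static Map<String, String> available() {
        Map<String, String> result = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Provider provider : Security.getProviders()) {
            for (Object key : provider.keySet()) {
                String k = key.toString();
                // Keys look like "SecretKeyFactory.PBKDF2WithHmacSHA256". Skip alias entries
                // ("Alg.Alias.SecretKeyFactory...") and attribute entries, which contain a space
                // ("SecretKeyFactory.X ImplementedIn").
                if (k.startsWith("SecretKeyFactory.") && !k.contains(" ")) {
                    result.put(k.substring("SecretKeyFactory.".length()), provider.getName());
                }
            }
        }
        return result;
    }

    /** True if SecretKeyFactory.getInstance(name) succeeds with the installed providers. */
    public static boolean isUsable(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        for (Map.Entry<String, String> e : available().entrySet()) {
            String note = e.getKey().startsWith("PBKDF2") ? "  <- password-based KDF" : "";
            System.out.println(e.getKey() + "  (" + e.getValue() + ")" + note);
        }
        // Candidate for the CredentialHandler algorithm attribute (constructed choice).
        String candidate = "PBKDF2WithHmacSHA256";
        System.out.println(candidate + " usable here: " + isUsable(candidate));
    }
}
```

Only the PBKDF2* entries in that list are key-derivation functions meant for stored credentials; the DES and PBEWith* factories exist to derive encryption keys for those ciphers and are not a sensible choice for the algorithm attribute.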
Adding User to a Realm
Okay I know how to authenticate an existing user in a Realm. But how the hell do you add a new user to the Realm ? For example if a new member registers on the site, how would I add that to the Realm ?
RE: [ANN] Apache Tomcat Connectors 1.2.41 released
> The Apache Tomcat Project is proud to announce the release of version 1.2.41 of the Apache Tomcat Connectors.
> This version fixes one security issue (CVE-2014-8111) and a number of bugs found in previous releases.
>
> [...]
>
> Downloads:
> http://tomcat.apache.org/download-connectors.cgi

Is there a binary release for Windows scheduled?

Greetings,
Jessica