Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Rop,

On 3/12/15 7:10 PM, rop wrote:
> Hi Chris,
>
> Yes, we are applying salt before hashing (to prevent googling up many
> passwords from the hashes).

Depending upon how you are storing the salt, you may be able to use
Tomcat out of the box, now, because Tomcat can now do salted passwords
(it was way overdue).

> Override probably seemed like easiest way at the time, but maybe a
> better way now. Will check it out, thanks.

You will be better-off moving away from Realm and towards
CredentialHandler instead. Consider beginning to evaluate that for the
future.

-chris

> On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> [...]

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

On 3/12/2015 10:16 AM, rop wrote:
> Hi Chris,
>
> Thanks for your input.
>
> Re your points a+b:
>
>> You have put your Realm into conf/context.xml instead of into your
>> web application's META-INF/context.xml
>
> Actually neither; we define the Realm in $CATALINA_BASE/conf/server.xml
>
> That's also what I see in the Tomcat-docs:
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm

That is his option (a) in his list. Did you check that?

> And I see no mention of META-INF anywhere in there.
>
> Can you please elaborate what you're referring to?
>
> On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> [...]
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Hi Chris,

Thanks for your input.

Re your points a+b:

> You have put your Realm into conf/context.xml instead of into your
> web application's META-INF/context.xml

Actually neither; we define the Realm in $CATALINA_BASE/conf/server.xml

That's also what I see in the Tomcat-docs:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm

And I see no mention of META-INF anywhere in there.

Can you please elaborate what you're referring to?

On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> [...]
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Ah, I got it now. Thanks, David.
Yes, the a-b-c-d points are OK then.

As a trouble-shoot action, I actually did an install-and-test binary
search among the intermediate tomcat-versions to pinpoint exactly which
version breaks our app.

Turns out, up to 7.0.47 it still works OK.
(7.0.48 and 7.0.49 do not exist in the tomcat archive)
And from 7.0.50 it breaks.

So apparently, between 47 and 50 some change occurred that breaks our
login.

On Thu, Mar 12, 2015 at 3:37 PM, David kerber <dcker...@verizon.net> wrote:
> On 3/12/2015 10:16 AM, rop wrote:
>> Hi Chris,
>>
>> Thanks for your input.
>>
>> Re your points a+b:
>>
>>> You have put your Realm into conf/context.xml instead of into your
>>> web application's META-INF/context.xml
>>
>> Actually neither; we define the Realm in $CATALINA_BASE/conf/server.xml
>>
>> That's also what I see in the Tomcat-docs:
>> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm
>
> That is his option (a) in his list. Did you check that?
>
>> And I see no mention of META-INF anywhere in there.
>>
>> Can you please elaborate what you're referring to?
>>
>> On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>> [...]
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

On 12/03/2015 15:51, rop wrote:
> Ah, I got it now. Thanks, David.
> Yes, the a-b-c-d points are OK then.
>
> As a trouble-shoot action, I actually did an install-and-test binary
> search among the intermediate tomcat-versions to pinpoint exactly which
> version breaks our app.
>
> Turns out, up to 7.0.47 it still works OK.
> (7.0.48 and 7.0.49 do not exist in the tomcat archive)
> And from 7.0.50 it breaks.
>
> So apparently, between 47 and 50 some change occurred that breaks our
> login

Nothing jumps out at me in the change log. I'd add that FORM auth is
tested as part of every release so it isn't a general problem.

In your shoes, I'd be firing up Eclipse and remote debugging my way
through the authentication process.

Alternatively, try creating the smallest/simplest possible WAR that
exhibits the problem.

Mark
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Finally, found the issue.

The crucial change was in the method RealmBase.compareCredentials(),
which is new in 7.0.50 (the comparison was much simpler before that).

Dunno if we do something unusual here, but we just extend
DataSourceRealm, like MyDataSourceRealm, and implement the
message-digest for password-hashing in there, by simply overriding the
digest() method.

Before 7.0.50, this worked fine *without* explicitly setting the
DataSourceRealm.setDigest() property. It's always been null, and still
worked.

But the new method RealmBase.compareCredentials() assumes: if you use
messageDigest, this property MUST be set.
( compareCredentials() calls hasMessageDigest() which did not happen in
earlier versions. )

So the solution was to simply add the property digest in
<Realm digest="..." ... />
... which we didn't have there before. Then it works.

On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:
> [...]
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Rop,

On 3/12/15 3:33 PM, rop wrote:
> Finally, found the issue.

Please bottom-post if you can. Also, please sign your posts.

> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:
>> [...]

> The crucial change was in the method RealmBase.compareCredentials(),
> which is new in 7.0.50 (the comparison was much simpler before that).

It is much more extensible, now.

> Dunno if we do something unusual here, but we just extend
> DataSourceRealm, like MyDataSourceRealm, and implement the
> message-digest for password-hashing in there, by simply overriding the
> digest() method.

Do you need to extend the whole realm, or did you just want to override
Tomcat's default password-hashing algorithm? If you just want to tweak
the hashing algorithm, you can write a simpler class and not subclass
DataSourceRealm.

What does your Realm do besides change the password-comparison
algorithm?

> Before 7.0.50, this worked fine *without* explicitly setting the
> DataSourceRealm.setDigest() property. It's always been null, and still
> worked.

This was because it defaulted to MD5 and Tomcat always used simplistic
credential-hashing. It's much more sophisticated, now, and also
supports things like Bcrypt, Scrypt, PBKDF2, etc.

> But the new method RealmBase.compareCredentials() assumes: if you use
> messageDigest, this property MUST be set.
> ( compareCredentials() calls hasMessageDigest() which did not happen
> in earlier versions. )
>
> So the solution was to simply add the property digest in
> <Realm digest="..." ... />
> ... which we didn't have there before. Then it works.

Great. But I think you can do better. If your Realm merely changes the
way hashing is done, please check-out the new features. You may be
able to a) eliminate your class altogether due to new features or b)
replace your Realm with a CredentialHandler that only does the mutation
and comparison of credentials. We did this so you can use the same
credential-mutations on *any* realm, without having to subclass every
Realm to do it.

Hope that helps,
-chris
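Rop's fix above (setting `digest="..."` on the `<Realm>`) keeps the hashing inside a DataSourceRealm subclass; Chris's option (b) moves it into a CredentialHandler that any Realm can use. The following is an added example written for this page, not code from the thread, from Rop's MyDataSourceRealm or from Tomcat, showing what that route looks like: one class that does only the mutation (`mutate`, when a password is stored) and the comparison (`matches`, at login), with a per-user random salt and a constant-time digest compare. It assumes the `org.apache.catalina.CredentialHandler` interface Chris refers to is on the compile classpath (catalina.jar from the 7.0.59 Rop is upgrading to, or from Tomcat 8); the class name `com.example.SaltedDigestCredentialHandler`, the stored-value layout `<hex salt>$<hex digest>`, the table and JNDI names in the configuration comment and the passwords in `main` are all made up for the example.

```java
package com.example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import org.apache.catalina.CredentialHandler;

/*
 * Added example, not code from the thread or from Tomcat: the salted,
 * iterated digest done as a CredentialHandler instead of inside a
 * DataSourceRealm subclass. Stored layout (an assumption): "<hex salt>$<hex digest>".
 * Hypothetical server.xml wiring; the Realm stays where it is, only the hashing
 * moves out of it:
 *   <Realm className="org.apache.catalina.realm.DataSourceRealm"
 *          dataSourceName="jdbc/app" userTable="users" userNameCol="username"
 *          userCredCol="password" userRoleTable="user_roles" roleNameCol="role">
 *     <CredentialHandler className="com.example.SaltedDigestCredentialHandler"
 *                        algorithm="SHA-256" iterations="10000" saltLength="16"/>
 *   </Realm>
 * Tomcat's own org.apache.catalina.realm.MessageDigestCredentialHandler takes the
 * same three attributes, which is Chris's option (a): no custom class at all.
 */
public class SaltedDigestCredentialHandler implements CredentialHandler {

    private static final char[] HEX = "0123456789abcdef".toCharArray();
    private final SecureRandom random = new SecureRandom();
    private String algorithm = "SHA-256";
    private int iterations = 10000;
    private int saltLength = 16;

    // Tomcat's digester maps the XML attributes above onto these setters.
    public void setAlgorithm(String algorithm) { this.algorithm = algorithm; }
    public void setIterations(int iterations) { this.iterations = iterations; }
    public void setSaltLength(int saltLength) { this.saltLength = saltLength; }

    /** Value to store for a new password: a fresh random salt per user. */
    @Override
    public String mutate(String inputCredentials) {
        byte[] salt = new byte[saltLength];
        random.nextBytes(salt);
        return hex(salt) + "$" + hex(digest(salt, inputCredentials));
    }

    /** Check a login attempt against a stored "salt$digest" value. */
    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (inputCredentials == null || storedCredentials == null) return false;
        int sep = storedCredentials.indexOf('$');
        // Anything not in our layout is rejected outright, never compared as plaintext.
        if (sep <= 0 || sep == storedCredentials.length() - 1) return false;
        byte[] salt, expected;
        try {
            salt = unhex(storedCredentials.substring(0, sep));
            expected = unhex(storedCredentials.substring(sep + 1));
        } catch (IllegalArgumentException corrupt) {
            return false;
        }
        // Constant-time compare: String.equals() stops at the first differing byte.
        return MessageDigest.isEqual(expected, digest(salt, inputCredentials));
    }

    /** digest(salt || password), re-digested (iterations - 1) more times. */
    private byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(salt);
            byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
            for (int i = 1; i < iterations; i++) {
                md.reset();
                out = md.digest(out);
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No such digest algorithm: " + algorithm, e);
        }
    }

    private static String hex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            out[2 * i] = HEX[(bytes[i] >> 4) & 0xF];
            out[2 * i + 1] = HEX[bytes[i] & 0xF];
        }
        return new String(out);
    }

    private static byte[] unhex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd length");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("not hex");
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Stand-alone demo with made-up passwords: store one, then try three logins. */
    public static void main(String[] args) {
        SaltedDigestCredentialHandler h = new SaltedDigestCredentialHandler();
        String stored = h.mutate("correct horse battery staple");
        System.out.println("stored:          " + stored);
        System.out.println("right password:  " + h.matches("correct horse battery staple", stored));
        System.out.println("wrong password:  " + h.matches("Correct horse battery staple", stored));
        // An old unsalted value has no '$' separator, so it is refused rather than compared.
        System.out.println("legacy value:    " + h.matches("correct horse battery staple", "0123456789abcdef"));
    }
}
```

Compile it against catalina.jar, put the class on Tomcat's classpath (lib/), and re-hash existing rows with `mutate` in a migration or at each user's next successful login: values still in an old unsalted layout are refused by `matches` rather than silently compared as plaintext, so the cut-over has to be deliberate. With Tomcat's own MessageDigestCredentialHandler in the same `<CredentialHandler>` slot no custom class is needed at all, provided its stored layout fits the existing column.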
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Hi Chris,

Yes, we are applying salt before hashing (to prevent googling up many
passwords from the hashes).

Override probably seemed like easiest way at the time, but maybe a
better way now. Will check it out, thanks.

/Rop

On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> [...]
Re: Form-based authentication breaks after upgrade to Tomcat 7.0.59

Rop,

On 3/10/15 2:57 PM, rop wrote:
> We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.
>
> For some reason, the form-based authentication gets broken after the
> upgrade, and just gives "Invalid username and/or password, please try
> again" when trying to login.
>
> Cannot find anything in catalina.out related to this.

What about the other log files in logs/? Nothing? :(

> From our logging, it appears the DataSourceRealm.authenticate() never
> gets called at all.

What is your Realm configuration, and in what file is it configured?

> If I downgrade to 7.0.35, it works again...
>
> Anyone has a clue if anything changed between these versions, what the
> problem might be, or even how to troubleshoot the issue?

Some initial thoughts for what could be wrong:

a. You have put your Realm into conf/server.xml instead of into your
   web application's META-INF/context.xml file, and you forgot to copy
   that configuration from 7.0.35 to your new 7.0.59 install.

b. You have put your Realm into conf/context.xml instead of into your
   web application's META-INF/context.xml file, and you should not have
   done that at all; move the Realm into META-INF/context.xml

c. The configuration you are modifying isn't the one that Tomcat is
   actually using. I find that this happens a lot to people who are
   launching Tomcat from within an IDE like Eclipse, because the IDE
   does odd things with configuration management.

d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory
   and didn't copy it into Tomcat 7.0.59's lib/ directory, though this
   should have given you errors on startup.

Take a look at those possibilities and let us know what you find.

-chris