Hi Chris,
Yes, we are applying salt before hashing (to prevent googling up many
passwords from the hashes).
Override probably seemed like the easiest way at the time, but maybe there is a better
way now. Will check it out, thanks.
/Rop



On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Rop,
>
> On 3/12/15 3:33 PM, rop wrote:
> > Finally, found the issue.
>
> Please bottom-post if you can. Also, please sign your posts.
>
> > On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org>
> > wrote:
> >
> >> On 12/03/2015 15:51, rop wrote:
> >>> Ah, I got it now. Thanks, David.
> >>>
> >>> Yes, the a-b-c-d points are OK then.
> >>>
> >>> As a trouble-shoot action, I actually did an install-and-test
> >>> "binary search" among the intermediate tomcat-versions to
> >>> pinpoint exactly which version breaks our app.
> >>>
> >>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49
> >>> do not exist in the tomcat archive.) And from 7.0.50 it breaks.
> >>>
> >>> So apparently, between 47 and 50 some change occurred that
> >>> breaks our login....
> >>
> >> Nothing jumps out at me in the change log. I'd add that FORM auth
> >> is tested as part of every release so it isn't a general
> >> problem.
> >>
> >> In your shoes, I'd be firing up Eclipse and remote debugging my
> >> way through the authentication process. Alternatively, try
> >> creating the smallest/simplest possible WAR that exhibits the
> >> problem.
> >
> > The crucial change was in the method
> > RealmBase.compareCredentials(), which is new in 7.0.50 (the
> > comparison was much simpler before that).
>
> It is much more extensible, now.
>
> > Dunno if we do something unusual here, but we just extend
> > DataSourceRealm, like MyDataSourceRealm, and implement the
> > message-digest for password-hashing in there, by simply overriding
> > the digest() method.
>
> Do you need to extend the whole realm, or did you just want to
> override Tomcat's default password-hashing algorithm?
>
> If you just want to tweak the hashing algorithm, you can write a
> simpler class and not subclass DataSourceRealm. What does your Realm
> do besides change the password-comparison algorithm?
>
> > Before 7.0.50, this worked fine *without* explicitly setting the
> > DataSourceRealm.setDigest() property. It's always been null, and
> > still worked.
>
> This was because it defaulted to "MD5" and Tomcat always used
> simplistic credential-hashing. It's much more sophisticated, now, and
> also supports things like Bcrypt, Scrypt, PBKDF2, etc.
>
> > But the new method RealmBase.compareCredentials() assumes: if you
> > use messageDigest, this property MUST be set. (
> > compareCredentials() calls hasMessageDigest() which did not happen
> > in earlier versions. )
> >
> > So the solution was to simply add the property digest in <Realm
> > digest="..." ...> which we didn't have there before. Then it works.
>
> Great. But I think you can do better. If your Realm merely changes the
> way hashing is done, please check-out the new features. You may be
> able to a) eliminate your class altogether due to new features or b)
> replace your Realm with a CredentialHandler that only does the
> mutation and comparison of credentials.
>
> We did this so you can use the same credential-mutations on *any*
> realm, without having to subclass every Realm to do it.
>
> Hope that helps,
> - -chris
>
