Yuval,

On 5/21/15 2:39 PM, Yuval Schwartz wrote:
> Hello,
>
> I have some follow-up questions to Chris' response below (in blue).
>
> On Wed, May 20, 2015 at 5:53 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
> Yuval,
>
> On 5/20/15 9:34 AM, Yuval Schwartz wrote:
>>>> I believe I am running tomcat 8.0 (although when I call the
>>>> getServerInfo() method of the implicit ServletContext Object
>>>> it tells me that I am running on 7.54)
>
> Then you are not running Tomcat 8.0.x.
>
>>>> I configured my realm element in my context.xml file as
>>>> follows (based on the howto guide:
>>>> https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html):
>
> If you are running Tomcat 7, the Tomcat 8 users guide may give you
> bad guidance. If you are intending to run Tomcat 8, you might want
> to get that fixed, first.
>
>> You are correct, I was running Tomcat 7, which doesn't use the
>> same syntax for digesting from the command prompt (I think it
>> doesn't have the options for salt, iterations, etc.). So I
>> updated to Tomcat 8.

Correct: you'll need Tomcat 8 for the salting and iterative hashing.

>>>> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>>>>        debug="99"
>
> The "debug" attribute hasn't been supported for something like 10
> years.
>
>>>>        dataSourceName="jdbc/board" localDataSource="true"
>>>>        userTable="test_user" userNameCol="Email"
>>>>        userCredCol="HashedPassword" userRoleTable="test_user_role"
>>>>        roleNameCol="Role">
>>>>
>>>>   <CredentialHandler
>>>>        className="MessageDigestCredentialHandler" algorithm="SHA-1"
>>>>        iterations="1000" saltLength="48"/>
>
> Oh, good: someone is using the CredentialHandler to improve their
> security. You might want to:
>
> 1. Switch to a larger hash, like SHA-256
> 2. Find out how much time it takes to do 1000 SHA-1 (or SHA-256)
>    hashes on your server. You want the hashing to take more than a
>    trivial amount of time. Our services currently use more than 10k
>    iterations of SHA-256. This makes brute-forcing our password
>    database very time consuming for an attacker, if they were to
>    capture the database itself.
>
>>>> </Realm>
>>>>
>>>> However, despite the password being stored in the format
>>>> described in your "how to" manual
>>>> (i.e. {salt}${iterations}${password}), authentication fails. I
>>>> assume that this is because something in my <Realm>
>>>> configuration is wrong.
>
> Tomcat can generate a hash for you from the command-line:
>
> $ ./bin/digest.sh -a SHA-256 -i 1000 -s 48 'test'
> test:04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719cd25cc82eca073f9a925c005aadf238b$1000$22cb9257949205ffbff01088b46137cf768dc67a0faca26f48269ca9250d4d9b
>
> Let's take apart that credential to see what's in there:
>
> hash:
>
>> Don't you mean "salt" above, instead of "hash:"?

Yes.

> 04d9deb5 f6f1f206 c7139a28 806e7ebd e8f44401 8e019116 8f8d0029
> 1d6e8719 cd25cc82 eca073f9 a925c005 aadf238b
>
> That's 48 bytes (96 characters) of data.
>
> iteration count: 1000 (easy)
>
> fingerprint: 22cb9257 949205ff bff01088 b46137cf 768dc67a 0faca26f
> 48269ca9 250d4d9b
>
> That's 32 bytes (64 characters) of data. SHA-1 produces 32-byte
> output, so this looks good on the face of it.
>
>> I think you mean "SHA-256" here, right?

Yes, sorry. SHA-256 produces a 256-bit hash, which is 32 8-bit bytes.

>> Yes, it looks correct. My issue is that I would like to run this
>> "digest" from a servlet. How would I do that? I need to run it
>> from a servlet because I need to enter it into my database (in
>> the format {salt}${iterations}${password}).

Take a look at RealmBase to see how it does it.

>> Should I even be doing it this way? This relates to my previous
>> comment: Is there no way to call the same digest function that we
>> ran from the command line, in a servlet?

Sure. Look at how RealmBase does it.

>> Indeed there is a digest method as part of the RealmBase API, I
>> just don't know how to get an instance of the RealmBase Object
>> from the servlet.

Create a new one and fill it with the information you know about how
you want to store passwords?

>> I looked at the RealmBase class:
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.html
>>
>> I couldn't find where it mentions how to initially generate the
>> stored credential. Could you give me a little more direction as
>> to where I should look?

You need to read the code, not look at the API.

RealmBase just instantiates an instance of a CredentialHandler,
configures it, and then calls its methods. Take a look at RealmBase's
main() method. There's a lot of junk in there to handle handlers whose
classes and methods are not known, but it boils down to:

1. Calling a constructor
2. Calling set[Stuff] several times
3. Calling a method that accepts the cleartext credential and produces
   an array of hashed bytes.

You will have to manually assemble the {salt}${iterations}${hash}
string, which should be trivial at that point.

-chris
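The "constructor, setters, digest" recipe Chris describes, worked through as an added example. This is not code from the thread or from Tomcat; it drives Tomcat 8's org.apache.catalina.realm.MessageDigestCredentialHandler from a servlet to produce the stored credential and write it to the test_user table named in the <Realm> above. It assumes Tomcat 8.0.x (catalina.jar sits on the common class loader, so org.apache.catalina.* is visible to web applications), a DataSource bound as jdbc/board in the web application's JNDI context (localDataSource="true" above), and the mutate(String)/matches(String, String) methods of the org.apache.catalina.CredentialHandler interface. The class name CredentialServlet, the request parameters and the SIGNUP_SQL statement are hypothetical names chosen for the example.

```java
// Added example (not from the thread or from Tomcat): build the same
// CredentialHandler the realm uses, ask it for a stored credential in
// {salt}${iterations}${hash} form, and insert it into the user table.
// Assumes Tomcat 8.0.x and a JNDI DataSource at java:comp/env/jdbc/board.
package example;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.realm.MessageDigestCredentialHandler;

public class CredentialServlet extends HttpServlet {

    // Hypothetical signup statement; columns match the <Realm> config above.
    private static final String SIGNUP_SQL =
            "INSERT INTO test_user (Email, HashedPassword) VALUES (?, ?)";

    private CredentialHandler handler;
    private DataSource dataSource;

    // Step 1 and 2 of the recipe: constructor, then the setters. The values
    // MUST equal the <CredentialHandler> attributes in context.xml; if they
    // differ, the realm digests login attempts differently and every
    // authentication fails, which is exactly the symptom reported above.
    static CredentialHandler newHandler(String algorithm, int iterations, int saltLength)
            throws NoSuchAlgorithmException {
        MessageDigestCredentialHandler h = new MessageDigestCredentialHandler();
        h.setAlgorithm(algorithm);    // throws if the JVM has no such MessageDigest
        h.setIterations(iterations);  // 1000 here; measure and raise as Chris advises
        h.setSaltLength(saltLength);  // in bytes: 48 bytes prints as 96 hex characters
        return h;
    }

    @Override
    public void init() throws ServletException {
        try {
            handler = newHandler("SHA-256", 1000, 48);
            dataSource = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/board");
        } catch (NoSuchAlgorithmException | NamingException e) {
            throw new ServletException("cannot initialise credential handler", e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String email = req.getParameter("email");
        String password = req.getParameter("password");
        if (email == null || password == null || password.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Step 3: mutate(String) draws a fresh random salt of saltLength
        // bytes, runs the iterated digest, and returns the assembled
        // "<salt hex>$<iterations>$<hash hex>" string, i.e. what digest.sh
        // printed after "test:" above.
        String stored = handler.mutate(password);

        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(SIGNUP_SQL)) {
            ps.setString(1, email);
            ps.setString(2, stored);
            ps.executeUpdate();
        } catch (SQLException e) {
            throw new ServletException("cannot store credential", e);
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // matches() is what DataSourceRealm calls at login; running it here
    // against a value produced by digest.sh is a cheap way to confirm the
    // servlet's handler settings agree with context.xml.
    static boolean verify(CredentialHandler handler, String candidate, String stored) {
        return handler.matches(candidate, stored);
    }
}
```

Two caveats a practitioner should keep in mind. First, calling mutate(String) on the handler does the {salt}${iterations}${hash} assembly for you, so the manual concatenation Chris mentions is only needed if you manage the salt yourself; either way, the hex salt must be exactly saltLength bytes and the iteration count must be the one the realm will use, or matches() returns false. Second, this couples the application to Tomcat's catalina API rather than the servlet API; the benefit is that there is only one implementation of the digest in play, so the servlet cannot drift from what the realm verifies. The cost of the iteration count is paid on every login as well as on every signup, which is why Chris's advice to time it on the real server matters.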