Chris,
Thanks for the quick and informative response.

On Wed, Mar 9, 2016 at 7:26 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:

>
>> For authentication our configuration is using a MemoryRealm with
>> digest="SHA".  We are storing usernames and passwords in a
>> tomcat-users.xml file.  We are using a jaas.config which specifies to
>> use a org.apache.catalina.realm.JAASMemoryLoginModule.  We have our
>> own implementation of a CallbackModule.
>
> I must admit I'm not sure how the JAAS configuration fits into all this
> (I simply have no JAAS experience). But I suspect that since
> JAASMemoryLoginRealm extends RealmBase, it needs to be configured similarly.
>
> The <Realm> you have in server.xml looks to be configured correctly, but
> I'm not sure it's being used if JAAS is in play. I wouldn't be surprised
> if JAAS is creating a separate instance of the JAASMemoryLoginRealm
> (which is a MemoryRealm) and never setting any of those properties.
>

I was wondering myself how those configurations interacted, if at all.
It does appear as if something like what you're describing is
happening.  That makes me wonder if configuring Realm in server.xml is
necessary at all when JAAS is taking the reins.

> It looks like the best way to set those properties is via the "options"
> for the realm:
>
>>> jaas.config:
>>> /** JAAS Login Configuration for the Application **/
>>>
>>> JAASTomcat {
>>>    org.apache.catalina.realm.JAASMemoryLoginModule required debug=true;
>>> };
>
> Instead of simply "debug=true" for the options, we might want to add
> "digest=SHA" and then handle it in the initializer for JAASMemoryLoginRealm.
>
> I think the reason that this works in the older code is that the default
> algorithm of SHA is built into the MemoryRealm and doesn't require the
> new CredentialHandler stuff. The new method for creating a
> CredentialHandler without actually specifying one (i.e. digest="SHA")
> requires that the "digest" actually be set to something. Since that's
> not happening, you get an NPE.
>
> Since you are willing to build your Tomcat from source, can I give you a
> patch to test?
>
> This is definitely a bug, please file it in Bugzilla if you wouldn't mind:
> https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208
>

For what it's worth, that analysis & approach to fixing seem
reasonable to me.  Yes, I'll be glad to file a bug report and test a
patch.

Thanks,
Jason
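
The suggestion quoted above, reading `digest` from the JAAS module options and coping with it being unset, sketched as an added example that is not Tomcat's code or either poster's patch. The class name, the single in-memory credential and the choice to treat an unset `digest` as a plaintext comparison are assumptions; `HexFormat` needs Java 17 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module for illustration; not Tomcat's JAASMemoryLoginModule.
public class DigestOptionLoginModule implements LoginModule {
    static String stored;         // constructed sample credential, set in main()
    private CallbackHandler handler;
    private String digest;        // null: compare the stored credential as plaintext
    private boolean ok;
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> shared, Map<String, ?> options) {
        this.handler = handler;
        Object d = options.get("digest");   // set only if jaas.config has digest=...
        this.digest = (d == null) ? null : d.toString();
    }
    static String hex(String alg, String text) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance(alg).digest(text.getBytes(UTF_8)));
    }
    @Override public boolean login() throws LoginException {
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { pass });
            String presented = new String(pass.getPassword());
            // Branch on the unset option rather than handing null to MessageDigest.
            String candidate = (digest == null) ? presented : hex(digest, presented);
            ok = MessageDigest.isEqual(candidate.getBytes(UTF_8), stored.getBytes(UTF_8));
        } catch (Exception e) {
            throw new LoginException("credential check failed: " + e);
        }
        if (!ok) throw new FailedLoginException("credentials do not match");
        return true;
    }
    @Override public boolean commit() { return ok; }
    @Override public boolean abort()  { ok = false; return true; }
    @Override public boolean logout() { ok = false; return true; }
    public static void main(String[] args) throws Exception {
        stored = hex("SHA", "secret");      // constructed store entry: SHA-1 hex digest
        CallbackHandler h = cbs -> ((PasswordCallback) cbs[0]).setPassword("secret".toCharArray());
        for (Map<String, String> opts : List.of(Map.of("debug", "true"), Map.of("digest", "SHA"))) {
            LoginModule m = new DigestOptionLoginModule();
            m.initialize(new Subject(), h, Map.of(), opts);
            try { System.out.println(opts + " -> " + m.login()); }
            catch (LoginException e) { System.out.println(opts + " -> " + e.getMessage()); }
        }
    }
}
```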
