On Sep 14, 2016, at 5:37 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
Brian,

On 9/14/16 3:40 PM, Paquin, Brian wrote:

I was able to set up Tomcat 8.0.35 to use a SHA hashed password in tomcat-users.xml (trying to secure the Manager app a bit more), but the same setup does not work on 8.5.5. Is there something I need to change to get this to work again?

Yes.

server.xml engine:

  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm"
           failureCount="3" lockOutTime="600" cacheSize="1000"
           cacheRemovalWarningTime="3600">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Realm>
    <Host name="localhost" appBase="webapps" unpackWARs="true"
          autoDeploy="true" deployXML="true">
      <Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />

Command to generate the hash that was used as the user's password in tomcat-users.xml:

  /usr/local/tomcat/bin/digest.sh -a SHA my_password

In 8.5.5, I can log in to Manager if I replace the SHA hash with the plaintext version of the password... I read through https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but still can't get it to work.

Have a look at http://tomcat.apache.org/migration-85.html, specifically http://tomcat.apache.org/migration-85.html#Internal_APIs

Note that SHA passwords are no better than plaintext passwords. If you want to *actually* add some security, you need to at least use salted passwords. Better yet, use a PBKDF.

I tried using the following in server.xml:

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" iterations="24680" saltLength="18" />
  </Realm>

And then using:

  /usr/local/tomcat/bin/digest.sh -a SHA-256 -i 24680 -s 18 secret_password

And got back:

  secret_password:9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905

I then added that to my tomcat-users.xml:

  <user username="my_username" password="9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905" roles="manager-gui,admin,admin-gui"/>

After stopping and starting Tomcat, Manager asks for credentials but does not accept them. What have I got wrong? (I was hoping to use PBKDF2, but it did not appear that digest.sh would accept PBKDF2 as an algorithm.)

Brian

You might want to have a look at this presentation: http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf

-chris

Brian Paquin
Help Desk Support
Yale Pathology ITS
---------------------------------------------------
310 Cedar St. BML B50
New Haven, CT 06520
203-785-3691-office
203-785-2403-fax
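An offline check of the stored-credential format the thread is about, added here as an example; it is not Tomcat's code and not code from either poster. It re-implements in Python what Tomcat 8.5's MessageDigestCredentialHandler (the iterated, salted message digest configured in the server.xml snippet above) and SecretKeyCredentialHandler (PBKDF2, the "use a PBKDF" route) compute, so a value printed by digest.sh can be checked against a password without restarting Tomcat, and a rejected login can be narrowed down to either the stored value or the handler configuration. Both handlers store hexSalt$iterations$hexDigest; a value with no `$` is treated as an unsalted single-round hex digest, which is the old digest="SHA" form. The round structure (round one hashes salt followed by password, each further round hashes the previous digest), the Java-to-hashlib algorithm name table, and the `generate`/`verify`/`parse_stored` helper names are my reading and my naming, not Tomcat's API; the example password and sample values are constructed, not the ones from the thread; Java's PBKDF2 is assumed to encode the password as UTF-8, which matches hashlib for ASCII passwords.

```python
"""Offline re-implementation (added example, not Tomcat code) of what Tomcat 8.5's
MessageDigestCredentialHandler and SecretKeyCredentialHandler compute, so a value
printed by digest.sh can be verified against a password without running Tomcat.

Stored format for both handlers: hexSalt$iterations$hexDigest.
A value with no '$' is an unsalted, single-round hex digest (the old digest="SHA" form).
"""
import hashlib
import hmac
import os
import re

# Java MessageDigest / SecretKeyFactory names -> hashlib names. Only the
# commonly used names are listed (assumption: extend as needed).
_MD_ALGOS = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1",
             "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
_PBKDF2_ALGOS = {"PBKDF2WithHmacSHA1": "sha1", "PBKDF2WithHmacSHA256": "sha256",
                 "PBKDF2WithHmacSHA512": "sha512"}
_HEX = re.compile(r"^[0-9a-fA-F]*$")


def parse_stored(stored):
    """Split 'hexSalt$iterations$hexDigest' into (salt_bytes, iterations, hex_digest).
    Returns None when the value is not in that shape or a field is not valid hex:
    Tomcat hex-decodes both fields, so such a value can never match any password."""
    parts = stored.split("$")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    salt_hex, iterations, digest_hex = parts
    if not (_HEX.match(salt_hex) and _HEX.match(digest_hex)):
        return None
    if len(salt_hex) % 2 or len(digest_hex) % 2:
        return None
    return bytes.fromhex(salt_hex), int(iterations), digest_hex.lower()


def message_digest(password, algorithm="SHA-256", salt=b"", iterations=1, encoding="UTF-8"):
    """MessageDigestCredentialHandler: round 1 hashes salt || password, every further
    round hashes the previous digest. Returns lowercase hex."""
    name = _MD_ALGOS[algorithm]
    h = hashlib.new(name)
    h.update(salt)
    h.update(password.encode(encoding))
    digest = h.digest()
    for _ in range(1, iterations):
        digest = hashlib.new(name, digest).digest()
    return digest.hex()


def pbkdf2(password, salt, iterations, key_length_bits, algorithm="PBKDF2WithHmacSHA512"):
    """SecretKeyCredentialHandler: PBKDF2 with the HMAC named in the Java algorithm
    string. keyLength is configured in bits; Java encodes the password as UTF-8 (assumed)."""
    return hashlib.pbkdf2_hmac(_PBKDF2_ALGOS[algorithm], password.encode("utf-8"),
                               salt, iterations, dklen=key_length_bits // 8).hex()


def generate(password, algorithm="SHA-256", iterations=1, salt_length=0, key_length_bits=160):
    """What digest.sh -a <algorithm> -i <iterations> -s <salt_length> prints after the
    'password:' prefix. The salt is random, so each call yields a different value."""
    salt = os.urandom(salt_length)
    if algorithm in _PBKDF2_ALGOS:
        digest = pbkdf2(password, salt, iterations, key_length_bits, algorithm)
    elif salt_length == 0 and iterations == 1:
        return message_digest(password, algorithm)  # legacy unsalted form, no '$'
    else:
        digest = message_digest(password, algorithm, salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest)


def verify(password, stored, algorithm="SHA-256"):
    """Mirror of the handler's matches(): salted form when a '$' is present (the
    PBKDF2 key length is taken from the stored digest length, as Tomcat does),
    otherwise a case-insensitive compare against the unsalted digest."""
    if "$" not in stored:
        return hmac.compare_digest(stored.lower(), message_digest(password, algorithm))
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    salt, iterations, expected = parsed
    if algorithm in _PBKDF2_ALGOS:
        actual = pbkdf2(password, salt, iterations, len(expected) * 4, algorithm)
    else:
        actual = message_digest(password, algorithm, salt, iterations)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample values; the password is not the one from the thread.
    salted = generate("example-password", "SHA-256", iterations=24680, salt_length=18)
    print(salted, verify("example-password", salted))
    pb = generate("example-password", "PBKDF2WithHmacSHA512",
                  iterations=100000, salt_length=16, key_length_bits=256)
    print(pb, verify("example-password", pb, "PBKDF2WithHmacSHA512"))
```

Two things the script makes visible that the thread does not: the salt is random, so two runs of digest.sh for the same password never print the same string and a stored value can only be checked by verifying it, never by comparing strings; and a stored value whose salt or digest contains anything outside 0-9a-f fails before any hashing happens, because the realm hex-decodes both fields.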