On Sep 14, 2016, at 5:37 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:


Brian,

On 9/14/16 3:40 PM, Paquin, Brian wrote:
I was able to setup Tomcat 8.0.35 to use a SHA hashed password in
tomcat-users.xml (trying to secure the Manager app a bit more),
but the same setup does not work on 8.5.5.

Is there something I need to change to get this to work again?

Yes.

server.xml engine:

<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3"
         lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
        deployXML="true">
    <Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
</Engine>

Command to generate the hash that was used as the user's password in
tomcat-users.xml:
/usr/local/tomcat/bin/digest.sh -a SHA my_password

In 8.5.5, I can log in to Manager if I replace the SHA hash with
the plaintext version of the password...

I read through
https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but
still can't get it to work.

Have a look at http://tomcat.apache.org/migration-85.html,
specifically http://tomcat.apache.org/migration-85.html#Internal_APIs

Note that SHA passwords are no better than plaintext passwords. If you
want to *actually* add some security, you need to at least use salted
passwords. Better yet, use a PBKDF.

I tried using the following in server.xml:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler
      className="org.apache.catalina.realm.MessageDigestCredentialHandler"
      algorithm="SHA-256" iterations="24680" saltLength="18" />
</Realm>

And then using:
/usr/local/tomcat/bin/digest.sh -a SHA-256 -i 24680 -s 18 secret_password

And got back:
secret_password:9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905

I then added that to my tomcat-users.xml:
<user username="my_username"
      password="9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905"
      roles="manager-gui,admin,admin-gui"/>

After stopping and starting Tomcat, Manager asks for credentials but does not
accept them.
What have I got wrong?

(I was hoping to use PBKDF2 but it did not appear that digest.sh would accept 
PBKDF2 as an algorithm.)

Brian

You might want to have a look at this presentation:
http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf

- -chris
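An added example, not code from the thread or from Tomcat itself: a Python re-implementation of the salt$iterations$hash scheme that digest.sh prints and MessageDigestCredentialHandler checks, so a stored value like the one in the tomcat-users.xml snippet above can be verified outside Tomcat. It assumes round one hashes the salt followed by the UTF-8 password and every further iteration re-hashes the previous digest, as Tomcat's handler does; the function names, the Java-to-hashlib name mapping and the default iteration/salt values (taken from the server.xml above) are my own.

```python
import hashlib
import hmac
import os

SEPARATOR = "$"  # stored form: <salt-hex>$<iterations>$<digest-hex>

# Map the Java MessageDigest names used in server.xml / digest.sh to hashlib names.
JAVA_TO_HASHLIB = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256",
                   "SHA-512": "sha512", "MD5": "md5"}


def _digest(algorithm, iterations, salt, password):
    """Round 1 hashes salt || password; each further round re-hashes the
    previous digest (assumption: mirrors Tomcat's ConcurrentMessageDigest)."""
    name = JAVA_TO_HASHLIB[algorithm]
    h = hashlib.new(name)
    h.update(salt)
    h.update(password.encode("utf-8"))
    result = h.digest()
    for _ in range(1, iterations):
        result = hashlib.new(name, result).digest()
    return result


def generate(algorithm, password, iterations=24680, salt_length=18, salt=None):
    """Produce the salt$iterations$hash string digest.sh prints
    (a fixed salt may be passed for reproducible tests)."""
    if salt is None:
        salt = os.urandom(salt_length)
    digest = _digest(algorithm, iterations, salt, password)
    return SEPARATOR.join([salt.hex(), str(iterations), digest.hex()])


def matches(algorithm, password, stored):
    """Verify a password against a stored credential; the salt and iteration
    count are read from the stored value, not from the handler's attributes."""
    parts = stored.split(SEPARATOR)
    if len(parts) == 1:
        # unsalted, single-round legacy form (digest.sh -a SHA my_password)
        expected_hex = _digest(algorithm, 1, b"", password).hex()
        return hmac.compare_digest(expected_hex, stored.lower())
    if len(parts) != 3:
        return False
    try:
        salt = bytes.fromhex(parts[0])
        iterations = int(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        # non-hex characters, e.g. a value mangled when pasted into mail
        return False
    return hmac.compare_digest(_digest(algorithm, iterations, salt, password), expected)
```

Running matches() against a value copied from tomcat-users.xml is a quick way to tell whether the stored credential itself is parseable before looking at the realm configuration.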


Brian Paquin
Help Desk Support Yale Pathology ITS
---------------------------------------------------
310 Cedar St. BML B50
New Haven, CT 06520
203-785-3691-office
203-785-2403-fax
