Thanks Christopher. It works. I thought I had already changed to BASIC... did you understand that I was using DIGEST looking into those logs? Anyway yes I do not want to use MD5, but I was just testing the whole login. But thanks for the suggestion. Cheers R
On Sat, 20 Feb 2021 at 15:53, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Roberto,
>
> Welcome to the Tomcat users list! (See below...)
>
> On 2/19/21 17:14, Roberto Simoni wrote:
> > Hi, I'm trying to configure digested password in an application. Just for
> > example I was trying with MD5.
> > First of all:
> > * OS: CentOS Linux 7 (Core)
> > * Tomcat full version: 9.0.43
>
> Thanks for that.
>
> > I configured the Host in this way:
> >
> > <Host name="tradx.sixro.io" debug="0" appBase="webapps" unpackWARs="true"
> >       autoDeploy="true">
> >   <Context path="" docBase="/home/sixroio/sixro.io/tomcat/webapps/tradx"
> >            crossContext="false" reloadable="true">
>
> You don't want your <Context> defined here.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Defining_a_context
>
> >     <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
> >               maxTotal="10" maxIdle="5" maxWaitMillis="5000"
> >               username="myusr" password="mypwd"
> >               driverClassName="org.mariadb.jdbc.Driver"
> >               url="jdbc:mariadb://localhost:3306/mydb"/>
> >
> >     <Realm resourceName="DbRealm"
> >            className="org.apache.catalina.realm.DataSourceRealm"
> >            dataSourceName="jdbc/mydb" localDataSource="true"
> >            userTable="USERS" userNameCol="USER_NAME" userCredCol="PASSWORD"
> >            userRoleTable="USER_ROLES" roleNameCol="ROLE_NAME" debug="99">
> >       <CredentialHandler
> >           className="org.apache.catalina.realm.MessageDigestCredentialHandler"
> >           algorithm="MD5" ></CredentialHandler>
>
> Note that MD5 is super, super sucky.
>
> >     </Realm>
> >
> >     <Valve className="org.apache.catalina.valves.AccessLogValve"
> >            directory="/home/sixroio/sixro.io/tomcat/logs"
> >            prefix="tradx.sixro.io_log." suffix=".txt"
> >            pattern="common" resolveHosts="false"/>
> >   </Context>
> > </Host>
> >
> > The authentication fails. For testing purposes I created a username usr
> > with password 1 that in MD5 is c4ca4238a0b923820dcc509a6f75849b
> >
> > Enabling details in logs I found these rows:
> > 19-Feb-2021 21:48:33.232 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /
> > 19-Feb-2021 21:48:33.233 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
> > 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
> > 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Monitoring]' against GET /index.jsp --> false
> > 19-Feb-2021 21:48:33.234 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tradx]' against GET /index.jsp --> true
> > 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
> > 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> > 19-Feb-2021 21:48:33.235 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> > 19-Feb-2021 21:48:33.486 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.realm.RealmBase.authenticate Digest : 3038dd372061bee3cfa5e1a510bea637 Username:usr ClientDigest:3038dd372061bee3cfa5e1a510bea637 nonce:1613771311042:138f42717e6782847a85f249e2deedae nc:00000002 cnonce:c5513c3d36b6b643 qop:auth realm:DbRealmmd5a2:71998c64aea37ae77020c49c00f73fa8 Server digest:a66b50234577cb13076d3a117102c955
> > 19-Feb-2021 21:48:33.487 FINE [ajp-nio-127.0.0.1-33407-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>
> You are using HTTP-Digest authentication which is not what you have
> configured for your CredentialHandler.
>
> There is some confusing naming, here. Java has a class called
> MessageDigest which takes bytes and produces signatures. In the
> industry, it's sometimes now called "digesting" which is IMO confusing
> and wrong. It would be better to call it "hashing" because it doesn't
> conflict with other uses of that word.
>
> HTTP-Digest is an authentication system which does some hand-wavy
> magic[1] to hide your password from going over the network if you are
> using unencrypted channels. This was great back in 1995 but it's a bad
> system IMO because the server needs to have your cleartext password in
> order to perform authentication. There are ways to store "not the
> cleartext" on the server-side, but they are even more awkward.
>
> I would recommend:
>
> 1. Use TLS for security
> 2. Use HTTP Basic authentication for simplicity
> 3. Don't use MD5 :)
>
> You can't securely use #2 without #1.
>
> To change from HTTP-Digest to HTTP-Basic, just change your web.xml:
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>file</realm-name>
> </login-config>
>
> You are still using "digested"/"hashed" passwords on the server-side, so
> don't worry about that.
>
> Might I suggest that you consider using a better hashing algorithm than
> MD5? Something like SHA512 with salt and iterations? Or, maybe PBKDF2 or
> bcrypt?
>
> I'd recommend reading this:
> https://tomcat.apache.org/presentations.html#latest-credential-security
>
> Hope that helps,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
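The point Christopher makes in the thread above (HTTP Digest forces the server to hold the cleartext password, or a password-equivalent HA1, whereas HTTP Basic over TLS lets the server verify against a salted, iterated hash) is easier to see in code. The following is an added example written for this page; it is not code from the thread or from Tomcat. The Digest half implements the RFC 2617 `qop=auth` response computation. The stored-hash half uses the `salt$iterations$hash` string layout and the salt-then-password, re-hash-(iterations-1)-times ordering that I believe Tomcat's `MessageDigestCredentialHandler` uses; treat that ordering as an assumption and check it against your Tomcat version before relying on interoperability. The RFC 2617 sample values and the user `usr` / password `1` check are constructed test inputs.

```python
"""Added example (not from the thread or Tomcat): why HTTP Digest needs the
cleartext password server-side, and how a salted, iterated stored hash lets the
server verify an HTTP Basic (over TLS) password without keeping cleartext."""
import hashlib
import hmac
import os
from typing import Optional


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# --- HTTP Digest, RFC 2617 with qop=auth ------------------------------------
def digest_ha1(username: str, realm: str, password: str) -> str:
    # HA1 can only be formed from the cleartext password. Storing HA1 instead
    # is the "not the cleartext" option: it is a password equivalent for this realm.
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_server_check(client_response: str, username: str, realm: str,
                        password: str, method: str, uri: str, nonce: str,
                        nc: str, cnonce: str, qop: str = "auth") -> bool:
    # The server must recompute the whole response, so it needs `password`
    # (or a stored HA1). A salted SHA-512 of the password is useless here:
    # nothing in the client's response can be derived from it.
    expected = digest_response(digest_ha1(username, realm, password),
                               method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)


# --- Server-side stored hash, verified against an HTTP Basic password --------
def hash_password(password: str, algorithm: str = "sha512",
                  salt: bytes = b"", iterations: int = 1) -> str:
    """Hex digest of salt||password, re-hashed (iterations - 1) more times.
    Assumption: mirrors Tomcat's MessageDigestCredentialHandler ordering."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    md = hashlib.new(algorithm)
    md.update(salt)
    md.update(password.encode("utf-8"))
    digest = md.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def make_stored_credential(password: str, algorithm: str = "sha512",
                           salt: Optional[bytes] = None,
                           iterations: int = 100_000) -> str:
    """Build a `salt$iterations$hash` string for the realm's PASSWORD column."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    return f"{salt.hex()}${iterations}${hash_password(password, algorithm, salt, iterations)}"


def verify_stored(stored: str, password: str, algorithm: str) -> bool:
    """Check a Basic-auth password against a stored credential. Accepts both the
    salted form and a bare unsalted digest like the thread's MD5 of "1"."""
    if "$" in stored:
        salt_hex, iters, expected = stored.split("$", 2)
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    else:
        salt, iterations, expected = b"", 1, stored
    actual = hash_password(password, algorithm, salt, iterations)
    return hmac.compare_digest(actual.lower(), expected.lower())


if __name__ == "__main__":
    # Constructed inputs: the RFC 2617 worked example for Digest...
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    resp = digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    print("Digest response:", resp)
    # ...and the thread's unsalted MD5 credential for user "usr", password "1".
    print("bare MD5 verifies:", verify_stored("c4ca4238a0b923820dcc509a6f75849b", "1", "md5"))
    cred = make_stored_credential("1")
    print("stored credential:", cred)
    print("salted SHA-512 verifies:", verify_stored(cred, "1", "sha512"))
```

Note that `verify_stored` never needs the cleartext: it re-derives the hash from the candidate password the client sent in the `Authorization: Basic` header, which is exactly why that header has to travel over TLS. `digest_server_check`, by contrast, cannot be written against the salted credential at all.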