On Tue, Nov 15, 2022 at 11:11 AM Thorsten Schöning <tschoen...@am-soft.de> wrote:
>
> Hi everyone,
>
> I have some webapp hosted by Tomcat and need to restrict user access
> to some part of that. One additional requirement is that this app
> needs to be CIS benchmark compliant, which requires using
> LockOutRealm and restricts storing plain-text passwords. Therefore,
> the ultimate solution in my case would be the following:
>
> > <Realm className="org.apache.catalina.realm.LockOutRealm">
> >   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >          resourceName="UserDatabase">
> >     <CredentialHandler
> >         className="org.apache.catalina.realm.SecretKeyCredentialHandler"
> >         algorithm="PBKDF2WithHmacSHA512"
> >         iterations="100000"
> >         keyLength="256"
> >         saltLength="16"
> >     />
> >   </Realm>
> > </Realm>
>
> But that doesn't work, because LockOutRealm ignores any credential
> handler. Additionally, with the Tomcat 10 I use, I'm unable to set any
> "digest" attribute on the realm itself anymore either. The only way
> to fulfill both requirements is to implement a custom realm.
>
> > Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm setCredentialHandler
> > WARNUNG: A CredentialHandler was set on an instance of the
> > CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> > doesn't use a configured CredentialHandler. Is this a configuration
> > error?
>
> https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
> https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
> https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
> https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm
>
> So, what's the reason for not supporting credential handlers for
> LockOutRealm?
>
> It doesn't make too much sense to me, especially as most docs I came
> across use LockOutRealm in combination with some other realm, and
> there are no docs saying that a fundamental concept like credential
> helpers won't work at all in this setup. Additionally, when researching
> that task, some people even claim that the above XML config works, but
> it simply can't. I don't see any code in LockOutRealm to ask other
> realms about their credential handlers.
>
> I've had a look at the bugtracker already and couldn't find this topic
> discussed or a reason for the implementation. OTOH, someone did add
> some code to explicitly log a warning message instead of fixing the
> underlying problem.
>
> Is the problem really to decide which of the child realms to choose
> for its credential handler to use? In the easiest case simply use the
> first credential handler found by a depth-first search; that should
> work for the majority of use-cases. Other aspects of the config, like
> the default assumed nesting level of realms and so on, seem hard-coded
> as well.
>
> I would be glad to read some thoughts, as I need to decide how to deal
> with this limitation right now. Thanks!
Ok, this is a bit confusing. Everything is configured properly if you nest
the CredentialHandler on the right realm (the UserDatabaseRealm). However,
the CredentialHandler exposed by getAttribute(Globals.CREDENTIAL_HANDLER) is
always the CredentialHandler from the realm attached to the context, here it
is LockOutRealm, which isn't very useful. Maybe NestedCredentialHandler could
be used to construct a CredentialHandler that could be useful to the
application, but this needs more thought.

Rémy

>
> Kind regards
>
> Thorsten Schöning
>
> --
> AM-SoFT IT-Service - Bitstore Hameln GmbH
> Member of the Bitstore Group - your full-service provider for IT and telecommunications
>
> E-Mail: thorsten.schoen...@am-soft.de
> Web: http://www.AM-SoFT.de/
>
> Tel: +49 5151- 9468- 0
> Tel: +49 5151- 9468-55
> Mobile: +49 178-8 9468-04
>
> AM-SoFT IT-Service - Bitstore Hameln GmbH, Brandenburger Str. 7c, 31789 Hameln
> AG Hannover HRB 221853 - Managing Director: Janine Galonska
>
>
> I am available for any questions at any time.
>
> Kind regards,
>
> Thorsten Schöning
>
>
> Phone: +49 5151 9468-55
> Fax:
> E-Mail: tschoen...@am-soft.de
>
> AM-Soft IT-Service - Bitstore Hameln GmbH
> Brandenburger Straße 7c
> 31789 Hameln
>
> This e-mail contains confidential and/or legally protected information and
> is intended solely for the addressee. Any access to this e-mail by persons
> other than the addressee is prohibited. If you are not the correct addressee
> or have received this e-mail in error, please notify the sender immediately
> and destroy this e-mail. If you are not the intended addressee of this
> e-mail, any publication, copying or forwarding, as well as taking or
> omitting to take any action in reliance on the information obtained, is
> prohibited.
>
> This e-mail may contain confidential and/or privileged information and is
> intended solely for the addressee.
> Access to this email by anyone else is unauthorized. If you are not the
> intended recipient (or have received this e-mail in error) please notify
> the sender immediately and destroy this e-mail. If you are not the intended
> recipient, any disclosure, copying, distribution or any action taken or
> omitted to be taken in reliance on it, is prohibited and may be unlawful.
>
> Data protection notice: bitstore.group/datenschutz
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
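Both messages turn on the fact that the LockOutRealm wrapper only counts failed logins and the nested UserDatabaseRealm's CredentialHandler is what actually checks a password. The following Python is an added example, not code from this thread or from Tomcat, that shows what the configured SecretKeyCredentialHandler stores and verifies. It assumes the hex(salt)$iterations$hex(key) layout that DigestCredentialHandlerBase writes when a salt and iteration count are configured, that Java's PBKDF2WithHmacSHA512 consumes the UTF-8 bytes of the password, and that keyLength is given in bits; the function names mutate, matches and check_policy and the sample credentials are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Parameters copied from the <CredentialHandler> element in the thread.
ALGORITHM = "sha512"            # PBKDF2WithHmacSHA512 -> HMAC-SHA512 PRF
ITERATIONS = 100_000
KEY_LENGTH_BITS = 256
SALT_LENGTH = 16


def mutate(password: str, salt: Optional[bytes] = None,
           iterations: int = ITERATIONS,
           key_length_bits: int = KEY_LENGTH_BITS) -> str:
    """Build a stored credential in the hex(salt)$iterations$hex(key) layout.

    Assumption: this is the layout DigestCredentialHandlerBase writes when a
    salt and an iteration count are configured, and the PBKDF2 input is the
    UTF-8 encoding of the password, as Java's PBKDF2WithHmacSHA512 uses.
    """
    if salt is None:
        salt = os.urandom(SALT_LENGTH)   # fresh random salt per credential
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, dklen=key_length_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def _split(stored: str) -> Optional[Tuple[bytes, int, bytes]]:
    """Return (salt, iterations, key), or None when the string is not in the
    salted/iterated layout (e.g. a plain-text or unsalted legacy entry)."""
    parts = stored.split("$")
    if len(parts) != 3:
        return None
    try:
        return bytes.fromhex(parts[0]), int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return None


def matches(password: str, stored: str) -> bool:
    """Check a password against a stored credential.

    The lock-out wrapper never participates here: it only counts failures
    reported by the nested realm, so verification depends solely on the
    parameters embedded in the stored string."""
    parsed = _split(stored)
    if parsed is None:
        return False
    salt, iterations, expected = parsed
    if iterations < 1 or not salt or not expected:
        return False
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, dklen=len(expected))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(key, expected)


def check_policy(stored: str, min_iterations: int = ITERATIONS,
                 min_salt_len: int = SALT_LENGTH,
                 min_key_len: int = KEY_LENGTH_BITS // 8) -> List[str]:
    """Audit one stored credential against the parameters the handler is
    supposed to enforce; returns a list of findings, empty when compliant."""
    parsed = _split(stored)
    if parsed is None:
        return ["not in salt$iterations$key form (plain text or unsalted?)"]
    salt, iterations, key = parsed
    findings = []
    if iterations < min_iterations:
        findings.append(f"iterations {iterations} < {min_iterations}")
    if len(salt) < min_salt_len:
        findings.append(f"salt length {len(salt)} < {min_salt_len}")
    if len(key) < min_key_len:
        findings.append(f"key length {len(key)} < {min_key_len}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a credential as the configured handler would store it.
    cred = mutate("s3cret")
    print("stored:", cred)
    print("login ok:", matches("s3cret", cred))
    print("wrong pw:", matches("guess", cred))
    # A weaker entry, e.g. left over from a previous handler configuration.
    print("findings:", check_policy(mutate("s3cret", iterations=1000)))
```

Running check_policy over every password attribute in tomcat-users.xml is a quick way to confirm that the nested handler, and not some earlier default, produced the stored values; the strings Tomcat's own digest utility emits for the same handler class and parameters should be accepted by matches() under the layout assumption above.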