Rémy and Thorsten,

On 11/15/22 06:59, Rémy Maucherat wrote:
On Tue, Nov 15, 2022 at 11:11 AM Thorsten Schöning
<tschoen...@am-soft.de> wrote:

Hi everyone,

I have some webapp hosted by Tomcat and need to restrict user access
to some part of it. One additional requirement is that this app
needs to be CIS benchmark compliant, and that requires using
LockOutRealm and restricts storing plain-text passwords. Therefore,
the ultimate solution in my case would be the following:

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000"
                       keyLength="256"
                       saltLength="16"
    />
  </Realm>
</Realm>

But that doesn't work, because LockOutRealm ignores any credential
handler. Additionally, with the Tomcat 10 I use, I'm unable to set any
"digest" attribute on the realm itself anymore either. The only way
to fulfill both requirements is to implement a custom realm.

Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm setCredentialHandler
WARNING: A CredentialHandler was set on an instance of the
CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
doesn't use a configured CredentialHandler. Is this a configuration
error?

https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

So, what's the reason for not supporting credential handlers for
LockOutRealm?

Doesn't make too much sense to me, especially as most docs I came
across use LockOutRealm in combination with some other realm, and
there are no docs saying that a fundamental concept like credential handlers
won't work at all in this setup. Additionally, when researching
that task, some people even claim that the above XML config works, but
it simply can't. I don't see any code in LockOutRealm that asks other
realms for their credential handlers.

I've had a look at the bugtracker already and couldn't find this topic
discussed or a reason for the implementation. OTOH, someone did add
some code to explicitly log a warning message instead of fixing the
underlying problem.

Is the problem really to decide which of the child realms to choose
for its credential handler to use? In the easiest case simply use the
first credential handler found with a depth-first search, that should
work for the majority of use-cases. Other aspects of the config like
default assumed nesting level of realms and stuff seem hard-coded as
well.

Would be glad to read some thoughts, as I need to decide how to deal
with this limitation right now. Thanks!

Ok, this is a bit confusing. Everything is configured properly if you
nest the CredentialHandler on the right realm (the UserDatabaseRealm).
However, the CredentialHandler exposed by
getAttribute(Globals.CREDENTIAL_HANDLER) is always the
CredentialHandler from the realm attached to the context, here it is
LockOutRealm, which isn't very useful.

Hmm. You're absolutely right, and it's probably my mistake by doing that. I'll review the code. When you have nested Realms (e.g. CombinedRealm) things can get ... weird if you have multiple credential handlers on each one. It may not always be obvious which one to choose or how to combine them. So interrogating the outer realm for a credential-handler may not really be possible without just explicitly-setting a credential handler that knows what to do on the outermost realm.

Maybe NestedCredentialHandler could be used to construct a
CredentialHandler that could be useful to the application, but this
needs more thought.

The CredentialHandler set in the application scope is indeed intended to be used by the application, for example to allow for in-app password changes. The idea is that the application should be able to use the same password-mangling rules used by Tomcat without necessarily having to know what those rules are.

Thorsten, what makes you say "it doesn't work" and "LockoutRealm ignores any credential handler"? When you say "it doesn't work"... what DOES it do?

In Tomcat 10 BTW, the "digest" attribute has been removed in favor of a properly-configured <CredentialHandler>. Note that you can't use "digest" and also get acceptable security out of the Realm, anyway.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
