
List:       tomcat-user
Subject:    Re: How do auth-method BASIC and DIGEST play together with some credential helper?
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2022-11-16 12:17:28
Message-ID: 1238d1fd-33ea-8522-f5bb-d69d2218d2d1 () christopherschultz ! net

Thorsten,

On 11/16/22 02:36, Thorsten Schöning wrote:
> Good day Christopher Schultz,
> on Wednesday, 16 November 2022 at 04:17 you wrote:
> 
>> You should double-check the definition of "compliant to CIS
>> benchmark spec" because there is no way in hell that HTTP DIGEST is
>> required.[...]
> 
> The spec doesn't tell me exactly to use auth-method DIGEST, but their
> example configs and stuff use exactly that.
> 
>> $ grep -i <login-config>[.\n]*<auth-method>DIGEST</auth-method>[.\n]*<realm-name>UserDatabase</realm-name>[.\n]*</login-config>
>> $CATALINA_HOME/webapps/manager/WEB-INF/web.xml
> 
> And here it comes:
> 
>> If a Realm exists without a digest attribute or without a value for
>> the digest attribute, this is a fail.

I see. This is a *super* old document, then, because it suggests you 
can use MD5, which is not acceptable as a hashing algorithm in 2022.

> That sentence is for Tomcat 9, in which that attribute has been removed
> as well already, hasn't it? They don't even mention any credential
> handler possible in Tomcat at all, even though those are superior to
> using the digest attribute.

Agreed. Tomcat 9 should still support "digest" simply due to Tomcat 9's 
long history. I believe "digest" was only removed in Tomcat 10 or later.

> So this whole abstract seems broken in the CIS spec to me and I just
> needed to collect input on how to deal with that. OTOH, thinking about
> it again, the customer says to run automatic CIS checks using some app
> and that didn't complain about auth-method BASIC yet. So using that
> with PBKDF2WithHmacSHA512 seems to be all the more fine.

I should hope that, with an explanation, you will be able to get an 
exemption for that rather outdated rule.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
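As an added worked example of the point Chris is making (this is not part of the thread and not Tomcat's own code): with auth-method DIGEST the realm has to hold HA1 = MD5(username:realm:password), because that is the only value the server can recompute the client's Digest response from, so the realm is pinned to MD5 no matter which CredentialHandler is configured. With auth-method BASIC (over TLS) the server receives the cleartext password and can verify it against a PBKDF2WithHmacSHA512 entry. The stored-string layout used below (hex salt, iteration count and hex key joined by `$`) is modelled on what SecretKeyCredentialHandler and digest.sh emit, and should be checked against your own build before you rely on it; the iteration count, salt and key sizes, realm name, nonce and credentials are example values chosen here, not Tomcat defaults.

```python
"""
BASIC + PBKDF2WithHmacSHA512 versus DIGEST + MD5, as seen from the server.
Added example for the tomcat-user thread; not Tomcat source code.
"""
import hashlib
import hmac
import secrets

# ---- auth-method BASIC: realm may use SecretKeyCredentialHandler ----------
# Assumption: stored form is hex(salt)$iterations$hex(key), as digest.sh emits.

def pbkdf2_mutate(password, salt=None, iterations=100_000, key_length_bits=256):
    """Hash a cleartext password the way a PBKDF2WithHmacSHA512 realm stores it."""
    if salt is None:
        salt = secrets.token_bytes(16)          # 16-byte random salt (example size)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=key_length_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def pbkdf2_matches(password, stored):
    """Server-side check. Only possible because BASIC delivers the cleartext password."""
    salt_hex, iterations, key_hex = stored.split("$")
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# ---- auth-method DIGEST: realm must hold MD5(username:realm:password) -----

def ha1(username, realm, password):
    """HA1 from RFC 2617; this hex string is what a DIGEST realm has to store."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def digest_response(ha1_hex, nonce, method, uri):
    """RFC 2617 response (no qop): MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode("utf-8")).hexdigest()


def client_digest(username, realm, password, nonce, method, uri):
    """What the browser sends: it knows the password, so it can build HA1 itself."""
    return digest_response(ha1(username, realm, password), nonce, method, uri)


def server_verifies_digest(stored_ha1, nonce, method, uri, response):
    """The server never sees the password; it can only recompute from stored HA1.
    A PBKDF2 string cannot be turned into HA1, which is why DIGEST forces MD5."""
    return hmac.compare_digest(digest_response(stored_ha1, nonce, method, uri), response)


if __name__ == "__main__":
    realm = "Tomcat Manager Application"       # example realm name
    user, pw = "tomcat", "s3cret"              # example credentials

    # BASIC: store PBKDF2, verify cleartext password from the Authorization header.
    stored = pbkdf2_mutate(pw)
    print("BASIC  stored:", stored)
    print("BASIC  ok    :", pbkdf2_matches(pw, stored), pbkdf2_matches("wrong", stored))

    # DIGEST: store HA1, verify the MD5 response; nothing stronger fits here.
    stored_ha1 = ha1(user, realm, pw)
    resp = client_digest(user, realm, pw, "nonce-example", "GET", "/manager/html")
    print("DIGEST stored:", stored_ha1)
    print("DIGEST ok    :", server_verifies_digest(stored_ha1, "nonce-example",
                                                   "GET", "/manager/html", resp))
```

To compare the BASIC-side string with a real realm entry, generate one with the same parameters using Tomcat's own tool (option letters as in the Tomcat 9 digest.sh usage text): `$CATALINA_HOME/bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler s3cret`; the salt is random, so feed the emitted string to `pbkdf2_matches` rather than comparing strings.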

