List:       tomcat-user
Subject:    RE: Accessing Credential handler inside the web application always returns null
From:       Усман <usmanov () ie
Date:       2023-10-31 17:53:14
Message-ID: AM0PR03MB614670BD52F205B3E277727FA3A0A () AM0PR03MB6146 ! eurprd03 ! prod ! outlook ! com

Hi everyone! CredentialHandler became not null as soon as I transferred the Realm
definition from server.xml to context.xml (after checking the source code). I've been
able to see the new PBKDF2 version of the given clear-text password even with the old
9.0.64 version. I was wondering: is the necessity to have the realm defined inside
context.xml for accessing CredentialHandler a design decision or a possible bug in
Tomcat itself? It wasn't mentioned in the Tomcat documentation. Perhaps it should be
added in the docs.
________________________________
From: Усманов Азат Анварович <usmanov@ieml.ru>
Sent: 30 October 2023, 20:25
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: RE: Accessing Credential handler inside the web application always returns null

I did recheck using 9.0.82; unfortunately nothing has changed, CredentialHandler is
still null.
________________________________
From: Christopher Schultz <chris@christopherschultz.net>
Sent: 30 October 2023, 18:52
To: Tomcat Users List <users@tomcat.apache.org>; Усманов Азат Анварович <usmanov@ieml.ru>
Subject: Re: Accessing Credential handler inside the web application always returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone! I'm trying to test CredentialHandler functionality on our test
> server (Tomcat 9.0.64) inside the web-app. Our realm is defined as follows
> (excerpt from server.xml):
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>        dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD"
>        userNameCol="UserName" userRoleTable="educ.ad_UserRoles" userTable="educ.ad_Users">
>   <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
>     <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>     <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                        algorithm="MD5" />
>   </CredentialHandler>
> </Realm>
> Currently the PWD column, defined as Oracle (RAW), only stores MD5 hashes. I was hoping
> to upgrade to PBKDF2 using Tomcat, so here is the relevant part of the basic login
> controller code (LoginCheckServlet):
>
> LoginCheckServlet
> 
>       protected void doGet(HttpServletRequest request,
>                 HttpServletResponse response) throws ServletException, IOException {
> ...
>             String userName = request.getParameter("j_username");
>             String password = request.getParameter("j_password");
>             HttpSession session = request.getSession();
>             UserRecord user=... //load data from db
>             if (user.checkCorrectPassword(password,session.getServletContext())) {
>                   CredentialHandler cr=Security.getCredentialHandler(getServletContext());
>                   System.out.println(cr.mutate(password));// hoping to see my password displayed as pbkdf2 hash
> .....
> }
> 
> Security.getCredentialHandler
> 
>       public static CredentialHandler getCredentialHandler(final ServletContext context) {
>             System.out.println("context"+context) ;// prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>             System.out.println("context vs"+context.getMajorVersion()); // prints 4
>             System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always prints ATRIB null
>             return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>             }

Your code and configuration look reasonable to me.

> So basically it always returns null when trying to access the
> CredentialHandler attribute inside the Security.getCredentialHandler
> method. Any idea why that might be the case?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:

"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"

There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.

-chris


[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
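
The rehash-on-login upgrade from MD5 to PBKDF2 that this thread is working toward, as an added example that is not code from any poster or from the Tomcat project: it looks the handler up null-safely, verifies with matches(), and stores the mutate() output while the stored value is still in the legacy format. CredentialUpgrade, CredentialStore and the '$'-based legacy check are assumptions made for illustration; it expects the stored credential as a hex string and the Tomcat 9 (javax.servlet) classes on the classpath.

```java
import javax.servlet.ServletContext;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;

/** Added example: migrate stored MD5 credentials to PBKDF2 at login time. */
public final class CredentialUpgrade {

    /** Hypothetical persistence hook; replace with the application's own user-table update. */
    public interface CredentialStore {
        void updateCredential(String userName, String newStoredCredential);
    }

    /** Returns the handler published in the ServletContext, or fails with a clear message. */
    static CredentialHandler requireHandler(ServletContext ctx) {
        Object attr = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        if (!(attr instanceof CredentialHandler)) {
            // As reported in this thread: null while the Realm sat in server.xml.
            throw new IllegalStateException("No CredentialHandler in ServletContext; "
                    + "is the <Realm> nested inside this application's <Context>?");
        }
        return (CredentialHandler) attr;
    }

    /** Assumption: legacy MD5 values are bare hex; PBKDF2 values are salt$iterations$hash. */
    static boolean isLegacy(String stored) {
        return stored != null && stored.indexOf('$') < 0;
    }

    /**
     * Verifies the password against the stored value (either format, via the nested
     * handler) and, if that value is still legacy, replaces it with mutate() output.
     * Neither the password nor the derived credential is ever logged.
     */
    public static boolean verifyAndUpgrade(ServletContext ctx, CredentialStore store,
            String userName, String password, String stored) {
        CredentialHandler handler = requireHandler(ctx);
        if (stored == null || !handler.matches(password, stored)) {
            return false; // wrong password or unknown user: nothing is rewritten
        }
        if (isLegacy(stored)) {
            // NestedCredentialHandler delegates mutate() to its first nested handler,
            // here the SecretKeyCredentialHandler from the Realm definition above.
            String upgraded = handler.mutate(password);
            if (upgraded != null) {
                store.updateCredential(userName, upgraded);
            }
        }
        return true;
    }
}
```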


