https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

            Bug ID: 66349
           Summary: Why does LockOutRealm not support CredentialHandler?
           Product: Tomcat 10
           Version: 10.0.0
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Authentication
          Assignee: dev@tomcat.apache.org
          Reporter: tschoen...@am-soft.de
  Target Milestone: ------

I have some webapp hosted by Tomcat and need to restrict user access to some
part of it. One additional requirement is that this app needs to be CIS
benchmark compliant, which requires using LockOutRealm and forbids storing
plain-text passwords. Therefore, the ultimate solution in my case would be the
following:

> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase">
>     <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>                        algorithm="PBKDF2WithHmacSHA512"
>                        iterations="100000"
>                        keyLength="256"
>                        saltLength="16"
>     />
>   </Realm>
> </Realm>

But that doesn't work, because LockOutRealm ignores any credential handler.
Additionally, with the Tomcat 10 I'm using, I'm no longer able to set any
"digest" attribute on the realm itself either. The only way to fulfill both
requirements is to implement a custom realm.

> Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm setCredentialHandler
> WARNUNG: A CredentialHandler was set on an instance of the
> CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> doesn't use a configured CredentialHandler. Is this a configuration
> error?

https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

So, what's the reason for not supporting credential handlers for LockOutRealm?

It doesn't make much sense to me, especially as most docs I came across use
LockOutRealm in combination with some other realm, and there are no docs stating
that a fundamental concept like credential handlers will only work in a very
limited way in this setup. Additionally, when researching this task, some people
even claim that the above XML config works, but it simply can't. I don't see any
code in LockOutRealm that asks other realms about their credential handlers.

I've had a look at the bug tracker already and couldn't find this topic
discussed or a reason for the implementation. OTOH, someone did add some code
to explicitly log a warning message instead of fixing the underlying problem,
so they most likely had some reason to do so.

Is the problem really deciding which of the child realms' credential handlers
to use? In the easiest case, simply use the first credential handler found with
a depth-first search; that should work for the majority of use cases. Other
aspects of the config, like the default assumed nesting level of realms, seem to
be hard-coded as well.

I'd be glad to read about the reasons and, ideally, whether this could be
enhanced. Thanks!
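To make the configuration above concrete, here is an added example (not Tomcat code, and not part of the report) that reproduces, in Python, what the quoted SecretKeyCredentialHandler settings mean for a stored credential: PBKDF2-HMAC-SHA512, 100000 iterations, a 256-bit key and a 16-byte salt, stored as `hex(salt)$iterations$hex(key)`, which is my understanding of the format Tomcat's digest handlers write and parse. The function and variable names are my own; the sample password and fixed salt are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Parameters mirroring the <CredentialHandler> attributes quoted above.
ALGORITHM = "sha512"          # PBKDF2WithHmacSHA512
ITERATIONS = 100_000          # iterations="100000"
KEY_LENGTH_BITS = 256         # keyLength="256"
SALT_LENGTH = 16              # saltLength="16" (bytes)


def mutate(password: str, salt: bytes, iterations: int = ITERATIONS,
           key_length_bits: int = KEY_LENGTH_BITS) -> str:
    """Derive the stored credential: hex(salt)$iterations$hex(derived key)."""
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, dklen=key_length_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def generate(password: str) -> str:
    """Hash a new password with a fresh random salt (what an admin would store)."""
    return mutate(password, os.urandom(SALT_LENGTH))


def matches(password: str, stored: str) -> bool:
    """Verify a password against a stored credential.

    Parses the salt and iteration count out of the stored string, re-derives
    the key and compares in constant time. A value that does not have the
    salt$iterations$hash shape (for example a plain-text password left in
    tomcat-users.xml) never matches, which is the failure an operator sees
    when the hashing handler is not actually applied to the realm in use.
    """
    try:
        salt_hex, iterations_str, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False
    if iterations <= 0 or not salt or not expected:
        return False
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, dklen=len(expected))
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    # Constructed sample: fixed salt so the output is reproducible.
    demo = mutate("correct-horse", bytes(range(16)))
    print(demo, matches("correct-horse", demo), matches("wrong", demo))
```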
