Re: How to custom java program to decrypt keystore password in Tomcat 10.1.15

2023-10-27 Thread Mark Thomas

On 26/10/2023 11:05, yanyizhong wrote:

> Hi Tomcat team,
> Version: Tomcat 10.1.15
>
> I am trying to upgrade Tomcat from version 9.0.56 to 10.1.15, and found that
> there is no setKeystorePass(String) method in tomcat 10.1.15.
>
> As we want to use the custom keystore encryption password in server.xml like
> this:
>

And this "encrypted" password is "decrypted" how?
https://cwiki.apache.org/confluence/display/TOMCAT/Password
(Hint: this is a waste of time from a security perspective.)

If you can find a way to make this work then you are welcome to use it 
but I am sure as I can be that if source code changes are required in 
Tomcat to make this work they won't be happening.


I suspect the way to do this (if you really must) would be via a custom 
PropertySource. If you look at the existing implementations then you 
should have enough hints to put together an implementation that looks 
for "enc:" and "decrypts" what it finds.


Note that org.apache.tomcat.util.digester.PROPERTY_SOURCE supports multiple 
values, separated by commas.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat 9.0.75 ignoring session timeout configured in tomcat conf web.xml

2023-10-27 Thread Channa Puchakayala
Hi All,

A bug has already been raised against Tomcat for the same issue:

https://bz.apache.org/bugzilla/show_bug.cgi?id=67793

Thank You Mark.

Regards
Channa

-Original Message-
From: Mark Thomas 
Sent: Friday, October 27, 2023 11:25 AM
To: Tomcat Users List 
Subject: Re: Tomcat 9.0.75 ignoring session timeout configured in tomcat
conf web.xml

26 Oct 2023 05:01:49 Channa Puchakayala:

> Hi All,
>
>
> Tomcat Version : 9.0.75
> Operating System: Windows and Linux
> Bits: 64
>
>
> Tomcat 9.0.75 ignoring session timeout configured in
> tomcat/conf/web.xml, it is overriding previous session timeout setting
> and affecting existing customers.
> ==
>
> 30
> 
> =
>
>
> It looks like this change/issue started in Tomcat version 9.0.74 for
> FormAuthenticator. Why does it overwrite the original session-timeout? Is
> it a bug? Could you please help/suggest.

Have you checked the open issues in bugzilla?

Have you checked Bugzilla / CI changelog to see if the issue has already
been fixed for the next release?

Mark



Re: Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-27 Thread Christopher Schultz

Channa,

On 10/27/23 00:07, Channa Puchakayala wrote:
> Tomcat Version : 9.0.75
> Operating System: Windows and Linux
> Bits: 64
>
> Tomcat 9.0.75 not honoring session timeout configured in
> tomcat/conf/web.xml for FORM Authentication and it is affecting customers.
>
> ==
>      30 // 30 minutes
> =
>
> Verified the Tomcat source code
>
> - FormAuthenticator overriding above configured session timeout setting
>   (30 minutes) with value (120 seconds)
>
> - As per FormAuthenticator.java, this change/issue started from Tomcat
>   Version : 9.0.74 for FORM Authentication and it overwrites the original
>   session-timeout value
>
> - This issue/behavior not observed in 9.0.73
>
> Verified the Tomcat documentation
>
> - Verified the tomcat changelog, there is a fix/change that went into Tomcat
>   9.0.74 related to FORM Based Authentication Session @
>   https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, which looks
>   to be causing this issue.



Can you please state clearly what the issue actually is? This is 
documented behavior of Tomcat. There is a well-documented setting that 
you can adjust if necessary.


Are you reporting a problem? If so, it is not clear from your message above.

What test did you perform?
What did you expect to happen?
What actually happened that was different from your expectation?

-chris





Re: How to custom java program to decrypt keystore password in Tomcat 10.1.15

2023-10-27 Thread Christopher Schultz

yanyizhong and Mark,

On 10/27/23 04:44, Mark Thomas wrote:
> On 26/10/2023 11:05, yanyizhong wrote:
> > Hi Tomcat team,
> > Version: Tomcat 10.1.15
> >
> > I am trying to upgrade Tomcat from version 9.0.56 to 10.1.15, and
> > found that there is no setKeystorePass(String) method in tomcat 10.1.15.
> >
> > As we want to use the custom keystore encryption password in
> > server.xml like this:
> >
> >    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
> >    keystoreFile="E:\tes.jks"
> >    keystorePass="xsdfdfdsfdfxdf(encryption password)"
> >    keystoreType="JKS" />
>
> And this "encrypted" password is "decrypted" how?
> https://cwiki.apache.org/confluence/display/TOMCAT/Password
> (Hint: this is a waste of time from a security perspective.)
>
> If you can find a way to make this work then you are welcome to use it
> but I am sure as I can be that if source code changes are required in
> Tomcat to make this work they won't be happening.
>
> I suspect the way to do this (if you really must) would be via a custom
> PropertySource. If you look at the existing implementations then you
> should have enough hints to put together an implementation that looks
> for "enc:" and "decrypts" what it finds.
>
> Note that org.apache.tomcat.util.digester.PROPERTY_SOURCE supports multiple
> values, separated by commas.


I've been experimenting with the ServiceBindingPropertySource lately 
and, IMHO, improving it. It was contributed to the project some time ago 
and is woefully under-documented. I'm looking to change that. At first, 
I was thinking about a full hour-ish presentation, but it looks like 
it's better as a short webinar or even just patches to the existing 
documentation.


-chris




RE: How to custom java program to decrypt keystore password in Tomcat 10.1.15

2023-10-27 Thread Mcalexander, Jon J.
You could look at how TC Server does this. Their tcserver.jar has an 
encoder/decoder in it and the class is loaded as a digester in the 
Catalina.properties. It relies on having a prefix on the encoded value that 
would subsequently be decoded and the property value replaced with the decoded 
value. The passwords have to be encoded prior to adding them to your 
configuration files. It's fairly easy to do.

You might be able to come up with something similar on your own.

Thanks,

Jon McAlexander

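As an added illustration of the custom PropertySource Mark outlines and the prefix-based decoding Jon describes (example code written for this thread, not from Tomcat or TC Server): a property source that resolves ${enc:...} tokens with AES-GCM. It assumes a hypothetical class com.example.tomcat.EncPropertySource, a key supplied in the TOMCAT_CONFIG_KEY environment variable, and a separate tool (not shown) that produced the base64 IV||ciphertext||tag blob.

```java
package com.example.tomcat; // hypothetical package; not part of Tomcat or TC Server
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Resolves ${enc:...} tokens in server.xml once registered in catalina.properties as
 *   org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.example.tomcat.EncPropertySource
 * The AES key is read from the TOMCAT_CONFIG_KEY environment variable (base64 of 16,
 * 24 or 32 bytes), so anyone who can read that variable can recover every value.
 */
public class EncPropertySource implements IntrospectionUtils.PropertySource {
    private static final String PREFIX = "enc:";
    private static final int IV_LEN = 12;    // GCM nonce length in bytes
    private static final int TAG_BITS = 128; // GCM authentication tag length

    @Override
    public String getProperty(String key) {
        if (key == null || !key.startsWith(PREFIX)) {
            return null; // not ours: Tomcat moves on to its other property sources
        }
        try {
            return decrypt(key.substring(PREFIX.length()), loadKey());
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Fail closed: a wrong key or a tampered value (GCM tag mismatch) aborts startup
            throw new IllegalStateException("Cannot decrypt ${" + key + "}", e);
        }
    }
    static byte[] loadKey() {
        String b64 = System.getenv("TOMCAT_CONFIG_KEY");
        if (b64 == null) {
            throw new IllegalStateException("TOMCAT_CONFIG_KEY is not set");
        }
        return Base64.getDecoder().decode(b64);
    }
    // Blob layout, produced by a separate encrypt tool (not shown):
    //   base64( 12-byte IV || ciphertext || 16-byte GCM tag )
    static String decrypt(String blob, byte[] key) throws GeneralSecurityException {
        byte[] raw = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        byte[] plain = c.doFinal(raw, IV_LEN, raw.length - IV_LEN);
        return new String(plain, StandardCharsets.UTF_8);
    }
}
```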