Re: Accessing Credential handler inside the web application always returns null

2023-10-30 Thread Christopher Schultz 

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:

Hi everyone!I'm trying to test CredentialHandeler functionality onour test 
server (Tomcat 9.0.64) inside the web-app
I Our realm is defined as follows( excerpt from server.xml
)
 


  
  

Currently pwd  column defined as  Oracle (RAW) only stores md5 hashes, I was 
hoping to upgrade to PBKDF2 using tomcat ?so  here is the relevant part basic  
login  controller code  (LoginCheckServlet)
LoginCheckServlet

  protected void doGet(HttpServletRequest request, HttpServletResponse 
response) throws ServletException, IOException {
...
  String userName = request.getParameter("j_username");
String password = request.getParameter("j_password");
  HttpSession session = request.getSession();

   UserRecord user=... //load data from db
if 
(user.checkCorrectPassword(password,session.getServletContext())) {
  CredentialHandler 
cr=Security.getCredentialHandler(getServletContext());
  System.out.println(cr.mutate(password));// hoping 
to see my password displayed as pbkdf2 hash

.
}

Security.getCredentialHandler

  public static CredentialHandler getCredentialHandler(final ServletContext 
context) {
System.out.println("context"+context) ;// prints 
contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
System.out.println("context vs"+context.getMajorVersion()); // 
prints 4

System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always
  prints ATRIB null
return (CredentialHandler) 
context.getAttribute(Globals.CREDENTIAL_HANDLER);
}


Your code and configuration looks reasonable to me.


So basically it always  return null  when trying to access
CredentialHandler attribute inside Security.getCredentialHandler
method,Any idea why it might be the case ?
Are you able to re-try with Tomcat 9.0.70 or later? There is a 
changelog[1] entry which may be important for you:


"
Fix: Improve the behavior of the credential handler attribute that is 
set in the Servlet context so that it actually reflects what is used 
during authentication. (remm)

"

There was a problem specifically with the NestedCredentialHandler, I 
think, which was not working as expected. 9.0.70 includes a fix that 
should improve things for you.


-chris


[1] 
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Accessing Credential handler inside the web application always returns null

2023-10-30 Thread Усманов Азат Анварович 
I did recheck using 9.0.82, unfortunately nothing has changed CredentialHandler 
is still null

От: Christopher Schultz 
Отправлено: 30 октября 2023 г. 18:52
Кому: Tomcat Users List ; Усманов Азат Анварович 

Тема: Re: Accessing Credential handler inside the web application always 
returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone!I'm trying to test CredentialHandeler functionality onour 
> test server (Tomcat 9.0.64) inside the web-app
> I Our realm is defined as follows( excerpt from server.xml
> )
>   dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD" 
> userNameCol="UserName" userRoleTable="educ.ad_UserRoles" 
> userTable="educ.ad_Users">
>  className="org.apache.catalina.realm.NestedCredentialHandler">
>  className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
> algorithm="MD5" />
>   
> 
> Currently pwd  column defined as  Oracle (RAW) only stores md5 hashes, I was 
> hoping to upgrade to PBKDF2 using tomcat ?so  here is the relevant part basic 
>  login  controller code  (LoginCheckServlet)
> LoginCheckServlet
>
>   protected void doGet(HttpServletRequest request, HttpServletResponse 
> response) throws ServletException, IOException {
> ...
>   String userName = request.getParameter("j_username");
> String password = request.getParameter("j_password");
>   HttpSession session = request.getSession();
> 
>    UserRecord user=... //load data from db
> if 
> (user.checkCorrectPassword(password,session.getServletContext())) {
>   CredentialHandler 
> cr=Security.getCredentialHandler(getServletContext());
>   System.out.println(cr.mutate(password));// 
> hoping to see my password displayed as pbkdf2 hash
>
> .
> }
>
> Security.getCredentialHandler
>
>   public static CredentialHandler getCredentialHandler(final 
> ServletContext context) {
> System.out.println("context"+context) ;// prints 
> contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
> System.out.println("context vs"+context.getMajorVersion()); // 
> prints 4
> 
> System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always
>   prints ATRIB null
> return (CredentialHandler) 
> context.getAttribute(Globals.CREDENTIAL_HANDLER);
> }

Your code and configuration looks reasonable to me.

> So basically it always  return null  when trying to access
> CredentialHandler attribute inside Security.getCredentialHandler
> method,Any idea why it might be the case ?
Are you able to re-try with Tomcat 9.0.70 or later? There is a
changelog[1] entry which may be important for you:

"
Fix: Improve the behavior of the credential handler attribute that is
set in the Servlet context so that it actually reflects what is used
during authentication. (remm)
"

There was a problem specifically with the NestedCredentialHandler, I
think, which was not working as expected. 9.0.70 includes a fix that
should improve things for you.

-chris


[1]
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)

Need Help : Unable to write back a response error code from ReadListener#onError

2023-10-30 Thread Adwait Kumar Singh 
Hi,

I am using the async Servlet API and NIO, by setting a ReadListener.

In the onError of the ReadListener, I am catching a SocketTimeoutException
and trying to send back an error code 408. Here is the simplified example
of what I am trying to do,

@Override
> public void onError(Throwable failure) {
> if(failure instanceof SocketTimeoutException) {
> response.sendError(408);
> request.getAsyncContext().complete();
> }
> }
>
>
However, Tomcat just refuses to send back the error I want and instead just
closes the connection. Am I missing something trivial or is this supposed
to be achieved in a different way?

I am using Tomcat 9.0.82 and the Http11NioEndpoint.


Thanks,
Adwait.

Re: Need Help : Unable to write back a response error code from ReadListener#onError

2023-10-30 Thread Adwait Kumar Singh 
FYI, I am doing the async processing on the Container thread itself, just
that I yield the thread back if I can't read without blocking.

Based on the code here
,
I see that the error is only dispatched if the request is not being
executed in the container thread.

On Mon, Oct 30, 2023 at 3:25 PM Adwait Kumar Singh 
wrote:

> Hi,
>
> I am using the async Servlet API and NIO, by setting a ReadListener.
>
> In the onError of the ReadListener, I am catching a SocketTimeoutException
> and trying to send back an error code 408. Here is the simplified example
> of what I am trying to do,
>
> @Override
>> public void onError(Throwable failure) {
>> if(failure instanceof SocketTimeoutException) {
>> response.sendError(408);
>> request.getAsyncContext().complete();
>> }
>> }
>>
>>
> However, Tomcat just refuses to send back the error I want and instead
> just closes the connection. Am I missing something trivial or is this
> supposed to be achieved in a different way?
>
> I am using Tomcat 9.0.82 and the Http11NioEndpoint.
>
>
> Thanks,
> Adwait.
>