Java 9+ and custom JCE/JSSE providers
Hello,

I am in the process of updating https://github.com/amitlpande/tomcat-9-fips for versions later than Java 8. Ran into an issue:

1. Was looking to configure the additional Bouncy Castle providers in the Java install itself by:
   * Modifying the java.security file to add providers.
   * Placing the jars in Java's lib/ext directory.
2. However, from Java 9+, the lib/ext directory is no longer present (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B).
3. The alternative I attempted was to place the additional provider jars in Tomcat's lib directory.
4. Create a Java security properties file with:

       security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
       security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
       security.provider.3=sun.security.provider.Sun
       ssl.KeyManagerFactory.algorithm=PKIX
       ssl.TrustManagerFactory.algorithm=PKIX

5. Launch Tomcat with the JVM option -Djava.security.properties=file:/path/to/java_security_properties_file
6. However, I noticed that these BC providers weren't getting loaded.

I see a comment from Chris here - https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html

"I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way."

Not sure if it's relevant here. But wanted to know if there is any way to configure Tomcat for Java 9+ with custom JSSE/JCE providers (with just a config change)? Maybe I missed something?

Also, FWIW, I was able to get the FIPS configuration for Java 11, 17 with Tomcat 9 by registering a custom listener and adding providers there. Will soon update https://github.com/amitlpande/tomcat-9-fips with detailed steps.

Thanks,
Amit
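Amit mentions registering the providers from a custom listener rather than through java.security. The listener below is an added example (not code from this thread or from the tomcat-9-fips repository) of that approach for BCFIPS and BCJSSE; the class name, the server.xml Listener line in the comment, and the assumption that the bc-fips and bctls-fips jars are already on Tomcat's class path are mine.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Hypothetical listener (not the tomcat-9-fips project's code). Wire it in
 * server.xml as <Listener className="FipsProviderListener"/> ahead of the
 * Connectors; the provider jars must be on the class path (assumption:
 * added via CLASSPATH in setenv.sh|bat).
 */
public class FipsProviderListener implements LifecycleListener {

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // A Server-level listener sees before_init before any Connector is
        // initialised, so providers registered here are visible to JSSE.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        registerFipsProviders();
    }

    static void registerFipsProviders() {
        // Same positions as the security.provider.1/2 entries Amit used.
        if (Security.getProvider("BCFIPS") == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        }
        if (Security.getProvider("BCJSSE") == null) {
            // "fips:BCFIPS" binds the JSSE provider to the FIPS JCE provider.
            Security.insertProviderAt(new BouncyCastleJsseProvider("fips:BCFIPS"), 2);
        }
        // Fail loudly instead of silently running on the JDK defaults.
        Provider[] ps = Security.getProviders();
        if (ps.length < 2
                || !"BCFIPS".equals(ps[0].getName())
                || !"BCJSSE".equals(ps[1].getName())) {
            throw new IllegalStateException(
                "FIPS providers not at head of provider list: " + Arrays.toString(ps));
        }
    }
}
```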
RE: Accessing Credential handler inside the web application always returns null
Hi everyone!

CredentialHandler became not null as soon as I transferred the Realm definition from server.xml to context.xml (after checking the source code). I've been able to see the new pbkdf2 version of the given clear text password even with the old 9.0.64 version. I was wondering: is the necessity to have the realm defined inside context.xml for accessing CredentialHandler a design decision or a possible bug in tomcat itself? It wasn't mentioned in the tomcat documentation. Perhaps it should be added in the docs.

From: Усманов Азат Анварович
Sent: 30 October 2023 20:25
To: users@tomcat.apache.org
Subject: RE: Accessing Credential handler inside the web application always returns null

I did recheck using 9.0.82, unfortunately nothing has changed. CredentialHandler is still null.

From: Christopher Schultz
Sent: 30 October 2023 18:52
To: Tomcat Users List; Усманов Азат Анварович
Subject: Re: Accessing Credential handler inside the web application always returns null

Азат,

On 10/29/23 20:45, Усманов Азат Анварович wrote:
> Hi everyone! I'm trying to test CredentialHandler functionality on our test server (Tomcat 9.0.64) inside the web-app. Our realm is defined as follows (excerpt from server.xml):
>
>     dataSourceName="jdbc/IEML_DB" roleNameCol="RoleName" userCredCol="PWD"
>     userNameCol="UserName" userRoleTable="educ.ad_UserRoles"
>     userTable="educ.ad_Users">
>         className="org.apache.catalina.realm.NestedCredentialHandler">
>             className="org.apache.catalina.realm.SecretKeyCredentialHandler"/>
>             className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
>
> Currently the pwd column defined as Oracle (RAW) only stores md5 hashes. I was hoping to upgrade to PBKDF2 using tomcat, so here is the relevant part of the basic login controller code (LoginCheckServlet):
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>         ...
>         String userName = request.getParameter("j_username");
>         String password = request.getParameter("j_password");
>         HttpSession session = request.getSession();
>
>         UserRecord user=... //load data from db
>         if (user.checkCorrectPassword(password,session.getServletContext())) {
>             CredentialHandler cr=Security.getCredentialHandler(getServletContext());
>             System.out.println(cr.mutate(password));// hoping to see my password displayed as pbkdf2 hash
>             .
>         }
>
> Security.getCredentialHandler:
>
>     public static CredentialHandler getCredentialHandler(final ServletContext context) {
>         System.out.println("context"+context) ;// prints contextorg.apache.catalina.core.ApplicationContextFacade@33f1f7c7
>         System.out.println("context vs"+context.getMajorVersion()); // prints 4
>
>         System.out.println("ATRIB"+context.getAttribute(Globals.CREDENTIAL_HANDLER));//always prints ATRIB null
>         return (CredentialHandler) context.getAttribute(Globals.CREDENTIAL_HANDLER);
>     }

Your code and configuration look reasonable to me.

> So basically it always returns null when trying to access the CredentialHandler attribute inside the Security.getCredentialHandler method. Any idea why it might be the case?

Are you able to re-try with Tomcat 9.0.70 or later? There is a changelog[1] entry which may be important for you:

"Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)"

There was a problem specifically with the NestedCredentialHandler, I think, which was not working as expected. 9.0.70 includes a fix that should improve things for you.

-chris

[1] https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.70_(remm)
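The thread's goal is to move stored credentials from MD5 to PBKDF2 through the Realm's NestedCredentialHandler. The helper below is an added example (not Azat's code or Tomcat's) of the upgrade-on-login pattern behind it; it fails fast when the Globals.CREDENTIAL_HANDLER attribute is absent instead of returning null, and it assumes (my assumption) that legacy MD5 credentials are stored as 32 hex characters.

```java
import javax.servlet.ServletContext;

import org.apache.catalina.CredentialHandler;
import org.apache.catalina.Globals;

/** Hypothetical helper; not part of the web application in the thread. */
public final class CredentialUpgrade {

    private CredentialUpgrade() {}

    /** Resolves the Realm's handler or throws with a configuration hint. */
    public static CredentialHandler handler(ServletContext ctx) {
        Object h = ctx.getAttribute(Globals.CREDENTIAL_HANDLER);
        if (h == null) {
            throw new IllegalStateException(
                "No " + Globals.CREDENTIAL_HANDLER + " attribute: check that the Realm "
                + "is visible to this Context (in this thread it appeared once the Realm "
                + "was moved to context.xml) and that Tomcat is 9.0.70 or later");
        }
        return (CredentialHandler) h;
    }

    /**
     * Returns the credential that should now be stored for the user:
     * null if the clear-text password did not match, the stored value
     * unchanged if it is already PBKDF2, or a fresh mutate() result if it
     * is a bare MD5 digest. With a NestedCredentialHandler, matches() tries
     * every nested handler while mutate() uses the first one, which in the
     * thread's configuration is the SecretKeyCredentialHandler (PBKDF2).
     */
    public static String verifyAndUpgrade(ServletContext ctx, String clearText, String stored) {
        CredentialHandler h = handler(ctx);
        if (!h.matches(clearText, stored)) {
            return null;
        }
        return isLegacyMd5(stored) ? h.mutate(clearText) : stored;
    }

    /** Assumption: legacy MD5 values are stored as 32 hex characters. */
    static boolean isLegacyMd5(String stored) {
        return stored != null && stored.matches("(?i)[0-9a-f]{32}");
    }
}
```

When verifyAndUpgrade returns a value different from the stored one, write it back to the user's credential column so the next login matches against the PBKDF2 form.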
Re: Java 9+ and custom JCE/JSSE providers
On 31/10/2023 14:22, Amit Pande wrote:
> Hello,
>
> I am in the process of updating https://github.com/amitlpande/tomcat-9-fips page for version later than Java 8. Ran into an issue:
>
> 1. Was looking the configure the additional bouncy castle providers in the Java install itself by:
>    * Modifying the java.security file to add providers.
>    * Place the jars in the Java's lib/ext directory.
> 2. However, from Java 9+, the lib/ext directory is no longer present (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B)
> 3. The alternate I attempted was to place the additional provider jars in Tomcat's lib directory.
> 4. Create a java security properties file with:
>
>        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
>        security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
>        security.provider.3=sun.security.provider.Sun
>        ssl.KeyManagerFactory.algorithm=PKIX
>        ssl.TrustManagerFactory.algorithm=PKIX
>
> 5. Launch Tomcat with JVM option -Djava.security.properties=file:/path/to/java_security_properties_file
> 6. However, I noticed that these BC providers weren't getting loaded.

You'll also need to add the JARs containing the providers to the class path so the JRE can load them.

You should be able to do that (and set java.security.properties) in setenv.sh|bat

Mark

> I see a comment from Chris here - https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html
>
> "I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way."
>
> Not sure if it's relevant here. But wanted to know if there is any way to configure Tomcat for Java 9+ with custom JSSE/JCE providers (with just config change)? Maybe I missed something?
>
> Also, FWIW, I was able get the FIPS configuration for Java 11, 17 with Tomcat 9, by registering a custom listener and adding providers there. Will soon update the https://github.com/amitlpande/tomcat-9-fips for detailed steps.
>
> Thanks,
> Amit

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need Help : Unable to write back a response error code from ReadListener#onError
On 30/10/2023 22:25, Adwait Kumar Singh wrote:
> Hi,
>
> I am using the async Servlet API and NIO, by setting a ReadListener.
>
> In the onError of the ReadListener, I am catching a SocketTimeoutException and trying to send back an error code 408. Here is the simplified example of what I am trying to do,
>
>     @Override
>     public void onError(Throwable failure) {
>         if(failure instanceof SocketTimeoutException) {
>             response.sendError(408);
>             request.getAsyncContext().complete();
>         }
>     }
>
> However, Tomcat just refuses to send back the error I want and instead just closes the connection. Am I missing something trivial or is this supposed to be achieved in a different way?
>
> I am using Tomcat 9.0.82 and the Http11NioEndpoint.

Has the response already been committed?

If not, a minimal (ideally a single servlet) web application that demonstrates the issue is often the easiest way for developers to re-create the problem.

Mark
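Mark asks whether the response is already committed and suggests a single-servlet reproduction. The servlet below is an added example (not code from this thread or from Tomcat) of such a reproduction, with the isCommitted() check made explicit in onError; the URL pattern, the class name and the assumption that the connector's socket read timeout is what surfaces the SocketTimeoutException are mine.

```java
import java.io.IOException;
import java.net.SocketTimeoutException;

import javax.servlet.AsyncContext;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical reproduction servlet: POST a body slowly and let the read time out. */
@WebServlet(urlPatterns = "/timeout408", asyncSupported = true)
public class TimeoutReproServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        AsyncContext ac = req.startAsync();
        // Assumption: no async timeout, so the connector's socket read timeout
        // is the only thing that can deliver a SocketTimeoutException to onError.
        ac.setTimeout(0);
        ServletInputStream in = req.getInputStream();
        in.setReadListener(new ReadListener() {
            private final byte[] buf = new byte[1024];

            @Override public void onDataAvailable() throws IOException {
                while (in.isReady() && in.read(buf) != -1) { /* discard body */ }
            }

            @Override public void onAllDataRead() throws IOException {
                resp.setStatus(HttpServletResponse.SC_OK);
                ac.complete();
            }

            @Override public void onError(Throwable t) {
                // sendError() can only take effect on an uncommitted response,
                // so record that state alongside the failure before acting on it.
                boolean committed = resp.isCommitted();
                getServletContext().log("onError committed=" + committed, t);
                try {
                    if (!committed && t instanceof SocketTimeoutException) {
                        resp.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT);
                    }
                } catch (IOException e) {
                    getServletContext().log("sendError failed", e);
                } finally {
                    ac.complete();
                }
            }
        });
    }
}
```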
Re: Need Help : Unable to write back a response error code from ReadListener#onError
AFAIK the response is not being committed.

I created a bug for this with a reproducible test case, https://bz.apache.org/bugzilla/show_bug.cgi?id=54123

On Tue, Oct 31, 2023 at 12:49 PM Mark Thomas wrote:
> On 30/10/2023 22:25, Adwait Kumar Singh wrote:
> > Hi,
> >
> > I am using the async Servlet API and NIO, by setting a ReadListener.
> >
> > In the onError of the ReadListener, I am catching a SocketTimeoutException and trying to send back an error code 408. Here is the simplified example of what I am trying to do,
> >
> >     @Override
> >     public void onError(Throwable failure) {
> >         if(failure instanceof SocketTimeoutException) {
> >             response.sendError(408);
> >             request.getAsyncContext().complete();
> >         }
> >     }
> >
> > However, Tomcat just refuses to send back the error I want and instead just closes the connection. Am I missing something trivial or is this supposed to be achieved in a different way?
> >
> > I am using Tomcat 9.0.82 and the Http11NioEndpoint.
>
> Has the response already been committed?
>
> If not, a minimal (ideally a single servlet) web application that demonstrates the issue is often the easiest way for developers to re-create the problem.
>
> Mark
Re: Need Help : Unable to write back a response error code from ReadListener#onError
Sorry for the wrong bug id. This is the one I filed, https://bz.apache.org/bugzilla/show_bug.cgi?id=68037

On Tue, Oct 31, 2023 at 3:24 PM Adwait Kumar Singh wrote:
> AFAIK the response is not being committed.
>
> I created a bug for this with a reproducible test case, https://bz.apache.org/bugzilla/show_bug.cgi?id=54123
>
> On Tue, Oct 31, 2023 at 12:49 PM Mark Thomas wrote:
> > On 30/10/2023 22:25, Adwait Kumar Singh wrote:
> > > Hi,
> > >
> > > I am using the async Servlet API and NIO, by setting a ReadListener.
> > >
> > > In the onError of the ReadListener, I am catching a SocketTimeoutException and trying to send back an error code 408. Here is the simplified example of what I am trying to do,
> > >
> > >     @Override
> > >     public void onError(Throwable failure) {
> > >         if(failure instanceof SocketTimeoutException) {
> > >             response.sendError(408);
> > >             request.getAsyncContext().complete();
> > >         }
> > >     }
> > >
> > > However, Tomcat just refuses to send back the error I want and instead just closes the connection. Am I missing something trivial or is this supposed to be achieved in a different way?
> > >
> > > I am using Tomcat 9.0.82 and the Http11NioEndpoint.
> >
> > Has the response already been committed?
> >
> > If not, a minimal (ideally a single servlet) web application that demonstrates the issue is often the easiest way for developers to re-create the problem.
> >
> > Mark