Summary: SecretKeyCredentialHandler ignores key length when matching
Product: Tomcat 9
Component: Catalina
Reporter: Niklas Holm <jadedcyborg>
Assignee: Tomcat Developers Mailing List <dev>
Description Niklas Holm 2016-12-06 12:27:42 UTC

Created attachment 34502 [details]: Patch

SecretKeyCredentialHandler does not take into account the key length of the stored credentials when matching against provided credentials, which results in a failed authentication unless the key length is statically defined in XML to be the same as the stored credentials. A patch that is tested with the 9.0, 8.5 and 8.0 trunks is provided with this bug report. The patch includes updated unit tests.

*** Steps to Reproduce ***

1) In conf/server.xml put
   <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler" algorithm="PBKDF2WithHmacSHA512" />
   inside the UserDatabaseRealm element.
2) Generate a password digest with
   bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 10000 -s 8 -k 128 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"
   and put it inside the password attribute in conf/tomcat-users.xml for an appropriate user.
3) Launch Tomcat (bin/startup.sh) and go to http://localhost:8080/manager/html
4) Provide the username of the user and the password YOUR_PASSWORD

*** Actual Results ***

- The user is unable to authenticate and gets a 401 error

*** Expected Results ***

- The user authenticates and gains access to the management app

*** Additional Builds and Platforms ***

The bug affects all builds since the introduction of SecretKeyCredentialHandler

*** Additional Information ***

Putting
<CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler" algorithm="PBKDF2WithHmacSHA512" keyLength="128" />
inside conf/server.xml instead would enable the user to authenticate again, but then all users must use the same key length.
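To make the matching difference concrete, the following is an added Python model of the two behaviours described in the report (example code, not Tomcat's own SecretKeyCredentialHandler). It assumes the salt$iterations$hash hex layout produced by digest.sh, the report's PBKDF2WithHmacSHA512 / 10000 iterations / 128-bit key settings, and a 160-bit configured default; the salt and password are constructed.

```python
import hashlib
import hmac

ALGORITHM = "sha512"      # PBKDF2WithHmacSHA512 from the report
DEFAULT_KEY_BITS = 160    # assumed handler default; the report's digest was made with -k 128


def make_credential(password: str, salt: bytes, iterations: int, key_bits: int) -> str:
    """Produce a stored credential in the assumed 'salt$iterations$hash' hex layout."""
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, iterations, dklen=key_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def _parse(stored: str):
    """Split a stored credential; return None on malformed input instead of raising."""
    parts = stored.split("$")
    if len(parts) != 3:
        return None
    salt_hex, iterations, key_hex = parts
    try:
        return bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(key_hex)
    except ValueError:
        return None


def matches_configured_length(password: str, stored: str, key_bits: int = DEFAULT_KEY_BITS) -> bool:
    """Buggy behaviour: the key length comes from configuration, not from the stored hash."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    salt, iterations, stored_key = parsed
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, iterations, dklen=key_bits // 8)
    return hmac.compare_digest(derived, stored_key)  # 20 bytes vs 16 bytes -> never equal


def matches_stored_length(password: str, stored: str) -> bool:
    """Fixed behaviour: derive exactly as many bytes as the stored hash contains."""
    parsed = _parse(stored)
    if parsed is None or not parsed[2]:
        return False
    salt, iterations, stored_key = parsed
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, iterations, dklen=len(stored_key))
    return hmac.compare_digest(derived, stored_key)


# Constructed sample: a fixed salt so the result is reproducible (digest.sh uses a random one).
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_CREDENTIAL = make_credential("YOUR_PASSWORD", SAMPLE_SALT, 10000, 128)

if __name__ == "__main__":
    print("configured 160-bit length:", matches_configured_length("YOUR_PASSWORD", SAMPLE_CREDENTIAL))
    print("length taken from stored hash:", matches_stored_length("YOUR_PASSWORD", SAMPLE_CREDENTIAL))
```

Setting keyLength="128" in server.xml corresponds to calling matches_configured_length with key_bits=128, which works for this one user but forces every stored credential to share that length.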
Comment 1 Mark Thomas 2016-12-12 10:43:02 UTC

Thanks for the report and the patch. A modified version of the patch was applied. The key changes were:
- return a value indicating failure rather than throw an exception
- correct the use of Tomcat's i18n support rather than remove it
- formatting tweaks to better align with existing formatting conventions

Fixed in:
- trunk for 9.0.0.M16 onwards
- 8.5.x for 8.5.10 onwards
- 8.0.x for 8.0.40 onwards