Bug 60446

Summary: SecretKeyCredentialHandler ignores key length when matching
Product: Tomcat 9 Reporter: Niklas Holm <jadedcyborg>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 9.0.0.M13   
Target Milestone: -----   
Hardware: All   
OS: All   
Attachments: Patch

Description Niklas Holm 2016-12-06 12:27:42 UTC 
Created attachment 34502 [details]
Patch

SecretKeyCredentialHandler does not take into account the key length of the stored credentials when matching against provided credentials, which results in a failed authentication unless the key lenght is statically defined in XML to be the same as the stored credentials. A patch that is tested with the 9.0, 8.5 and 8.0 trunks is provided with this bug report. The patch includes updated unit tests.

*** Steps to Reproduce ***

1) In conf/server.xml put

<CredentialHandler
  className="org.apache.catalina.realm.SecretKeyCredentialHandler"
  algorithm="PBKDF2WithHmacSHA512" />

inside the UserDatabaseRealm element.

2) generate a password digest with

bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 10000 -s 8 -k 128 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"

and put inside the password attribute in conf/tomcat-users.xml for an appropiate user.

3) Launch tomcat (bin/startup.sh) and go to http://localhost:8080/manager/html

4) Provide the username of the user and the password YOUR_PASSWORD


*** Actual Results ***

- The user is unable to authenticate and get a 401 error


*** Expected Results ***

- The user authenticates and gain access to the management app


*** Additional Builds and Platforms ***

The bug affects all builds since the introduction of SecretKeyCredentialHandler


*** Additional Information ***
Putting

<CredentialHandler
  className="org.apache.catalina.realm.SecretKeyCredentialHandler"
  algorithm="PBKDF2WithHmacSHA512"
  keyLength="128" />

inside conf/server.xml instead would enable the user to authenticate again, but then all users must use the same key lenght.
Comment 1 Mark Thomas 2016-12-12 10:43:02 UTC 
Thanks for the report and the patch.

A modified version of the patch was applied. The key changes were:
- return a value indicating failure rather than throw an exception
- correct the use of Tomcat's i18n support rather than remove it
- formatting tweaks to better align with existing formatting conventions

Fixed in:
- trunk for 9.0.0.M16 onwards
- 8.5.x for 8.5.10 onwards
- 8.0.x for 8.0.40 onwards