Bug 60446 - SecretKeyCredentialHandler ignores key length when matching
Summary: SecretKeyCredentialHandler ignores key length when matching
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: 9.0.0.M13
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2016-12-06 12:27 UTC by Niklas Holm
Modified: 2016-12-12 10:43 UTC

Patch (8.08 KB, patch)
2016-12-06 12:27 UTC, Niklas Holm
Description Niklas Holm 2016-12-06 12:27:42 UTC
Created attachment 34502

SecretKeyCredentialHandler does not take into account the key length of the stored credentials when matching against provided credentials, which results in a failed authentication unless the key length is statically defined in XML to be the same as the stored credentials. A patch that is tested with the 9.0, 8.5 and 8.0 trunks is provided with this bug report. The patch includes updated unit tests.

*** Steps to Reproduce ***

1) In conf/server.xml put

  algorithm="PBKDF2WithHmacSHA512" />

inside the UserDatabaseRealm element.

2) generate a password digest with

bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 10000 -s 8 -k 128 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"

and put it inside the password attribute in conf/tomcat-users.xml for an appropriate user.

3) Launch tomcat (bin/startup.sh) and go to http://localhost:8080/manager/html

4) Provide the username of the user and the password YOUR_PASSWORD

*** Actual Results ***

- The user is unable to authenticate and gets a 401 error

*** Expected Results ***

- The user authenticates and gains access to the management app

*** Additional Builds and Platforms ***

The bug affects all builds since the introduction of SecretKeyCredentialHandler

*** Additional Information ***

  keyLength="128" />

inside conf/server.xml instead would enable the user to authenticate again, but then all users must use the same key length.
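The mismatch described above, as an added Python illustration (not Tomcat's code): it rebuilds the hexSalt$iterations$hexKey layout that digest.sh writes, using the same PBKDF2-HMAC-SHA512 derivation, and contrasts a matcher that recomputes with a statically configured key length against one that takes the length from the stored key itself. The 160-bit default standing in for keyLength, the salt and the credential values are constructed here.

```python
import hashlib
import hmac

# Assumed default standing in for Tomcat's configured keyLength (in bits).
CONFIGURED_KEY_BITS = 160


def derive_hex(password, salt, iterations, key_bits):
    """PBKDF2WithHmacSHA512 with an explicit output length, as digest.sh -k does."""
    raw = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=key_bits // 8)
    return raw.hex()


def make_credential(password, salt, iterations, key_bits):
    """Build the hexSalt$iterations$hexKey string that goes into tomcat-users.xml."""
    return f"{salt.hex()}${iterations}${derive_hex(password, salt, iterations, key_bits)}"


def parse_credential(stored):
    """Split a stored credential into (salt, iterations, key); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 3:
        return None
    try:
        return bytes.fromhex(parts[0]), int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return None


def matches_configured_length(password, stored, key_bits=CONFIGURED_KEY_BITS):
    """Reported behaviour: recompute with the configured keyLength regardless of
    the stored key's size, so a user digested with another -k value gets a 401."""
    parsed = parse_credential(stored)
    if parsed is None:
        return False
    salt, iterations, key = parsed
    candidate = bytes.fromhex(derive_hex(password, salt, iterations, key_bits))
    return hmac.compare_digest(candidate, key)  # length mismatch -> False


def matches_stored_length(password, stored):
    """Fixed behaviour: the key length is whatever the stored key's size says it is,
    so users digested with different -k values can coexist in one realm."""
    parsed = parse_credential(stored)
    if parsed is None:
        return False
    salt, iterations, key = parsed
    candidate = bytes.fromhex(derive_hex(password, salt, iterations, len(key) * 8))
    return hmac.compare_digest(candidate, key)
```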
Comment 1 Mark Thomas 2016-12-12 10:43:02 UTC
Thanks for the report and the patch.

A modified version of the patch was applied. The key changes were:
- return a value indicating failure rather than throw an exception
- correct the use of Tomcat's i18n support rather than remove it
- formatting tweaks to better align with existing formatting conventions

Fixed in:
- trunk for 9.0.0.M16 onwards
- 8.5.x for 8.5.10 onwards
- 8.0.x for 8.0.40 onwards