Undefined behaviour with Credential Handler
Sreyan Chakravarty
Okay, so if I have stored my password in my DB with SHA256 encryption, can the credential handler declared in the realm work if it is declared with SHA512?

As far as I know it must be same algorithm, salt and iterations for the hash to be matched perfectly.

Now take my case:



Okay, this is my credential handler that I am using. In my DB the password is stored using PBEWITHHMACSHA384ANDAES_256, a completely different algorithm than the one specified before. So how come, when I put in my user-id and password on my form-login page, I am not getting an authentication error but instead am being forwarded to the protected resource?

It should use the algorithm in the CredentialHandler to mutate the password. Now don't tell me that two different algorithms produce the same hash.

What is going on here?
 
Tim Holloway
Could you show the full Realm configuration that you are using?
 
Sreyan Chakravarty

Tim Holloway wrote:Could you show the full Realm configuration that you are using?



 
Tim Holloway
Have you verified that the default values for keyLength, iterations and saltLength are correct for your encryption scheme?

Have you verified that there is a PBEWITHMD5ANDTRIPLEDES module installed in the JVM?

Are you setting up things in the form salt$iterationCount$encodedCredential?

And finally, is it really necessary to use such an esoteric encryption scheme instead of one of the more common ones? I didn't think that DES was considered very secure in any form these days.
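The three checks Tim lists (the algorithm actually being available in the JVM, the handler's keyLength/iterations/saltLength agreeing with whatever produced the stored value, and the salt$iterationCount$encodedCredential layout) can be exercised outside Tomcat. The block below is an added example, not Tomcat's code and not something either poster wrote: a small Python model of how a SecretKeyCredentialHandler-style check parses the stored string and re-derives the key with PBKDF2, then compares. Function names (`derive`, `digest`, `matches`, `demo`), the fixed salt and the passwords are my own assumptions; Python's hashlib has no PBEWithMD5AndTripleDES provider, so only the PBKDF2WithHmac* family is modelled, and taking keyLength from the length of the stored hex is how I understand recent Tomcat versions to behave. Confirm against the output of Tomcat's own digest tool before relying on any value it produces.

```python
"""Model of Tomcat's salt$iterations$hex credential check (added example, not Tomcat code)."""
import hashlib
import hmac
import os

# Stored-credential layout used by Tomcat's digest-based handlers:
#   <hex salt>$<iterations>$<hex derived key>
# SecretKeyCredentialHandler defaults (per Tomcat docs): algorithm PBKDF2WithHmacSHA1,
# iterations 20000, keyLength 160 bits, saltLength 16 bytes.
# Assumption: only the PBKDF2WithHmac* family is mapped; a PBEWith...AndTripleDES
# name behaves here like a JVM without that provider (unknown algorithm -> reject).
_ALGORITHMS = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA384": "sha384",
    "PBKDF2WithHmacSHA512": "sha512",
}


def derive(password, salt, iterations, key_length_bits, algorithm):
    """Hex PBKDF2 key. KeyError here plays the role of Java's NoSuchAlgorithmException."""
    prf = _ALGORITHMS[algorithm]
    # SunJCE's PBKDF2 encodes the password chars as UTF-8, so do the same.
    key = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations,
                              key_length_bits // 8)
    return key.hex()


def digest(password, algorithm="PBKDF2WithHmacSHA1", iterations=20000,
           key_length=160, salt_length=16, salt=None):
    """Produce a stored credential the way a digest tool would (random salt unless given)."""
    if salt is None:
        salt = os.urandom(salt_length)
    return f"{salt.hex()}${iterations}${derive(password, salt, iterations, key_length, algorithm)}"


def matches(stored, password, algorithm="PBKDF2WithHmacSHA1"):
    """Verify `password` against `stored` using the handler's configured algorithm.

    Every failure mode is a hard reject: wrong layout, non-hex salt, non-numeric
    iteration count, unknown algorithm, or simply a different derived key.
    """
    parts = stored.split("$")
    if len(parts) != 3:
        return False  # unsalted digest or garbage: this handler cannot match it
    hex_salt, iter_str, hex_key = parts
    try:
        salt = bytes.fromhex(hex_salt)
        iterations = int(iter_str)
        key_length = len(bytes.fromhex(hex_key)) * 8  # keyLength taken from stored value
    except ValueError:
        return False
    if iterations <= 0 or key_length == 0:
        return False
    try:
        candidate = derive(password, salt, iterations, key_length, algorithm)
    except KeyError:
        return False  # algorithm not available to the "JVM"
    # Constant-time compare; Tomcat compares hex case-insensitively, so normalise.
    return hmac.compare_digest(candidate, hex_key.lower())


def demo():
    """Constructed inputs: one stored SHA-512 credential checked by differently configured handlers."""
    pw = "correct horse"  # assumed password
    fixed_salt = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # fixed for reproducibility
    stored = digest(pw, "PBKDF2WithHmacSHA512", iterations=20000, key_length=160, salt=fixed_salt)
    return {
        "same_algorithm": matches(stored, pw, "PBKDF2WithHmacSHA512"),
        "wrong_password": matches(stored, "wrong", "PBKDF2WithHmacSHA512"),
        "different_algorithm": matches(stored, pw, "PBKDF2WithHmacSHA256"),
        "unknown_algorithm": matches(stored, pw, "PBEWithMD5AndTripleDES"),
        # Plain SHA-256 hex with no salt/iterations, as the first post describes:
        "unsalted_hex": matches(hashlib.sha256(pw.encode()).hexdigest(), pw, "PBKDF2WithHmacSHA512"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'match' if ok else 'reject'}")
```

Only `same_algorithm` succeeds; a handler whose algorithm differs from the one that produced the stored value, a stored value without the two `$` separators, or an algorithm name the JVM cannot load all yield a rejection, never a quiet match. A login that still succeeds with a mismatched algorithm is therefore worth checking against which Realm and CredentialHandler Tomcat actually loaded for that context, rather than against the algorithms themselves.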
 
Sreyan Chakravarty

Tim Holloway wrote:Have you verified that the default values for keyLength, iterations and saltLength are correct for your encryption scheme?

Have you verified that there is a PBEWITHMD5ANDTRIPLEDES module installed in the JVM?

Are you setting up things in the form salt$iterationCount$encodedCredential?

And finally, is it really necessary to use such an esoteric encryption scheme instead of one of the more common ones? I didn't think that DES was considered very secure in any form these days.



Yup, all the above are verified. And I am using DES just as an example; I am obviously not going to use it in production. Can you see anything wrong in my configuration?
 
Tim Holloway
One of the problems with getting free support is that unless it's something I already know or can easily pull out of docs from the same sources as you can, it's too much work for me to do for free.

Unfortunately, this is one of those cases. I normally use the common MD5 encryption, and that's handled by the default mechanisms, so I have had no need to learn the more obscure options.

I can tell you that if my employer required that I go the more complex route that I'd pull the Tomcat source code, do a build and put a breakpoint on the failing instruction to try and see where things were wrong - assuming that I had what I thought were the correct parameters. If you want to try doing that yourself, I can help you in setting up a debugging environment. Actually making sense of it would be mostly up to you.
 
Sreyan Chakravarty

Tim Holloway wrote:One of the problems with getting free support is that unless it's something I already know or can easily pull out of docs from the same sources as you can, it's too much work for me to do for free.

Unfortunately, this is one of those cases. I normally use the common MD5 encryption, and that's handled by the default mechanisms, so I have had no need to learn the more obscure options.

I can tell you that if my employer required that I go the more complex route that I'd pull the Tomcat source code, do a build and put a breakpoint on the failing instruction to try and see where things were wrong - assuming that I had what I thought were the correct parameters. If you want to try doing that yourself, I can help you in setting up a debugging environment. Actually making sense of it would be mostly up to you.



I already have the source code. Now I need your help on how to set up the debugging environment. How do you do that ?
 
Tim Holloway
The easiest way is with an IDE. Import the Tomcat source code in as a project, run the Tomcat build scripts, configure the resulting copy of Tomcat like you were doing with the prebuilt copy, then launch it using the IDE's "Remote Application" debugging feature. Set breakpoints as desired.
 
Sreyan Chakravarty

Tim Holloway wrote:The easiest way is with an IDE. Import the Tomcat source code in as a project, run the Tomcat build scripts, configure the resulting copy of Tomcat like you were doing with the prebuilt copy, then launch it using the IDE's "Remote Application" debugging feature. Set breakpoints as desired.



I wish it were as simple as you make it sound.