Trying to log in to Tomcat manager using hashed password.

 
Ranch Hand
I've my tomcat-users.xml defined this way:



And I've generated the hash like this from my bin directory :



When I log in to Tomcat Manager (Tomcat 9.0.78) on Windows using TomcatJackAdmin and test, it works fine. But I'm trying to use the encrypted user, "jack", and the "password" for which the hash exists above. It doesn't work. Are there additional steps I need to take to fix the above issue?
 
Saloon Keeper
So when you see the login form, you type "jack" in the userid box and "4f60ef32b9f4cf8a30d85167c9575e627d1f03845575a620ff5654b85eb29add$1$15a54860775edfab43b7010aed9ca814c6647f5b1c07253cbcdac7dc80e07833ee9ae5392aac0b7ba96760100a1462dcc51ed91cb8c4768bba1de77193f0ad57" in the password box?

Because otherwise who's going to handle the cryptography? Tomcat won't.
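The stored value quoted above has the layout that Tomcat's digest tool emits: hex salt, "$", iteration count, "$", hex digest (here 64 hex chars of salt, one iteration, and a 128-hex-char SHA-512 digest). The following Python is an added example, not code from the thread or from Tomcat: it parses that layout and reimplements the salted, iterated digest check as I understand Tomcat's MessageDigestCredentialHandler to perform it (salt prepended to the password, then re-hashed iterations-1 times), which is an assumption you should confirm against your own digest.sh output. Whether a given Realm accepts this form depends on its credential-handler configuration, which the thread does not show.

```python
import hashlib
import hmac
import os

# Credential string from the thread (salt$iterations$hash, all hex except the count).
THREAD_CREDENTIAL = (
    "4f60ef32b9f4cf8a30d85167c9575e627d1f03845575a620ff5654b85eb29add$1$"
    "15a54860775edfab43b7010aed9ca814c6647f5b1c07253cbcdac7dc80e07833"
    "ee9ae5392aac0b7ba96760100a1462dcc51ed91cb8c4768bba1de77193f0ad57"
)


def parse_credential(stored: str):
    """Split salt$iterations$hash into (salt bytes, iteration count, digest bytes)."""
    salt_hex, iterations, digest_hex = stored.split("$")
    return bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(digest_hex)


def tomcat_digest(password: str, salt: bytes, iterations: int, algorithm: str = "sha512") -> bytes:
    """Round 1 hashes salt || password; each further round hashes the previous result.
    Assumed (not confirmed by the thread) to mirror Tomcat's credential handler."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    result = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.new(algorithm, result).digest()
    return result


def make_credential(password: str, salt_len: int = 32, iterations: int = 1) -> str:
    """Produce a fresh salt$iterations$hash string for a password (random salt)."""
    salt = os.urandom(salt_len)
    return f"{salt.hex()}${iterations}${tomcat_digest(password, salt, iterations).hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    salt, iterations, expected = parse_credential(stored)
    return hmac.compare_digest(tomcat_digest(password, salt, iterations), expected)


def describe(stored: str) -> dict:
    """Report the structural parameters encoded in a stored credential."""
    salt, iterations, digest = parse_credential(stored)
    return {"salt_bytes": len(salt), "iterations": iterations, "digest_bytes": len(digest)}


if __name__ == "__main__":
    print(describe(THREAD_CREDENTIAL))  # {'salt_bytes': 32, 'iterations': 1, 'digest_bytes': 64}
    print("thread credential matches 'password':", verify("password", THREAD_CREDENTIAL))
    cred = make_credential("s3cret", iterations=3)
    print(verify("s3cret", cred), verify("wrong", cred))
```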
 
Jack Tauson
Ranch Hand

Tim Holloway wrote:So when you see the login form, you type "jack" in the userid box and "4f60ef32b9f4cf8a30d85167c9575e627d1f03845575a620ff5654b85eb29add$1$15a54860775edfab43b7010aed9ca814c6647f5b1c07253cbcdac7dc80e07833ee9ae5392aac0b7ba96760100a1462dcc51ed91cb8c4768bba1de77193f0ad57" in the password box?

Because otherwise who's going to handle the cryptography? Tomcat won't.



No, I am typing "password" for password but storing it as a hash in tomcat-users.xml. How to handle this if tomcat won't handle this?
 
Tim Holloway
Saloon Keeper
You cannot. Besides, there's more than one encryption algorithm in the world, so even if this particular Realm supported such a feature you'd need to make sure it was configured for it.

Tomcat doesn't need encrypted passwords. Tomcat goes to great lengths to ensure that when you type in a password, it isn't going to be visible to anything but the Tomcat login service, which is quite secure. Tomcat NEVER fetches a password, only submits it to a Realm for the Realm to check. And Realms don't fetch passwords either, if they can help it.

The main case where you'd have an encrypted password in Tomcat is if the userid/password was stored in an external database. In which case, you'd encrypt the password IN THE DATABASE, and the Realm would have to do a query in the form "SELECT COUNT(*) FROM users WHERE user_id=? AND ENCRYPT(password) =?". In which case, the actual encryption and checking would be done entirely within the database server, not in Tomcat. You would typically use an encrypted (SSL-style) channel from Tomcat to the database server to avoid network snoops.

Encrypting the password in the database means that even if someone queried the database outside of Tomcat, they wouldn't be able to retrieve the password in a form that Tomcat would match in its Realm processes.

Again, the tomcat-users.xml file isn't really intended for serious production use, so it is not encrypted. Its protection is managed via the OS file-level protections. Which is to say that only the OS "tomcat" user should have the ability to read or write it.
 
Jack Tauson
Ranch Hand

Tim Holloway wrote:You cannot. Besides, there's more than one encryption algorithm in the world, so even if this particular Realm supported such a feature you'd need to make sure it was configured for it.

Tomcat doesn't need encrypted passwords. Tomcat goes to great lengths to ensure that when you type in a password, it isn't going to be visible to anything but the Tomcat login service, which is quite secure. Tomcat NEVER fetches a password, only submits it to a Realm for the Realm to check. And Realms don't fetch passwords either, if they can help it.

The main case where you'd have an encrypted password in Tomcat is if the userid/password was stored in an external database. In which case, you'd encrypt the password IN THE DATABASE, and the Realm would have to do a query in the form "SELECT COUNT(*) FROM users WHERE user_id=? AND ENCRYPT(password) =?". In which case, the actual encryption and checking would be done entirely within the database server, not in Tomcat. You would typically use an encrypted (SSL-style) channel from Tomcat to the database server to avoid network snoops.

Encrypting the password in the database means that even if someone queried the database outside of Tomcat, they wouldn't be able to retrieve the password in a form that Tomcat would match in its Realm processes.

Again, the tomcat-users.xml file isn't really intended for serious production use, so it is not encrypted. Its protection is managed via the OS file-level protections. Which is to say that only the OS "tomcat" user should have the ability to read or write it.



Hmm, one username and password in my production Tomcat has this thing working already, and I'm having issues figuring out why adding an additional user and password with a SHA512 hash is not logging that user in. Not sure where to start to figure out how the existing case works.
 
Tim Holloway
Saloon Keeper
As I said. Tomcat doesn't want anything to do with your hashed/encrypted passwords. It wants the tomcat-users.xml file to keep passwords in plain text and that's it.

Also, please don't quote me in entirety. It's redundant and wastes space.
 
Ranch Hand
Tim, what about jdbc passwords stored in conf/Catalina/localhost/MyDb.xml?

 
Tim Holloway
Saloon Keeper

Thomas Griffith wrote:Tim, what about jdbc passwords stored in conf/Catalina/localhost/MyDb.xml?



That file should be describing a webapp accessible from http://localhost:8080/MyDb. The Resource defines something that Tomcat will store in that webapp's JNDI dictionary. Typically it would also specify type="javax.sql.DataSource", which would define a DataSource Connection Pool that the webapp would use. It has no direct connection to Tomcat security.

Tomcat's security is managed by plugins to Tomcat itself and not to the webapp. The security modules are called Realms and there is a specific set of APIs (Interfaces) that define Realms so that Tomcat knows how to talk to them.

The most important method a Realm module presents is the authenticate() method. This is an overloaded method from org.apache.catalina.realm.RealmBase, but the most common invocation is for Tomcat to pass 2 arguments that it obtains from the LoginForm or dialog: juserid and jpassword. These arguments are always clear-text strings, never encrypted. Tomcat assumes your client login was done via SSL. It trusts its own internal security, so there's no need for encryption there.

If the Realm talks to an external data repository (most do), it is up to the Realm implementation as to whether or not to use encryption at that point. For the JDBC Realm, you can provide a JDBC query such as "SELECT COUNT(*) FROM my_user WHERE user_id = ? AND password = CRYPT(?)". And/or use an encrypted network connection to the JDBC server.

As I've said before, the tomcat-users.xml file is not intended for production use, so it doesn't make any provision for encryption. Since it's typically stored in the Tomcat directory tree, it's as secure — or not — as the rest of Tomcat.
 