2
votes

I want to use hashed passwords in tomcat-users.xml with BASIC authentication. I added digest="SHA" to the realm definition. The UserDatabase part is defined like this in $TOMCAT_HOME/conf/server.xml:

<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
...
<Engine>
...
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             digest="SHA"
             resourceName="UserDatabase" />  
...
</Engine>

But after a restart, Tomcat still treats all passwords defined in $TOMCAT_HOME/conf/tomcat-users.xml as plain-text ones.

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<user username="guest" password="e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4" roles="role1" />
</tomcat-users>

I.e., I can log in with username/password guest/e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4, but not with guest/secret as it should be.

Please point out what I'm doing wrong.

1
OK, it looks like something rewrites the realm definition in the web application, since /manager/ worked as expected. - Aleksey

1 Answer

0
votes

Your solution should work up to Tomcat 7, but starting from Tomcat 8, you have to specify the CredentialHandler section inside the Realm as shown below:

Tomcat 6...7:

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             digest="sha"
             resourceName="UserDatabase" />  

Tomcat 8:

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase">
           <CredentialHandler
              className="org.apache.catalina.realm.MessageDigestCredentialHandler"     
              algorithm="sha" />
      </Realm>

NB: For more secure hashing, like PBKDF2WithHmacSHA512, see this answer.
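To see what the digest realm actually compares, here is an added Python example (not code from the question, the answer, or the Tomcat project) that reproduces the stored-credential formats accepted by MessageDigestCredentialHandler. It assumes, from reading the Tomcat 8 source rather than from anything on this page, that a stored value without `$` is a plain unsalted hex digest (the form in the question, where `e5e9fa1b...` is the SHA-1 of `secret`), that a salted value has the form `saltHex$iterations$digestHex`, and that round 1 hashes salt followed by password while each further round hashes the previous raw digest. Algorithm names are hashlib names (`sha1`, `sha256`); Tomcat's `SHA` means SHA-1.

```python
import hashlib
import hmac
import secrets


def tomcat_digest(algorithm: str, password: str, salt: bytes = b"", iterations: int = 1) -> str:
    """Hex digest in the form the Tomcat handler compares against.

    Assumption (from the Tomcat 8 source, not from this page): round 1 hashes
    salt || password; every further round hashes the previous round's raw digest.
    """
    md = hashlib.new(algorithm)
    md.update(salt)
    md.update(password.encode("utf-8"))
    digest = md.digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def make_stored_credential(algorithm: str, password: str,
                           salt_len: int = 16, iterations: int = 100_000) -> str:
    """Build a salted, iterated credential string `saltHex$iterations$digestHex`
    (assumed to be the format Tomcat's digest tool emits)."""
    salt = secrets.token_bytes(salt_len)
    return f"{salt.hex()}${iterations}${tomcat_digest(algorithm, password, salt, iterations)}"


def matches(algorithm: str, input_password: str, stored: str) -> bool:
    """Verify a password against a stored credential the way the handler does:
    no '$' -> legacy unsalted single-round hex digest (the form in the question);
    otherwise saltHex$iterations$digestHex. Comparison is constant-time and
    case-insensitive on the hex, and malformed stored values fail closed."""
    if "$" not in stored:
        computed = tomcat_digest(algorithm, input_password)
        return hmac.compare_digest(computed.encode(), stored.lower().encode())
    parts = stored.split("$")
    if len(parts) != 3:
        return False
    salt_hex, iterations_str, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if iterations < 1:
        return False
    computed = tomcat_digest(algorithm, input_password, salt, iterations)
    return hmac.compare_digest(computed.encode(), digest_hex.lower().encode())


if __name__ == "__main__":
    # The question's stored value is the unsalted SHA-1 of "secret".
    question_hash = "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4"
    print("guest/secret ->", matches("sha1", "secret", question_hash))       # True
    print("guest/<hash> ->", matches("sha1", question_hash, question_hash))  # False
    print("salted sha256 ->", make_stored_credential("sha256", "secret"))
```

The second print line shows the symptom from the question in reverse: once the realm really digests input, logging in with the stored hex string itself no longer works, because the handler hashes it again before comparing. The salted form is the one to prefer once the CredentialHandler is in place, since an unsalted single-round SHA-1 of a user password is trivially precomputable.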