
I am using Tomcat 7 / JDBCRealm authentication in clear text (development/controlled environment). Now I want to upload the web app to my hosted environment, so I need to digest the passwords.

I added 'digest="MD5"' to the realm section in server.xml and tested with some accounts by replacing the existing clear text password with one digested using MySQL's MD5() function.

This went OK.

When I tried SHA2 ('digest="SHA2"' in server.xml, and MySQL's SHA2() function to digest passwords in the table), I kept getting login failures. I tried MySQL's SHA2(pwd,224), SHA2(pwd,256), ...384, ...515 and none worked.

My web search for tomcat JDBCRealm /digest property was not very informative.

What did I do wrong?

Mark Thomas
adaj21

1 Answer


Look in the Tomcat logs for the message that tells you SHA-2 is not a valid algorithm. If there is no such message, please raise a Tomcat bug.

You need to use one of the following:

  • SHA-256
  • SHA-384
  • SHA-512

Obviously, you'll need to use the corresponding digest in MySQL.

Mark Thomas
  • Thanks Mark, I do not recall seeing any error in the Tomcat logs, but I will double check in case I missed something. Do I set digest="SHA-256" instead of digest="SHA2" in server.xml? Where are the parameters for the JDBC realm documented? The standard HTML docs simply show the value for MD5 but not other digests. I googled it but came out empty-handed. – adaj21 May 01 '12 at 01:30
  • You need to use SHA-512 or one of the values I quoted above. The standard names for the supported MessageDigests are to be found in the Java documentation. http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest – Mark Thomas May 01 '12 at 07:19
  • Thanks Mark! I knew I was looking in the wrong place (tomcat documentation) – adaj21 May 02 '12 at 11:47
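
As an added example (not part of the question, the answer or the Tomcat project), the Python below mirrors what the `digest` attribute of Tomcat 7's JDBCRealm does: the value is handed to `java.security.MessageDigest.getInstance()`, so only Java standard algorithm names work, and the string stored in the database is the lowercase hex digest of the password bytes, which is exactly what MySQL's `MD5()` and `SHA2(..., n)` return. The table name `users`, the columns `user_name`/`user_pass`, the function names and the UTF-8 encoding are this example's assumptions (Tomcat uses the platform default charset unless `digestEncoding` is set).

```python
import hashlib
import hmac

# Java MessageDigest standard names that a Tomcat 7 JDBCRealm digest="..."
# attribute accepts, mapped to the hashlib name and to the MySQL expression
# that yields the identical lowercase-hex string.  "SHA2" is not a standard
# name: the SHA-2 family is spelled "SHA-256", "SHA-384" and "SHA-512".
#
#   <Realm className="org.apache.catalina.realm.JDBCRealm"
#          ...
#          digest="SHA-256"/>
ALGORITHMS = {
    #  Java name   hashlib    MySQL expression over the password column
    "MD5":     ("md5",    "MD5({v})"),
    "SHA-256": ("sha256", "SHA2({v}, 256)"),
    "SHA-384": ("sha384", "SHA2({v}, 384)"),
    "SHA-512": ("sha512", "SHA2({v}, 512)"),
}


def tomcat_digest(password: str, algorithm: str, encoding: str = "utf-8") -> str:
    """Lowercase hex digest of the password bytes, the form Tomcat stores and
    compares for a digested realm.  Encoding utf-8 is an assumption here."""
    try:
        hashlib_name, _ = ALGORITHMS[algorithm]
    except KeyError:
        # Same outcome as Java's NoSuchAlgorithmException for digest="SHA2".
        raise ValueError(f"unsupported MessageDigest name: {algorithm!r}") from None
    return hashlib.new(hashlib_name, password.encode(encoding)).hexdigest()


def mysql_update_sql(algorithm: str, table: str = "users",
                     pass_col: str = "user_pass", name_col: str = "user_name") -> str:
    """UPDATE that digests an existing clear-text password column in place with
    the MySQL function matching the Java algorithm name (table/column names are
    assumptions; '?' is the username bind parameter).  Run it once per row:
    running it twice digests the digest and the account stops working."""
    _, mysql_expr = ALGORITHMS[algorithm]
    expr = mysql_expr.format(v=pass_col)
    return f"UPDATE {table} SET {pass_col} = {expr} WHERE {name_col} = ?"


def check_password(supplied: str, stored: str, algorithm: str) -> bool:
    """What happens at login: digest the supplied password with the realm's
    algorithm and compare it to the column value.  Raises ValueError for an
    unknown algorithm name, which is the failure behind digest="SHA2".
    MySQL emits lowercase hex, so an exact compare is sufficient here."""
    return hmac.compare_digest(tomcat_digest(supplied, algorithm), stored)


if __name__ == "__main__":
    # Constructed sample row: what SHA2('s3cret', 256) would have put in the table.
    stored = tomcat_digest("s3cret", "SHA-256")
    print(mysql_update_sql("SHA-256"))
    print("digest=\"SHA-256\" login:", check_password("s3cret", stored, "SHA-256"))
    try:
        check_password("s3cret", stored, "SHA2")
    except ValueError as err:
        print("digest=\"SHA2\" login:", err)
```

The stored value produced by `SHA2(pwd, 256)` in MySQL and by `digest="SHA-256"` in Tomcat are the same 64 hex characters; only the spelling of the algorithm name on the Tomcat side differs, which is why the rows digested with SHA2() in the question were correct but every login failed.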