
I create new users who can log into my Java EE application using Jasypt to hash the password: I use SHA-256, an 8-byte salt, 1000 iterations and get an 80-character hexadecimal hash in the database. This is working. Here is the code:

import org.jasypt.digest.config.SimpleDigesterConfig;
import org.jasypt.util.password.ConfigurablePasswordEncryptor;

ConfigurablePasswordEncryptor passwordEncryptor = new ConfigurablePasswordEncryptor();
SimpleDigesterConfig config = new SimpleDigesterConfig();
config.setAlgorithm( "SHA-256" );
config.setIterations( 1000 );        // same value as the Realm's iterations="1000"
config.setSaltSizeBytes( 8 );        // same value as the Realm's saltLength="8"
passwordEncryptor.setConfig( config );
passwordEncryptor.setPlainDigest( false );                // salted, iterated digest, not a plain hash
passwordEncryptor.setStringOutputType( "hexadecimal" );   // 80 hex chars: 8-byte salt + 32-byte digest
String hashedPassword = passwordEncryptor.encryptPassword( password );

Then I store it in the DB.

Now, in my DataSource Realm, I'm trying to tell Tomcat what I am doing like this:

<Realm 
        className="org.apache.catalina.realm.DataSourceRealm"
        name="monRealm"
        dataSourceName="jdbc/postgres"
        localDataSource="true"
        userTable="users" userNameCol="login" userCredCol="password"
        userRoleTable="user_roles" roleNameCol="role_name"      
        debug="99">

        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                      algorithm="SHA-256"
                      iterations="1000"
                      keyLength="256"
                      saltLength="8"
        />

</Realm>

In my opinion, this is the same thing. And the Realm should check the password just fine.

But I never manage to log in with the login/password I have created. It works without the hash part, so this is really the way I hash the password that is wrong. But I can't see where I missed something.

Thanks in advance for your help!

macadam

1 Answer

You almost certainly have to massage the information coming out of your ConfigurablePasswordEncryptor.

Try running this command. You can see how Tomcat expects stored-credentials to be formatted in the user database:

$CATALINA_BASE/bin/digest.sh -a SHA-256 -i 1000 -s 8 'test password'
test password:d2ff2cb07d35c790$1000$13a74a8c198db73981f0a596c1e21421596afd0ca446dfb857d3c524604e8781

Note that the "test password" is hashed, but the stored credential also stores the value of the salt and the number of hash-iterations being used. If ConfigurablePasswordEncryptor does not format its output in the same way, you will need to arrange for that to happen.

There is another option: you can arrange for Tomcat to use your own credential-handling code by implementing your own CredentialHandler. Have a look at this presentation for how to write your own CredentialHandler. See slides 21-22, and 33-39. Read the whole thing, actually, but those slides should be able to get you started if you want to use the exact same code to generate and verify your stored passwords.

Christopher Schultz
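The layout mismatch the answer describes, as an added example that is not part of the original question or answer (written in Python so it runs stand-alone; the same bytes apply in Java): it builds the 80-character salt||digest hex layout from the question, re-lays it out as the salt$iterations$digest form shown by digest.sh, and verifies a password against that form. Assumed, not confirmed by the page: that Jasypt prepends the salt to the digest in its output, and that both sides compute digest(salt || password) and then re-digest the result iterations-1 times; the salt value used below is taken from the digest.sh output above as sample input.

```python
import hashlib
import hmac
import os
from typing import Optional

# Layout from the question: 8-byte salt + 32-byte SHA-256 digest = 80 hex chars.
# Assumption: Jasypt prepends the salt to the digest in that output.
SALT_BYTES = 8
ITERATIONS = 1000
ALGORITHM = "sha256"


def iterated_digest(salt: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    """digest(salt || password), then re-digest the result iterations-1 times.
    Assumption: this is the round structure the credential handler applies."""
    md = hashlib.new(ALGORITHM)
    md.update(salt)
    md.update(password.encode("utf-8"))
    out = md.digest()
    for _ in range(iterations - 1):
        out = hashlib.new(ALGORITHM, out).digest()
    return out


def jasypt_style_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the 80-character salt||digest hex string the question describes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return (salt + iterated_digest(salt, password)).hex()


def to_tomcat_format(jasypt_hex: str, iterations: int = ITERATIONS) -> str:
    """Re-layout salt||digest hex into Tomcat's <saltHex>$<iterations>$<digestHex>."""
    if len(jasypt_hex) != 2 * SALT_BYTES + 64:
        raise ValueError("unexpected credential length %d" % len(jasypt_hex))
    salt_hex, digest_hex = jasypt_hex[:2 * SALT_BYTES], jasypt_hex[2 * SALT_BYTES:]
    return "%s$%d$%s" % (salt_hex, iterations, digest_hex)


def tomcat_matches(stored: str, password: str) -> bool:
    """Check a password against a salt$iterations$digest credential: parse the
    salt and round count out of the stored value, recompute, then compare."""
    try:
        salt_hex, iter_str, digest_hex = stored.split("$")
        salt, iterations = bytes.fromhex(salt_hex), int(iter_str)
    except ValueError:
        return False  # malformed credential (e.g. raw Jasypt layout with no '$')
    candidate = iterated_digest(salt, password, iterations).hex()
    return hmac.compare_digest(candidate, digest_hex)
```

If the round structure differs from the assumption, a converted credential will fail verification; compare one converted value against a digest.sh run for the same salt and password before migrating stored passwords.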