Tomcat Servlet Security
I am toying with tomcat security for servlets. In my server.xml I have
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"
       digest="SHA"/>
and in my tomcat-users.xml
<user username="zenon" password="qazxsw" roles="proby"/>
<user username="andrzej" password="1c29cf0ceb89afce131e27b76c18af1e9cf7f5e3" roles="admin-gui,manager-gui,proby,role1"/>
web.xml of a very simple application
<security-constraint>
    <display-name>No Pasaran</display-name>
    <web-resource-collection>
        <web-resource-name>Tylko dla memberow</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>proby</role-name>
        <role-name>role1</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>UserDatabase</realm-name>
</login-config>
so when auth-method is BASIC I can log in with username: andrzej and password: qazxsw (this long password of andrzej is the SHA of qazxsw), so it seems that now, when I send the password, he is already digesting it before comparing.
I think so because when I use DIGEST as auth-method I can't log in. Is he digesting the password twice before comparing it?
If yes, is there any other way than https to secure such things at container level?
First of all, HTTP DIGEST doesn't use SHA, it uses MD5, unfortunately. You will need to replace SHA with MD5 in both your Realm defined in server.xml and in the command line you use to generate password digests. Then, as the Tomcat documentation suggests, in case your realm passwords are digested, the ways to generate passwords for the BASIC and DIGEST auth mechanisms are different. So you can't possibly use the same password digest to test both the BASIC and DIGEST methods.
In case of BASIC you generate password digest with this:
and in case of DIGEST it is:
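To make the answer's point concrete, here is an added Python model (not code from the original post or from Tomcat) of how a digested realm checks credentials under BASIC versus DIGEST, using the question's username andrzej, realm-name UserDatabase and password qazxsw; the request URI and nonce are constructed, and the server-side DIGEST check using the stored value directly as HA1 is my reading of the behaviour the answer describes.

```python
import hashlib
import hmac

# Added example (not Tomcat's code): models how a digested Tomcat realm checks
# credentials under BASIC versus DIGEST, to show why one stored value cannot
# serve both. Names/values from the question: user andrzej, realm-name
# UserDatabase, password qazxsw. Nonce and URI below are constructed.

def basic_stored_digest(password: str, algorithm: str = "md5") -> str:
    """Value stored for BASIC/FORM auth in a digested realm: H(password) as hex.
    With digest="SHA" this is sha1(password), as in the question's tomcat-users.xml."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()

def digest_stored_ha1(username: str, realm: str, password: str) -> str:
    """Value stored for DIGEST auth: MD5(username:realm:password), RFC 2617 'HA1'.
    HTTP Digest fixes the algorithm to MD5, hence the answer's SHA -> MD5 advice."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()

def _ha2(method: str, uri: str) -> str:
    return hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()

def client_digest_response(username, realm, password, method, uri, nonce) -> str:
    """What a browser puts in 'Authorization: Digest ... response=...' (no qop):
    MD5(HA1:nonce:HA2). The browser knows the cleartext password."""
    ha1 = digest_stored_ha1(username, realm, password)
    return hashlib.md5(f"{ha1}:{nonce}:{_ha2(method, uri)}".encode("utf-8")).hexdigest()

def basic_accepts(stored: str, supplied_password: str, algorithm: str = "md5") -> bool:
    """BASIC: the container digests the cleartext it received and compares."""
    return hmac.compare_digest(stored, basic_stored_digest(supplied_password, algorithm))

def digest_accepts(stored: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """DIGEST: the container never sees the password; it uses the stored value
    as HA1 directly, so only an HA1-shaped entry can ever match."""
    expected = hashlib.md5(f"{stored}:{nonce}:{_ha2(method, uri)}".encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    user, realm, pw = "andrzej", "UserDatabase", "qazxsw"
    method, uri, nonce = "GET", "/app/", "constructed-nonce-0123"  # constructed values
    basic_entry = basic_stored_digest(pw)              # MD5(qazxsw): BASIC-style entry
    digest_entry = digest_stored_ha1(user, realm, pw)  # MD5(andrzej:UserDatabase:qazxsw)
    resp = client_digest_response(user, realm, pw, method, uri, nonce)
    return {
        "basic_with_basic_entry": basic_accepts(basic_entry, pw),                           # True
        "digest_with_basic_entry": digest_accepts(basic_entry, method, uri, nonce, resp),   # False
        "digest_with_digest_entry": digest_accepts(digest_entry, method, uri, nonce, resp), # True
    }
```

The middle result is exactly the question's symptom: a tomcat-users.xml entry that works for BASIC is structurally the wrong value for DIGEST, independent of whether it was hashed once or twice.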