I need to use Container Managed Security and Authentication in my latest project. And I have a couple of queries regarding how to configure a Credential Handler.
NestedCredentialHandler is for cases when you have multiple digest methods, for example you have used MessageDigest in the past but now want to switch to a more secure PBKDF2-SHA512 configuration, and don't want to make already configured passwords invalid.
For example:
This would go inside your Realm element.
SecretKeyCredentialHandler was introduced in Tomcat 8.0.15 and uses SecretKeyFactory from the javax.crypto API rather than the old method (MessageDigest) to mutate the password. SecretKeyFactory allows for better algorithms such as PBKDF2 with HMAC-SHA-512 rather than plain hash algorithms such as SHA-512. The old method is still available via MessageDigestCredentialHandler, which is equivalent to setting the digest attribute on the Realm element directly.
Please note, setting the digest attribute directly or using MessageDigestCredentialHandler without the optional iteration attribute (8.0.15+ only) will only do one iteration. This is NOT secure.
As for what algorithms are available for SecretKeyFactory, the Java Cryptography Architecture Standard Algorithm Name Documentation for JDK 8 is the best reference I could find, but it doesn't list all combinations explicitly. These were the ones I found working on my platform (Linux 3.13.0, Oracle JDK 1.8.0_111), but yours may support other combinations.
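The following is an added example, not code from the answer above or from Tomcat itself. It shows in plain Java what the answer describes: deriving a salted, iterated PBKDF2-with-HMAC-SHA-512 credential through `javax.crypto.SecretKeyFactory`, verifying it with a constant-time compare, the single-iteration unsalted SHA-512 a bare `digest` attribute gives you for contrast, the legacy-then-upgrade step that a NestedCredentialHandler setup exists to support, and a query of `java.security.Security.getAlgorithms("SecretKeyFactory")` to list which PBKDF2 variants the running JVM actually offers (which answers the "doesn't list all combinations" problem for your own platform). The `salt$iterations$hash` hex layout, the iteration count and key length are my assumptions for the example; check them against the Tomcat version you deploy before relying on them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbkdfCredentialDemo {

    // Constructed parameters for this example; tune iterations to your hardware budget.
    static final String ALGORITHM = "PBKDF2WithHmacSHA512";
    static final int ITERATIONS = 100_000;
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    // Derive a PBKDF2 hash through SecretKeyFactory, the javax.crypto route the answer describes.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password sitting in the spec
        }
    }

    // Stored form used here: salt$iterations$hash, all hex (assumed layout, not taken from Tomcat).
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // fresh random salt per credential
        byte[] hash = pbkdf2(password, salt, ITERATIONS, KEY_BITS);
        return hex(salt) + "$" + ITERATIONS + "$" + hex(hash);
    }

    // Re-derive with the stored salt and iteration count, then compare in constant time.
    static boolean verifyPbkdf2(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        byte[] salt = unhex(parts[0]);
        int iterations = Integer.parseInt(parts[1]);
        byte[] expected = unhex(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual);
    }

    // What a bare digest="SHA-512" with no iterations attribute amounts to: one unsalted hash.
    static String legacySha512(String password) throws Exception {
        return hex(MessageDigest.getInstance("SHA-512")
                .digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    // Migration step: accept the legacy hash once, and on success return a PBKDF2 credential
    // to store in its place. Returns null when the legacy check fails.
    static String verifyLegacyAndUpgrade(String password, String legacyStored) throws Exception {
        byte[] computed = legacySha512(password).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = legacyStored.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(computed, stored)) return null;
        return hashPassword(password.toCharArray());
    }

    // Ask the JVM which PBKDF2 SecretKeyFactory variants its providers register.
    static Set<String> pbkdf2Algorithms() {
        Set<String> out = new TreeSet<>();
        for (String name : Security.getAlgorithms("SecretKeyFactory")) {
            if (name.toUpperCase().startsWith("PBKDF2")) out.add(name);
        }
        return out;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("PBKDF2 variants this JVM offers: " + pbkdf2Algorithms());
        String stored = hashPassword("correct horse".toCharArray());
        System.out.println("stored credential: " + stored);
        System.out.println("verify correct:   " + verifyPbkdf2("correct horse".toCharArray(), stored));
        System.out.println("verify wrong:     " + verifyPbkdf2("wrong".toCharArray(), stored));
        String legacy = legacySha512("correct horse");
        System.out.println("legacy upgraded:  " + verifyLegacyAndUpgrade("correct horse", legacy));
    }
}
```

Running `pbkdf2Algorithms()` on your own JDK is the quickest way to see which HMAC variants (SHA-1, SHA-256, SHA-512, and so on) `SecretKeyFactory` will accept before you commit an algorithm name to the Realm configuration; the names come back upper-cased, which is why the filter upper-cases before matching.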