Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-10054

Tomcat: Support CredentialHandler Elements In tomcat::config::server::realm



    • New Feature
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • None
    • None
    • tomcat
    • None
      • Tomcat module: 3.1.0
      • PE 2019.1.0
      • Oracle Linux 7 on PE Master and Agent
    • Needs Assessment


      It appears the "digest" attribute of Realm elements was deprecated in Tomcat 8.0 and removed in Tomcat 8.5. If a user wants to use digested passwords in their conf/tomcat-users.xml in Tomcat 8.5+, they need to create a CredentialHandler element inside the Realm element, with attributes set to match how the passwords in that file were digested. The tomcat::config::server::realm resource supports setting additional attributes on the Realm element, but does not seem to support additional child XML elements. It would be nice if it did, or at least had a limited mechanism for supporting digested passwords in Tomcat 8.5+.

      As a workaround, I ended up with the following tomcat::config::server::realm and Augeas resource definitions. It's very much a workaround; hopefully more seasoned module contributors can arrive at a more robust and flexible solution.

           tomcat::config::server::realm { 'tomcat local users for tomcat 8+':
             class_name            => 'org.apache.catalina.realm.UserDatabaseRealm',
             parent_realm          => 'org.apache.catalina.realm.LockOutRealm',
             additional_attributes => {
               'resourceName' => 'UserDatabase',
             before                => Augeas['CredentialHandler for Tomcat 8+ UserDatabaseRealm'],
           augeas { 'CredentialHandler for Tomcat 8+ UserDatabaseRealm':
             incl    => "${tomcat_catalina_home}/conf/server.xml",
             lens    => 'Xml.lns',
             changes => [
               'set //Realm[#attribute/puppetName="tomcat local users for tomcat 8+"]/CredentialHandler/#attribute/className "org.apache.catalina.realm.MessageDigestCredentialHandler"',
               'set //Realm[#attribute/puppetName="tomcat local users for tomcat 8+"]/CredentialHandler/#attribute/algorithm "SHA-512"',




            Unassigned Unassigned
            warden David Warden
            0 Vote for this issue
            1 Start watching this issue



              Zendesk Support