  1. Modules
  2. MODULES-10054

Tomcat: Support CredentialHandler Elements In tomcat::config::server::realm

Details

    • New Feature
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • None
    • None
    • tomcat
    • None
      • Tomcat module: 3.1.0
      • PE 2019.1.0
      • Oracle Linux 7 on PE Master and Agent
    • Needs Assessment

    Description

      It appears the "digest" attribute of Realm elements was deprecated in Tomcat 8.0 and removed in Tomcat 8.5. If a user wants to use digested passwords in their conf/tomcat-users.xml in Tomcat 8.5+, they need to create a CredentialHandler element inside the Realm element, with attributes set to match how the passwords in that file were digested. The tomcat::config::server::realm resource supports setting additional attributes on the Realm element, but does not seem to support additional child XML elements. It would be nice if it did, or at least had a limited mechanism for supporting digested passwords in Tomcat 8.5+.

      As a workaround, I ended up with the following tomcat::config::server::realm and Augeas resource definitions. It's very much a workaround; hopefully more seasoned module contributors can arrive at a more robust and flexible solution.

           tomcat::config::server::realm { 'tomcat local users for tomcat 8+':
             class_name            => 'org.apache.catalina.realm.UserDatabaseRealm',
             parent_realm          => 'org.apache.catalina.realm.LockOutRealm',
             additional_attributes => {
               'resourceName' => 'UserDatabase',
             },
             before                => Augeas['CredentialHandler for Tomcat 8+ UserDatabaseRealm'],
           }
           augeas { 'CredentialHandler for Tomcat 8+ UserDatabaseRealm':
             incl    => "${tomcat_catalina_home}/conf/server.xml",
             lens    => 'Xml.lns',
             changes => [
               'set //Realm[#attribute/puppetName="tomcat local users for tomcat 8+"]/CredentialHandler/#attribute/className "org.apache.catalina.realm.MessageDigestCredentialHandler"',
               'set //Realm[#attribute/puppetName="tomcat local users for tomcat 8+"]/CredentialHandler/#attribute/algorithm "SHA-512"',
             ],
           }
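
A check for the result of this workaround, added here as an example (it is not part of the original report or of the Tomcat module): it parses a server.xml and reports, for each credential-holding Realm, whether the removed `digest` attribute is still present and whether a nested CredentialHandler declares the expected algorithm. The function name `audit_realms` and the sample XML are constructed for illustration; the expected algorithm is assumed to be the one used to digest the passwords in conf/tomcat-users.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Realm nesting the workaround above is meant to produce.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               puppetName="tomcat local users for tomcat 8+"
               resourceName="UserDatabase">
          <CredentialHandler
              className="org.apache.catalina.realm.MessageDigestCredentialHandler"
              algorithm="SHA-512"/>
        </Realm>
      </Realm>
    </Engine>
  </Service>
</Server>"""


def audit_realms(server_xml, expected_algorithm="SHA-512"):
    """Return (realm className, finding) tuples for the Realm elements in server_xml."""
    findings = []
    for realm in ET.fromstring(server_xml).iter("Realm"):
        name = realm.get("className", "<no className>")
        # The Realm "digest" attribute was removed in Tomcat 8.5; flag leftovers.
        if realm.get("digest") is not None:
            findings.append((name, "legacy digest attribute"))
        # A container realm (e.g. LockOutRealm) delegates to its nested realms.
        if realm.find("Realm") is not None:
            continue
        handler = realm.find("CredentialHandler")
        if handler is None:
            findings.append((name, "missing CredentialHandler"))
        elif handler.get("algorithm") != expected_algorithm:
            findings.append((name, "algorithm mismatch: %r" % handler.get("algorithm")))
        else:
            findings.append((name, "ok"))
    return findings


if __name__ == "__main__":
    for class_name, finding in audit_realms(SAMPLE_SERVER_XML):
        print(class_name, "->", finding)
```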
      


          People

            Unassigned Unassigned
            warden David Warden