How to configure MySQL as Tomcat 9 realm for user credentials


I am trying to connect a MySQL user table as a realm to my Tomcat 9. The user and roles are managed in 2 tables, as you can see in the realm configuration below. The passwords are MD5-hashed and Base64-encoded.

Unfortunately, I do not get it running properly.

REALM CONFIGURATION:

<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->

<!--<Realm className="org.apache.catalina.realm.LockOutRealm"> -->
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->

        <!--<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>-->

                <!-- Custom realm for user database -->
                <Realm className="org.apache.catalina.realm.JDBCRealm"
                        debug="99"
                        driverName="com.mysql.cj.jdbc.Driver"
                        connectionURL="jdbc:mysql://mysqlserver.example.com:3306/database?useUnicode=true&amp;characterEncoding=UTF-8&amp;serverTimezone=UTC&amp;verifyServerCertificate=false&amp;useSSL=true&amp;requireSSL=true&amp;autoReconnect=true"
                        connectionName="MYSQLDB"
                        connectionPassword="MYSQL_PASSWORD"
                        userTable="myuser" userNameCol="username" userCredCol="password"
                        userRoleTable="myuser_roles" roleNameCol="role"/>
                        <CredentialHandler
                        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                        algorithm="{MD5}encodedCredential"
                        iterations="1"
                        saltLength="0"/>
<!-- </Realm> -->

WORKS:

When I save a password as plain text in the database and remove the CredentialHandler from the configuration, it works. So, the database connection/configuration seems to be correct.

DOES NOT WORK:

As soon as the password is saved hashed and encoded, it does not work anymore. I tried several CredentialHandler settings, but I always get an error, for example the latest:

WARNING [main] org.apache.tomcat.util.digester.Digester.endElement No rules found matching [Server/Service/Engine/CredentialHandler]

or

WARNING [main] org.apache.catalina.realm.CombinedRealm.setCredentialHandler A CredentialHandler was set on an instance of the CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm doesn't use a configured CredentialHandler. Is this a configuration error?

As you can see, I also tried to comment out the existing lockout realm or put the CredentialHandler into it. Nevertheless, it does not work yet.

What can I do?

Thanks in advance!


There are 1 answers

Ted Cahall On BEST ANSWER

Your "CredentialHandler" is sitting outside of your "Realm". That may be one of your issues (you close the Realm at the end of the "roleNameCol"). I also list the algorithm in my code as simply "MD5" vs what you show. That may also be a problem.

I would fix it such as below (I explicitly close the "CredentialHandler" and the "Realm" to be more clear):

<Realm className="org.apache.catalina.realm.JDBCRealm"
    debug="99"
    driverName="com.mysql.cj.jdbc.Driver"
    connectionURL="jdbc:mysql://mysqlserver.example.com:3306/database?useUnicode=true&amp;characterEncoding=UTF-8&amp;serverTimezone=UTC&amp;verifyServerCertificate=false&amp;useSSL=true&amp;requireSSL=true&amp;autoReconnect=true"
    connectionName="MYSQLDB"
    connectionPassword="MYSQL_PASSWORD"
    userTable="myuser" userNameCol="username" userCredCol="password"
    userRoleTable="myuser_roles" roleNameCol="role">
    <!-- Nested inside the Realm; algorithm is a plain MessageDigest name -->
    <CredentialHandler
        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
        algorithm="MD5"
        iterations="1"
        saltLength="0">
    </CredentialHandler>
</Realm>
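
The following is an added example, not part of the question or the answer above: a small Python check of which encoding a value in the `password` column uses. It assumes `algorithm="MD5"`, `iterations="1"`, `saltLength="0"`, and that the handler compares an unsalted stored value either as a hex digest or, when it starts with `{MD5}`, as Base64; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac


def stored_forms(password: str, encoding: str = "utf-8") -> dict:
    """Encodings of an unsalted, single-iteration MD5 digest of `password`.

    The encoding is an assumption; it only matters for non-ASCII passwords.
    """
    digest = hashlib.md5(password.encode(encoding)).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return {
        "hex": digest.hex(),                # plain hex digest
        "prefixed-base64": "{MD5}" + b64,   # Base64 with the {MD5} marker
        "bare-base64": b64,                 # Base64 without any marker
    }


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_stored(password: str, stored: str) -> tuple:
    """Return (form, accepted) for one stored column value.

    `accepted` is True only for the two forms assumed to be comparable
    by the handler: hex (case-insensitive) and {MD5}-prefixed Base64.
    """
    forms = stored_forms(password)
    if stored.startswith("{MD5}"):
        return "prefixed-base64", _same(stored, forms["prefixed-base64"])
    if "$" in stored:
        # Salted salt$iterations$hash values are outside this check.
        return "salt$iterations$hash", False
    if _same(stored.lower(), forms["hex"]):
        return "hex", True
    if _same(stored, forms["bare-base64"]):
        # Correct digest, but Base64 with no marker is read as hex and fails.
        return "bare-base64", False
    return "unknown", False


if __name__ == "__main__":
    # Constructed sample password, not taken from the page.
    for name, value in stored_forms("secret").items():
        print(name, value, check_stored("secret", value))
```

A row that reports `bare-base64` holds the right digest in an encoding the handler would read as hex, so the stored value needs the `{MD5}` prefix or a hex re-encoding.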