
List:       tomcat-user
Subject:    Re: Alternate password encryption code?
From:       "Phil Steitz" <phil () steitz ! com>
Date:       2003-05-31 16:24:50

Jeff Sexton wrote:
> On Thu, 29 May 2003, Raible, Matt wrote:
> 
>>Why don't you just have the JDBCRealm do it - add digest="SHA".
> 
> 
> I need something other than SHA, I need to use my own custom code for an
> encryption method of my own that is not provided by JDBCRealm
> 
> 
>>To programmatically do it using form-based authentication, I've used a
>>LoginServlet that's mapped to "auth" in my login.jsp's form.  In this
>>servlet, I encrypt the password and redirect to "j_security_check" - is that
>>what you're looking for?
> 
> 
> Maybe.  I'll do some reading about form-based authentication.  I'm not
> sure.
> 
> I'm after this because I already have set up a JDBCRealm based system,
> with BASIC authentication, and SHA, under Tomcat for both servlets and
> cocoon stuff.  Now I want to tie this together with another application
> that encrypts passwords differently from any method available in JDBCRealm.
> 
> I have the code for the encryption.  If I could simply drop this code into
> the user validation JDBCRealm does for me in Tomcat, it'd be great because
> the security would all work and I wouldn't have to create any
> user/password management pages of my own.

Based on the documentation here

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords

and a quick look at the sources here

http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain

it does not look to me like you are going to be able to do this without 
hacking the JDBC Realm implementation.  The tomcat JDBC Realm 
implementation supports digested (*not* encrypted) passwords using 
java.security.MessageDigest to do the hashing.  This means that the 
hashing must be performed using one of the standard algorithms specified 
here
http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA

You are probably best off going with one of the approaches that Matt has 
outlined if you want to serve login pages from the tomcat nodes.


Phil



> 
> If I can do this, I can tie Tomcat authentication to the password system
> my company has on other systems.
> 
> Any tips are helpful!  I'm a little lost with this.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
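As an added example (not code from this thread or from Tomcat itself), the "hack the realm" route Phil mentions can be done as a subclass instead of a patch: JDBCRealm inherits RealmBase.digest(String), which authenticate() applies to the submitted password before comparing it with the stored column, so overriding that one method swaps in a non-MessageDigest transform. The package, class name and companyHash routine are assumptions standing in for the poster's own code.

```java
package com.example.realm;                       // hypothetical package

import java.security.MessageDigest;
import org.apache.catalina.realm.JDBCRealm;

/**
 * JDBCRealm whose password transform is our own routine rather than a
 * bare java.security.MessageDigest algorithm.
 *
 * server.xml (leave the "digest" attribute off; with it set, RealmBase
 * also builds a MessageDigest and compares hex case-insensitively):
 *
 *   <Realm className="com.example.realm.CustomDigestJDBCRealm"
 *          driverName="..." connectionURL="..." userTable="users"
 *          userNameCol="user_name" userCredCol="user_pass"
 *          userRoleTable="user_roles" roleNameCol="role_name"/>
 */
public class CustomDigestJDBCRealm extends JDBCRealm {

    // Assumption: stands in for the company's real routine. Here it is a
    // salted, iterated SHA-1 rendered as lowercase hex; the salt and round
    // count would be shared with the other system so both sides store the
    // same value (constructed values below, not real ones).
    private static final String SALT = "constructed-example-salt";
    private static final int ROUNDS = 1000;

    static String companyHash(String plain) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] out = md.digest((SALT + plain).getBytes("UTF-8"));
            for (int i = 1; i < ROUNDS; i++) {
                md.reset();
                out = md.digest(out);
            }
            StringBuffer hex = new StringBuffer(out.length * 2);
            for (int i = 0; i < out.length; i++) {
                int b = out[i] & 0xff;
                if (b < 0x10) hex.append('0');
                hex.append(Integer.toHexString(b));
            }
            return hex.toString();
        } catch (Exception e) {
            // Fail closed: never fall back to comparing the plain password.
            throw new IllegalStateException("hashing unavailable: " + e);
        }
    }

    // RealmBase.digest(String) is what JDBCRealm.authenticate() runs on the
    // submitted password before the equals() check against userCredCol.
    // (No @Override annotation: Tomcat 4.1 targets JDK 1.4.)
    protected String digest(String credentials) {
        return companyHash(credentials);
    }
}
```

Because the realm compares with equals() when no digest attribute is configured, the value stored in userCredCol must match companyHash() byte for byte, including hex case.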



