tomcat-dev mailing list archives

From Arkin <>
Subject Re: more stuff on JAAS
Date Sun, 16 Apr 2000 01:57:46 GMT
> More importantly (and personally, scary) is that it retrieves the
> password from the server and compares it in the client. And it can
> only compare the password if the password is stored in UNIX crypt
> format. While a lot of LDAP servers out there do have their
> passwords stored this way, a lot of them don't and instead encrypt
> them with SHA-1.

Half true. It can only retrieve a password if the password is readable.
Most LDAP servers do not make the password readable unless you
authenticate as the user, in which case, what's the point of checking
the password?

The compare method has been introduced to allow the server to compare
the password on the server side for that reason.

> Thus to really benefit from JAAS/JNDI we'd need a new module.
> While that shouldn't be too tough to do, someone has to do it. :)
> I'm not sure if I'm looking for comments here, but I thought I'd at
> least put it on the list for history.

Anyway, as Craig pointed out there are two issues there:

* The JAAS implementation you can download from Sun only works on 1.3
due to a bug, and they are reluctant to fix it. I heard that IBM will be
shipping JAAS support in their 1.2 JDK, when it comes around.

* The LDAP login module requires an LDAP service provider. The one from
Sun is closed source and subject to license restrictions. The one from
Mozilla creates a dependency that the Apache people do not like.

We have in the past proposed to contribute an LDAP login module for
Tomcat, which we have had working for a few weeks now, open source. However,
we made the decision to temporarily not use JAAS (until the 1.2 issue is
resolved) and to use the Mozilla Directory SDK (super stable, connection
pooling, error checking, etc.) and not Sun's JNDI provider, which puts it
in conflict with Jakarta policies.


> Mark

Assaf Arkin
CTO, Exoffice Technologies, Inc.
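The server-side compare the reply refers to, as an added example in Java (not code from this thread, from Tomcat, or from the login module discussed): with Sun's JNDI provider, an OBJECT_SCOPE search using an equality filter and requesting no attributes is sent as an LDAP compareRequest, so the client never reads the stored password and the server checks the candidate against whatever format it stores. The server URL, service-account DN and password are placeholders, and it assumes the directory honours compare on hashed userPassword values.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Verifies a user's password with an LDAP compare instead of reading it. */
public final class LdapCompareCheck {

    // Hypothetical values: replace with the real directory and service account.
    private static final String LDAP_URL = "ldap://ldap.example.test:389";
    private static final String BIND_DN = "cn=tomcat-auth,ou=services,dc=example,dc=test";
    private static final String BIND_PASSWORD = "service-account-secret";

    /**
     * Returns true only if the directory reports compareTrue for userDn's
     * userPassword attribute. JNDI has no compare() call of its own; the
     * documented idiom is an OBJECT_SCOPE search with an equality filter and
     * an empty returning-attribute list, which the provider sends as compare.
     */
    public static boolean passwordMatches(String userDn, String candidate)
            throws NamingException {
        if (candidate == null || candidate.isEmpty()) {
            return false; // never let an empty credential reach the directory
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
            ctls.setReturningAttributes(new String[0]); // a yes/no, not the hash
            // {0} is substituted by the provider, so the candidate is never
            // spliced into filter syntax by hand.
            NamingEnumeration<SearchResult> answer = ctx.search(
                    userDn, "(userPassword={0})", new Object[] { candidate }, ctls);
            try {
                return answer.hasMore(); // one entry back means compareTrue
            } finally {
                answer.close();
            }
        } finally {
            ctx.close();
        }
    }
}
```

A caller that wants to reject unknown users separately should treat NamingException from the search as "no such entry" rather than as a failed password.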
