tomcat-dev mailing list archives

From Mathias Herberts <Mathias.Herbe...@iroise.net>
Subject [PATCH] encryption support in SimpleRealm.java
Date Fri, 09 Feb 2001 21:53:49 GMT

Hi,

I've been playing around with Tomcat 3.2.1 as we have several production
servers using it and was concerned by the way the passwords were stored
in tomcat-users.xml.

The included patch modifies SimpleRealm.java
(org.apache.tomcat.request.SimpleRealm) so it can correctly manage a
tomcat-users.xml file whose passwords are encrypted.

The method used to handle encryption is java.security.MessageDigest,
therefore all algorithms known by this class (without the use of an
external Provider) can be used, mainly MD5 and SHA.

All passwords in tomcat-users.xml must be encrypted using the same
algorithm (or no algorithm if so chosen). The algorithm of choice is
specified in the declaration of the SimpleRealm RequestInterceptor as
follows:

      <RequestInterceptor 
       className="org.apache.tomcat.request.SimpleRealm" 
       debug="1" crypt="MD5" />

The SimpleRealm request interceptor then expects all tomcat-users.xml
passwords to be encrypted using the specified algorithm; comparison is
case insensitive (for the encrypted part).

If you choose not to use encryption, simply omit the crypt attribute in
the RequestInterceptor element.

As I am not a subscriber of the tomcat-dev mailing list please CC me
when replying to my message.

Any comments about this patch are welcome.

Best regards,

Mathias Herberts.
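
Added example, not part of the original message or its patch: a sketch of the check the message describes, where the stored password is a java.security.MessageDigest value selected by the crypt attribute and compared case-insensitively. The class and method names are hypothetical, and the hex output format and UTF-8 input encoding are assumptions, since the message states neither.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Added illustration, not the patch's code. All names here are hypothetical.
public class DigestPasswordExample {

    // Digest the clear-text password with the algorithm named in the crypt
    // attribute and return lower-case hex. Hex output and UTF-8 input are
    // assumptions; the message does not specify either.
    static String digestHex(String algorithm, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    // Check a submitted password against the value stored in tomcat-users.xml.
    // crypt == null models an interceptor declared without the crypt attribute.
    static boolean matches(String crypt, String stored, String submitted)
            throws NoSuchAlgorithmException {
        String computed = (crypt == null) ? submitted : digestHex(crypt, submitted);
        // Only the digest form is compared case-insensitively; clear text stays exact.
        String expected = (crypt == null) ? stored : stored.toLowerCase(Locale.ROOT);
        // MessageDigest.isEqual avoids the early exit of String.equals.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                computed.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: upper-case digest, as an admin might paste it.
        String stored = digestHex("MD5", "tomcat").toUpperCase(Locale.ROOT);
        System.out.println("stored value: " + stored);
        System.out.println("correct password: " + matches("MD5", stored, "tomcat"));
        System.out.println("wrong password:   " + matches("MD5", stored, "Tomcat"));
        System.out.println("no crypt attr:    " + matches(null, "tomcat", "tomcat"));
    }
}
```

The stored value is a one-way, unsalted digest rather than reversible encryption, so two users with the same password get the same entry in tomcat-users.xml.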