tomcat-dev mailing list archives

From cmanola...@yahoo.com
Subject Re: [PATCH] encryption support in SimpleRealm.java
Date Fri, 09 Feb 2001 22:46:54 GMT
Hi Mathias,

Your patch is interesting and resolves a clear problem.

On the other hand, I would propose you create another module (let's say
CryptedRealm?). SimpleRealm should remain "simple".

What's missing is the ability to store the passwords (how do you plan to
encrypt? a passwd tool?). Maybe we can add an admin page to manage
users and passwords, and then we'll have all the elements for using
crypted passwords.

I would also propose to include this new module in 3.3. 

Costin




On Fri, 9 Feb 2001, Mathias Herberts wrote:

> Hi,
> 
> I've been playing around with Tomcat 3.2.1 as we have several production
> servers using it and was concerned by the way the passwords were stored
> in tomcat-users.xml.
> 
> The included patch modifies SimpleRealm.java
> (org.apache.tomcat.request.SimpleRealm) so it can correctly manage a
> tomcat-users.xml file whose passwords are encrypted.
> 
> The method used to handle encryption is java.security.MessageDigest,
> therefore all algorithms known by this class (without the use of an
> external Provider) can be used, mainly MD5 and SHA.
> 
> All passwords in tomcat-users.xml must be encrypted using the same
> algorithm (or no algorithm if so chosen). The algorithm of choice is
> specified in the declaration of the SimpleRealm RequestInterceptor as
> follows:
> 
>       <RequestInterceptor 
>        className="org.apache.tomcat.request.SimpleRealm" 
>        debug="1" crypt="MD5" />
> 
> The SimpleRealm request interceptor then expects all tomcat-users.xml
> passwords to be encrypted using the specified algorithm; comparison is
> case insensitive (for the encrypted part).
> 
> If you choose not to use encryption, simply omit the crypt attribute in
> the RequestInterceptor element.
> 
> As I am not a subscriber of the tomcat-dev mailing list please CC me
> when replying to my message.
> 
> Any comment welcome about this patch.
> 
> Best regards,
> 
> Mathias Herberts.

-- 
Costin
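
The scheme discussed in this thread, as an added sketch that is not code from the patch or from Tomcat: a `java.security.MessageDigest` hex entry such as a "passwd tool" would generate, checked with a case-insensitive comparison of the hex. It also contrasts the unsalted digest with a salted, iterated derivation, which goes beyond what the thread proposes. The class and method names, the UTF-8 encoding, the sample password and the PBKDF2 parameters are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration: class and method names are hypothetical, not Tomcat's.
public class DigestRealmSketch {
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    static byte[] unhex(String s) { // accepts upper- or lower-case hex
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    // What a "passwd tool" would write into tomcat-users.xml: hex(digest(password)).
    static String digest(String alg, String pw) throws Exception {
        return hex(MessageDigest.getInstance(alg).digest(pw.getBytes(StandardCharsets.UTF_8)));
    }
    // Login check: compare decoded bytes, so hex case is irrelevant, and use
    // MessageDigest.isEqual, which is constant-time on current JDKs.
    static boolean check(String alg, String stored, String supplied) throws Exception {
        return MessageDigest.isEqual(unhex(stored), unhex(digest(alg, supplied)));
    }
    // Salted, iterated alternative (assumption: not part of the thread's proposal).
    static byte[] pbkdf2(String pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    public static void main(String[] args) throws Exception {
        String stored = digest("MD5", "s3cret").toUpperCase(); // constructed sample entry
        System.out.println("correct password accepted: " + check("MD5", stored, "s3cret"));
        System.out.println("wrong password accepted:   " + check("MD5", stored, "S3cret"));
        // Unsalted digests: two users with the same password get the same entry.
        System.out.println("unsalted entries equal:    "
                + digest("MD5", "s3cret").equals(digest("MD5", "s3cret")));
        // Per-user random salt: same password, different stored values.
        SecureRandom rng = new SecureRandom();
        byte[] s1 = new byte[16], s2 = new byte[16];
        rng.nextBytes(s1); rng.nextBytes(s2);
        System.out.println("salted entries equal:      "
                + hex(pbkdf2("s3cret", s1)).equals(hex(pbkdf2("s3cret", s2))));
    }
}
```

A stored entry that is not valid hex makes `unhex` throw, so a malformed tomcat-users.xml value fails closed instead of matching.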

