tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Implementing JDBC realm with encryption
Date Thu, 27 Dec 2001 18:23:03 GMT


On Thu, 27 Dec 2001, Roland wrote:

> Date: Thu, 27 Dec 2001 12:52:08 -0200
> From: Roland <roland@netquant.com.br>
> Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> To: tomcat-dev@jakarta.apache.org
> Subject: Implementing JDBC realm with encryption
>
> Hello,
> I want to implement my own JDBC realm with browser-side password
> encryption. The idea is to hash the password together with the sessionId
> and a random variable using SHA-1 on the browser side with Javascript. The
> hash is then sent to the server. This prevents hackers from retrieving the
> password in plain text from the internet. Has anything like this been
> implemented already? How do I start to implement it myself?
>

I think you might be confusing some concepts -- a Realm doesn't talk
directly to a browser.  Let's divide up the transaction like this:


  Browser   ---username/password--> Container ---username/password--> Realm


Now, are you concerned about encrypting the Browser-->Container or the
Container-->Realm path?  The two are completely independent of each other:

* For Browser-->Container, the best thing to do is use
  DIGEST (if your browser supports it) or CLIENT-CERT
  authentication.  In those cases, the password that
  goes across the wire is already encrypted for you.

* For Container-->Realm, the existing Realm implementations
  have the ability to store the password in an encrypted
  form (rather than clear-text).  See the server configuration
  documentation about realms - in particular the "digest"
  attribute.

> Thanks, Roland
>

Craig McClanahan


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
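The two paths Craig separates can be shown with plain HTTP Digest arithmetic (RFC 2617, without the qop option): the browser sends a hash of the password bound to a server nonce, and the server can verify it from a stored HA1 digest rather than a clear-text password. This is an added example, not code from the thread or from Tomcat; the realm name, user, password and URI are constructed values, and Tomcat's own stored-digest format is not shown here.

```python
import hashlib
import secrets

# Constructed sample values for illustration only (not from the mailing-list post).
REALM = "Example Realm"
USERNAME = "roland"
PASSWORD = "correct horse battery"
METHOD = "GET"
URI = "/protected/index.jsp"


def md5_hex(s: str) -> str:
    """MD5 is what the Digest scheme itself specifies; it is not a general-purpose choice."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1. This is what the Container-->Realm side can store
    instead of the clear-text password; it is enough to verify responses."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """Browser-->Container: the value that crosses the wire. The password
    itself never does, and the nonce ties the value to one challenge."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


def verify_response(stored_ha1: str, nonce: str, method: str, uri: str,
                    response: str) -> bool:
    """Container side: recompute from the stored HA1 (no clear text needed)
    and compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo() -> bool:
    """One challenge/response round plus a replay under a fresh nonce."""
    nonce = secrets.token_hex(16)            # server-chosen per challenge
    stored = ha1(USERNAME, REALM, PASSWORD)  # what the realm keeps, not PASSWORD
    resp = digest_response(USERNAME, REALM, PASSWORD, nonce, METHOD, URI)
    accepted = verify_response(stored, nonce, METHOD, URI, resp)
    # The same response presented against a new nonce must be rejected.
    replayed = verify_response(stored, secrets.token_hex(16), METHOD, URI, resp)
    return accepted and not replayed
```

Note that the stored HA1 is still sufficient to answer Digest challenges for that user, so the realm's credential store needs the same protection a password table would.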

