tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Implementing JDBC realm with encryption
Date Thu, 27 Dec 2001 18:23:03 GMT

On Thu, 27 Dec 2001, Roland wrote:

> Date: Thu, 27 Dec 2001 12:52:08 -0200
> From: Roland <>
> Reply-To: Tomcat Developers List <>
> To:
> Subject: Implementing JDBC realm with encryption
> Hello,
> I want to implement my own JDBC realm with browser-side password
> encryption. The idea is to hash the password together with the sessionId
> and a random variable using SHA-1 on the browser side with Javascript. The
> hash is then sent to the server. This prevents hackers from retrieving the
> password in plain text from the internet. Has anything like this been
> implemented already? How do I start to implement it myself?

I think you might be confusing some concepts -- a Realm doesn't talk
directly to a browser.  Let's divide up the transaction like this:

  Browser   ---username/password--> Container ---username/password--> Realm

Now, are you concerned about encrypting the Browser-->Container or the
Container-->Realm path?  The two are completely independent of each other:

* For Browser-->Container, the best thing to do is use
  DIGEST (if your browser supports it) or CLIENT-CERT
  authentication.  In those cases, the password that
  goes across the wire is already encrypted for you.

* For Container-->Realm, the existing Realm implementations
  have the ability to store the password in an encrypted
  form (rather than clear-text).  See the server configuration
  documentation about realms - in particular the "digest"

> Thanks, Roland

Craig McClanahan
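Added example (not from this thread and not Tomcat's own code) showing the two independent paths in Craig's reply: on the Browser-->Container path, HTTP Digest (RFC 2617, shown here without qop) sends MD5(HA1:nonce:HA2) instead of the password; on the Container-->Realm path, the realm column holds a hex digest of the password and the realm compares digests. The user, realm name, password and nonce are constructed sample values, and storing the RFC 2617 HA1 for DIGEST users is assumed here rather than taken from the Tomcat documentation.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def realm_ha1(username: str, realm: str, password: str) -> str:
    """What a DIGEST-capable realm stores per user (RFC 2617 HA1):
    MD5(username:realm:password). The clear-text password is not needed later."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_digest_response(username, realm, password, method, uri, nonce):
    """Browser side of HTTP Digest without qop: the only credential that
    crosses the wire is MD5(HA1:nonce:HA2), bound to this nonce and request."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{realm_ha1(username, realm, password)}:{nonce}:{ha2}")


def server_verify_digest(stored_ha1, method, uri, nonce, response):
    """Container side: recompute from the stored HA1 only; no password needed."""
    ha2 = md5_hex(f"{method}:{uri}")
    return hmac.compare_digest(md5_hex(f"{stored_ha1}:{nonce}:{ha2}"), response)


def digested_password(password: str, algorithm: str = "sha1") -> str:
    """Container-->Realm form for BASIC/FORM logins against a realm whose
    'digest' attribute names a hash: the column holds hex(hash(password))."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def realm_authenticate(stored_digest, submitted_password, algorithm="sha1"):
    """The realm compares digest to digest, so a dumped table reveals no passwords."""
    return hmac.compare_digest(stored_digest,
                               digested_password(submitted_password, algorithm))


if __name__ == "__main__":
    # Constructed sample user; the nonce would come from the server's challenge.
    user, realm, pw, nonce = "roland", "Tomcat Realm", "s3cret", "abc123nonce"
    stored = realm_ha1(user, realm, pw)
    resp = client_digest_response(user, realm, pw, "GET", "/app/", nonce)
    print("DIGEST ok:", server_verify_digest(stored, "GET", "/app/", nonce, resp))
    print("JDBC realm ok:", realm_authenticate(digested_password(pw), pw))
```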
