tomcat-dev mailing list archives

From obrand <>
Subject Proposal for changing RealmBase and implementations
Date Mon, 14 Jan 2002 16:57:18 GMT

I am not in the dev. mailing list but wanted some feedback first on one 
point I came across in Tomcat 4.0.1.

I have implemented a Security Provider and a UnixCryptDigest in order to 
treat passwords on Solaris 8 (we are using OpenLDAP and the PAM 
framework of the OS). After long research we could not find a way to 
change the password generation (MD5 vs Crypt on Solaris 8). So we are 
still using Crypt.
As I was designing and implementing a clean solution to add such a digest, 
I am facing a problem in the RealmBase where the salt is not taken care 
of. This salt is not tied to Crypt but can be used for any algorithm.

I am proposing the following:

1) Add a getSaltSize and setSaltSize in the RealmBase class.
2) Change the JNDIRealm (and later on the DB Realm, ...) to add a few 
lines of code:
  - If there is a digest then
       - If the saltSize (n) is > 0 then extract the n first bytes from 
the encoded password, prepend it to the digest (before appending the 
clear password)
3) Add my Crypt Digest to the source tree of Tomcat 4 or just leave this 
one out. If it needs to be added, a sub-package security will make sense.

Besides this, I was wondering if someone was leading the JAAS effort in 
Tomcat 4. I have done a lot of work around it (mainly recoded the full 
framework compliant with the 1.4 implementation) with a nice XML based 
JAAS Configuration class.

Could you send me some feedback on the Salt issue? If it needs to be 
added, ... the process to follow in order to add it if needed, ....
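
The salt handling proposed in points 1 and 2 above, as an added sketch that is not part of the original message and is not Tomcat code. The class name, the stored layout (salt followed by the hex digest) and the use of SHA-256 as a stand-in for Crypt are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical sketch of the proposed salt handling; not Tomcat's RealmBase.
public class SaltedRealmSketch {
    private final String algorithm; // assumed digest name, e.g. "SHA-256"
    private int saltSize;           // proposed property: number of leading salt bytes

    public SaltedRealmSketch(String algorithm, int saltSize) {
        this.algorithm = algorithm;
        this.saltSize = saltSize;
    }

    public int getSaltSize() { return saltSize; }
    public void setSaltSize(int saltSize) { this.saltSize = saltSize; }

    // Assumed stored layout: salt bytes, then hex(digest(salt || clear password)).
    public String encode(byte[] salt, String clear) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);                                    // salt goes in first
        md.update(clear.getBytes(StandardCharsets.UTF_8));  // then the clear password
        StringBuilder sb = new StringBuilder(new String(salt, StandardCharsets.ISO_8859_1));
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Realm-side check: take the first saltSize bytes of the stored value as the salt.
    public boolean matches(String stored, String clear) throws NoSuchAlgorithmException {
        byte[] storedBytes = stored.getBytes(StandardCharsets.ISO_8859_1);
        // A stored value shorter than the salt cannot be valid; reject instead of throwing.
        if (saltSize < 0 || storedBytes.length < saltSize) return false;
        byte[] salt = Arrays.copyOfRange(storedBytes, 0, saltSize);
        byte[] candidate = encode(salt, clear).getBytes(StandardCharsets.ISO_8859_1);
        // Constant-time comparison avoids leaking how many leading bytes matched.
        return MessageDigest.isEqual(storedBytes, candidate);
    }

    public static void main(String[] args) throws Exception {
        SaltedRealmSketch realm = new SaltedRealmSketch("SHA-256", 2);
        // Constructed sample: two-byte salt "ab", password "s3cret".
        String stored = realm.encode("ab".getBytes(StandardCharsets.ISO_8859_1), "s3cret");
        System.out.println("correct password: " + realm.matches(stored, "s3cret"));
        System.out.println("wrong password:   " + realm.matches(stored, "wrong"));
        System.out.println("truncated entry:  " + realm.matches("a", "s3cret"));
    }
}
```

With `saltSize` set to 0 the salt is empty and the check reduces to an unsalted digest comparison, which is the existing behaviour the message describes.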
