tomcat-dev mailing list archives

From Roland <>
Subject Re: Implementing JDBC realm with encryption
Date Thu, 03 Jan 2002 13:06:47 GMT

> > Hello,
> > I want to implement my own JDBC realm with browser-side password
> > encryption. The idea is to hash the password together with the sessionId
> > and a random variable using SHA-1 on the browser side with JavaScript. The
> > hash is then sent to the server. This prevents hackers from retrieving the
> > password in plain text from the internet. Has anything like this been
> > implemented already? How do I start to implement it myself?
> >
>I think you might be confusing some concepts -- a Realm doesn't talk
>directly to a browser.  Let's divide up the transaction like this:
>   Browser   ---username/password--> Container ---username/password--> Realm
>Now, are you concerned about encrypting the Browser-->Container or the
>Container-->Realm path?  The two are completely independent of each other:

I'm concerned about encrypting the Browser-->Container path. The problem 
with my particular approach is that I will send a SHA-1 hash from the 
browser to the container. The container will have no means to retrieve the 
original password from the hash. That means that the Realm will only 
receive a hash of the password (and the sessionId). So the realm has to know 
this and act accordingly. In this case that means that the realm would have 
to retrieve the password from the JDBC database (assuming a JDBC realm here), 
hash it with the actual sessionId from the requesting user, and compare the 
received hash with the produced hash to see if they match. So the realm has 
to be changed accordingly, knowing that it won't receive a plain text password.

>* For Browser->Container, the best thing to do is use
>   DIGEST (if your browser supports it) or CLIENT-CERT
>   authentication.  In those cases, the password that
>   goes across the wire is already encrypted for you.

That's fine, but AFAIK those two methods presuppose some underlying technology 
like SSL. But what if SSL is not available? My idea is to provide an 
encryption that is independent of any underlying technology. The generation 
of the hash on the browser would just be a little JavaScript (already 
implemented). The only thing to change would be on the Container/Realm side 
to be able to process the generated SHA-1 hash correctly.

>* For Container-->Realm, the existing Realm implementations
>   have the ability to store the password in an encrypted
>   form (rather than clear-text).  See the server configuration
>   documentation about realms - in particular the "digest"
>   attribute.

I knew that, but my point is really to encrypt the password at the browser, 
so that it doesn't get sent over the internet in plain text format.


