tomcat-dev mailing list archives

From: Tim Funk
Subject: Netscape Directory Server vs JNDIRealm (password woes)
Date: Fri, 28 Jun 2002 17:56:09 GMT

I am using Netscape Directory Server and was unable to get it to work 
with the JNDIRealm (because of password formats). I finally hacked a 
solution together but was wondering if there were better suggestions.

Quick background:

in JNDIRealm.compareCredentials(): (4.0.X and it seems 4.1.X also has 
this issue)
  if (hasMessageDigest()) {
      // Hex hashes should be compared case-insensitive
      validated = (digest(credentials).equalsIgnoreCase(password));
  } else
      validated = (digest(credentials).equals(password));

credentials is the password as entered by the user (still in plaintext). 
password is the value returned from LDAP. The password is digested via 
SHA1 coming out of LDAP.

The Problem:
digest() will use SHA1 but convert the string to a hex string. Coming 
out of Netscape - I am getting {SHA1} followed by the password in Base64 
encoding. Actually, I believe if the password is not cleartext, the 
password will be preceded by {ALGORITHM} but I cannot confirm that from 
any kind of documentation.

In my hack, I have this code instead:
if (hasMessageDigest()) {
     //iPlanet crap - is encoded base64 and crapified
     //Assuming SHA1  - and server.xml told this
     if (password.startsWith("{")) {
         password = password.substring(5);
         String b64 = new 
         validated = (b64.equals(password));
     } else {
         // Hex hashes should be compared case-insensitive
         validated = (digest(credentials).equalsIgnoreCase(password));
     }
} else {
     validated = (digest(credentials).equals(password));
}

I really don't like the code above either, and was wondering if anyone 
else had a better idea? Whatever solution occurs may also have an effect 
on I am willing to code any solution if a good one is 

Tim Funk
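
Added example, not part of the original message and not Tomcat's code: one way to check credentials against a {SCHEME}-prefixed Base64 value as well as the unprefixed hex form discussed above, reading the scheme name up to the closing brace rather than assuming a fixed prefix length. It goes beyond the post by also handling the salted {SSHA} form; the class name, the accepted scheme names (SHA, SHA1, SSHA) and the UTF-8 password encoding are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;

// Added example: hypothetical helper, not Tomcat's JNDIRealm code.
public class LdapPasswordCheck {
    static byte[] sha1(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }
    /** Returns true if the plaintext credentials match the stored LDAP value. */
    static boolean matches(String credentials, String stored) throws Exception {
        byte[] input = credentials.getBytes(StandardCharsets.UTF_8);
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) {
            // No {SCHEME} prefix: assume a hex SHA-1 digest, compared case-insensitively.
            String hex = String.format("%040x", new BigInteger(1, sha1(input)));
            return MessageDigest.isEqual(hex.getBytes(StandardCharsets.US_ASCII),
                    stored.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII));
        }
        // Read the scheme up to '}' instead of assuming a fixed prefix length.
        String scheme = stored.substring(1, close).toUpperCase(Locale.ROOT);
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64: reject
        }
        if (scheme.equals("SHA") || scheme.equals("SHA1")) {
            // Compare the raw digest bytes; no hex or Base64 string comparison needed.
            return MessageDigest.isEqual(sha1(input), decoded);
        }
        if (scheme.equals("SSHA") && decoded.length > 20) {
            // Salted: the first 20 bytes are SHA-1(password + salt), the rest is the salt.
            byte[] salted = Arrays.copyOf(input, input.length + decoded.length - 20);
            System.arraycopy(decoded, 20, salted, input.length, decoded.length - 20);
            return MessageDigest.isEqual(sha1(salted), Arrays.copyOf(decoded, 20));
        }
        return false; // unknown scheme: fail closed
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values: both are SHA-1 digests of the string "password".
        System.out.println(matches("password", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="));
        System.out.println(matches("password", "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"));
        System.out.println(matches("wrong", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="));
    }
}
```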
