Date: 7 Oct 2004 22:31:39 -0000
Message-ID: <20041007223139.28872.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 31592] New: - storage format of digested realm passwords depends on default charset
List-Id: "Tomcat Developers List"
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=31592

           Summary: storage format of digested realm passwords depends on default charset
           Product: Tomcat 5
           Version: 5.0.0
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: hontvari3@solware.com

The documentation specifies the digest algorithms which can be used to avoid storing plain text passwords. Unfortunately passwords are strings and the input of digest algorithms are bytes, but the conversion between the two - the charset encoding to be used - is not specified.

Looking at the source of org.apache.tomcat.modules.aaa.RealmBase it turns out that it uses the system default charset encoding, which is usually a bad idea for server software. E.g., moving the server to another machine or using a second server with a different locale renders the user database invalid.

The best solution would be to explicitly specify an encoding, e.g. UTF-8. But at this moment this may break existing configurations. Another solution is to add an additional parameter to each realm implementation and the command line utility, in which the administrator can specify the encoding. The default of this parameter must be "encode using the platform's default charset", in order to not break compatibility.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
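The following is an added example, not code from the bug report or from Tomcat's RealmBase. It reproduces the problem the reporter describes in plain Java: `String.getBytes()` with no argument picks up the JVM default charset, so the same password digests to different hex strings on a UTF-8 machine and on an ISO-8859-1 machine, and a user database copied between them stops verifying. It also shows the second remedy the reporter proposes, an explicit charset parameter (and, at verification time, a configurable list of charsets to try). The class name, method names, the SHA-256 choice and the sample password are assumptions made for this example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not Tomcat code): why the charset that turns a password
 * String into bytes must be pinned explicitly before the bytes are digested.
 */
public class DigestCharsetDemo {

    /** Hex-encode a digest, lower case, the usual storage form for realm digests. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /**
     * Fragile form, as described in the report: getBytes() with no argument uses
     * the JVM default charset, so the stored digest depends on the producing machine.
     */
    static String digestWithDefaultCharset(String password, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toHex(md.digest(password.getBytes()));
    }

    /** Robust form: the charset is an explicit parameter, so the digest is portable. */
    static String digestWithCharset(String password, String algorithm, Charset charset)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toHex(md.digest(password.getBytes(charset)));
    }

    /**
     * Verification side of the reporter's "administrator-configurable encoding" idea:
     * try each configured charset against the stored digest. The comparison uses
     * MessageDigest.isEqual so it does not leak where the two hex strings diverge.
     */
    static boolean verify(String candidate, String storedHex, String algorithm, Charset... charsets)
            throws NoSuchAlgorithmException {
        byte[] stored = storedHex.getBytes(StandardCharsets.US_ASCII);
        for (Charset cs : charsets) {
            byte[] computed = digestWithCharset(candidate, algorithm, cs)
                    .getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(computed, stored)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample (hypothetical): a password containing a-umlaut, which
        // is one byte in ISO-8859-1 and two bytes in UTF-8.
        String password = "p\u00e4ssw0rd";
        String algorithm = "SHA-256";
        Charset utf8 = StandardCharsets.UTF_8;
        Charset latin1 = StandardCharsets.ISO_8859_1;

        String utf8Hex = digestWithCharset(password, algorithm, utf8);
        String latin1Hex = digestWithCharset(password, algorithm, latin1);

        System.out.println("JVM default charset   : " + Charset.defaultCharset());
        System.out.println("default-charset digest: " + digestWithDefaultCharset(password, algorithm));
        System.out.println("UTF-8 digest          : " + utf8Hex);
        System.out.println("ISO-8859-1 digest     : " + latin1Hex);
        System.out.println("digests differ        : " + !utf8Hex.equals(latin1Hex));

        // A digest produced on a UTF-8 box fails on a Latin-1 box if the realm silently
        // uses the platform default; naming the charset (or a list) restores the match.
        System.out.println("verify, Latin-1 only  : " + verify(password, utf8Hex, algorithm, latin1));
        System.out.println("verify, UTF-8 + Latin-1: " + verify(password, utf8Hex, algorithm, utf8, latin1));
    }
}
```

Two practical notes. Passwords made only of ASCII characters produce identical bytes under every ASCII-compatible charset, so the breakage only surfaces once a user picks a non-ASCII password, which is exactly why it tends to go unnoticed until a migration. And the "default-charset digest" line is the one that changes from machine to machine: running the class with `-Dfile.encoding=ISO-8859-1` on an older JDK (before JDK 18, which made UTF-8 the default charset) shows it flipping to the Latin-1 value while the two explicit-charset lines stay fixed.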