tomcat-dev mailing list archives

From "Salek Talangi" <sa...@gmx.ch>
Subject Tomcat + j_security_check (JDBCRealm) + salt / jBCrypt
Date Mon, 20 Aug 2012 19:31:38 GMT

Hi all,

I just started using Tomcat+j_security_check (JDBCRealm) for Form-based Webapp-Login.
I read [1] that only a few standard (MD5, SHA-1, MD2?) java.security.MessageDigest methods
are supported, which isn't enough in times of (still) weak passwords and GPU brute force attacks
on DB-dumps.

What I'd like to know is if it is planned to do either of the following in the near future:

I) Adding an optional "salt" column that is used by j_security_check and adding support for
SHA-2 (SHA-256, SHA-512)?
II) Integrating a pluggable digest system which allows the use of jBCrypt [2]

At least the salt-part of "I" should be very easy to implement, most likely in org.apache.catalina.authenticator.FormAuthenticator?

[1] http://stackoverflow.com/questions/9881131/using-md5-and-salt-with-j-security-check
[2] http://www.mindrot.org/projects/jBCrypt/

Thanks,
Salek
-- 
Salek Talangi
Fürstenfelder Straße 9
80331 München
http://tinyurl.com/VisitSalek (google maps)

Mobil:  +49 (0) 179 74 80 365
Tel:    +49 (0) 89 121 384 79
Fax:    +49 (0) 3212 10 14 806
E-Mail: salek@gmx.ch
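
The following is an added example, not part of the original message and not Tomcat code: it sketches option I from the post using only the JDK, next to the unsalted digest the post describes. The class name, the salt-then-password layout, the 16-byte salt and the sample password are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class SaltedDigestDemo {
    // Unsalted digest, the scheme the post describes as the only one supported.
    static byte[] unsalted(String algorithm, String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm).digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Option I from the post: digest over a per-user salt followed by the password.
    static byte[] salted(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Value for the hypothetical "salt" column, generated once per user.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Login check: recompute with the stored salt, compare without early exit.
    static boolean verify(byte[] storedSalt, byte[] storedDigest, String candidate)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(storedDigest, salted(storedSalt, candidate));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String shared = "Summer2012"; // constructed sample password used by two users

        // Unsalted: both rows in a dump carry the same digest, so one guess cracks both.
        System.out.println("unsalted MD5 equal:   "
                + MessageDigest.isEqual(unsalted("MD5", shared), unsalted("MD5", shared)));

        // Salted: same password, different rows; precomputed tables no longer apply.
        byte[] saltA = newSalt(), saltB = newSalt();
        byte[] rowA = salted(saltA, shared), rowB = salted(saltB, shared);
        System.out.println("salted SHA-256 equal: " + MessageDigest.isEqual(rowA, rowB));

        System.out.println("correct password:     " + verify(saltA, rowA, shared));
        System.out.println("wrong password:       " + verify(saltA, rowA, "summer2012"));
        System.out.println("wrong salt:           " + verify(saltB, rowA, shared));
    }
}
```

A single salted SHA-256 round is still cheap to compute per guess, which is the gap option II addresses with bcrypt's adjustable work factor.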

