tomcat-dev mailing list archives

From "Gabriel E. Sánchez Martínez" <>
Subject support for salted passwords
Date Sun, 02 Feb 2014 07:23:35 GMT
Hi developers,

I am very new to Tomcat but am already getting my feet wet with a web 
application.  A requirement for this application is form-based password 
authentication, and I would like to store passwords in a database using 
salted SHA-512 digests, recognizing that this is not state-of-the-art 
password protection, but it is a more secure method than unsalted 
digests in the event that the password table is compromised.

I saw that Tomcat doesn't support this out of the box, so I am wondering 
if there is any interest in changing that.  I wrote a custom Realm by 
extending DataSourceRealm and overriding the few necessary methods.  
This realm, which I've called SaltedDataSourceRealm, reads three 
database columns (username, salt, password).  It doesn't assume a 
fixed-length salt, and it works with any supported digest algorithm.  
It took me quite a while to figure everything out because the 
documentation I found online isn't clear enough to a beginner, and some 
forum posts refer to very old versions of Tomcat.  I would be willing to 
contribute an example of how to implement this custom realm to the 
Tomcat documentation if there is interest.

Anyway, I tested the custom realm and it seems to be working as 
intended.  I went ahead and checked out the Tomcat 8 code and wrote the 
class where it would go, and I am attaching the java file of that class 
in case there is interest in considering an implementation like it in 
future versions of Tomcat.  (I've hard-coded the length of the salt, but 
that should be changed to make it an argument of the XML file.)

After working a bit with the realms code I get the impression that it 
could be cleaned up a bit.  I think it would be good to move several 
methods away from RealmBase so that no code there implements any 
specific authentication logic or makes assumptions about 
authentication.  And I think it would be good for users to have the 
option of using salts with the other password-based realms too.  I'm not 
sure that I have the experience required to do those changes, and I 
certainly won't work on it without first hearing back from you.

This is my first message to the Tomcat developer community.  All your 
comments will be appreciated.
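The verification flow the message describes (read salt and digest for the user, recompute, compare), as an added illustration that is not the SaltedDataSourceRealm attached to the original message. It stands in a dict for the three-column table and a DataSource, and assumes the digest is H(salt || password) with the salt stored as hex; that concatenation order is an assumption, not something the message specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the (username, salt, password) table:
# username -> (salt_hex, digest_hex).
CREDENTIALS: Dict[str, Tuple[str, str]] = {}


def salted_digest(algorithm: str, salt: bytes, password: str) -> str:
    """Hex digest of salt || password (assumed order) for any hashlib algorithm.

    The salt may be any length; nothing here assumes a fixed size.
    """
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported digest algorithm: " + algorithm)
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def store_password(username: str, password: str, algorithm: str = "sha512",
                   salt_len: int = 16) -> None:
    """Generate a fresh random salt per user and record (salt, digest).

    salt_len plays the role of the salt length the message says should
    become a realm attribute instead of a hard-coded value.
    """
    salt = os.urandom(salt_len)
    CREDENTIALS[username] = (salt.hex(), salted_digest(algorithm, salt, password))


def authenticate(username: str, password: str,
                 algorithm: str = "sha512") -> Optional[str]:
    """Return the principal name on success, None otherwise.

    Mirrors the realm flow: look up salt and stored digest for the user,
    recompute the digest from the supplied password, compare in constant
    time so a mismatch leaks nothing about where the digests diverge.
    """
    row = CREDENTIALS.get(username)
    if row is None:
        return None
    salt_hex, stored = row
    candidate = salted_digest(algorithm, bytes.fromhex(salt_hex), password)
    return username if hmac.compare_digest(candidate, stored) else None
```

Two users sharing a password get different stored digests, which is the property an unsalted digest table lacks.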
