tomcat-dev mailing list archives

From "Gabriel E. Sánchez Martínez" <gabrielesanc...@gmail.com>
Subject support for salted passwords
Date Sun, 02 Feb 2014 07:23:35 GMT
Hi developers,

I am very new to Tomcat but am already getting my feet wet with a web 
application.  A requirement for this application is form-based password 
authentication, and I would like to store passwords in a database using 
salted SHA-512 digests, recognizing that this is not state-of-the-art 
password protection, but it is a more secure method than unsalted 
digests in the event that the password table is compromised.

I saw that Tomcat doesn't support this out of the box, so I am wondering 
if there is any interest in changing that.  I wrote a custom Realm by 
extending DataSourceRealm and overriding the few necessary methods.  
This realm, which I've called SaltedDataSourceRealm, reads three 
database columns (username, salt, password).  It doesn't assume a 
fixed-length salt, and it works with any supported digest algorithm.  
It took me quite a while to figure everything out because the 
documentation I found online isn't clear enough to a beginner, and some 
forum posts refer to very old versions of Tomcat.  I would be willing to 
contribute an example of how to implement this custom realm to the 
Tomcat documentation if there is interest.

Anyway, I tested the custom realm and it seems to be working as 
intended.  I went ahead and checked out the Tomcat 8 code and wrote the 
class where it would go, and I am attaching the java file of that class 
in case there is interest in considering an implementation like it in 
future versions of Tomcat.  (I've hard-coded the length of the salt, but 
that should be changed to make it an argument of the XML file.)

After working a bit with the realms code I get the impression that it 
could be cleaned up a bit.  I think it would be good to move several 
methods away from RealmBase so that no code there implements any 
specific authentication logic or makes assumptions about 
authentication.  And I think it would be good for users to have the 
option of using salts with the other password-based realms too.  I'm not 
sure that I have the experience required to do those changes, and I 
certainly won't work on it without first hearing back from you.

This is my first message to the Tomcat developer community.  All your 
comments will be appreciated.

Regards,
Gabriel
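
The salted-digest verification a realm like the one described needs, as an added standalone example (not Gabriel's attached class, and not Tomcat code; the wiring into DataSourceRealm is not shown). It assumes the salt column holds the salt as lowercase hex, that the stored value is the hex digest of salt bytes followed by the UTF-8 password bytes, and that the salt length is a parameter rather than a fixed constant.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Hypothetical helper: salted digest creation and verification for a three-column (username, salt, password) table. */
public final class SaltedDigestVerifier {
    private static final SecureRandom RNG = new SecureRandom();

    /** Fresh random salt; length is a parameter, so the stored salt need not be fixed-length. */
    public static byte[] newSalt(int length) {
        byte[] salt = new byte[length];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Hex of digest(salt || password) using the named JCA algorithm, e.g. "SHA-512". */
    public static String digest(String algorithm, byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return toHex(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unsupported digest: " + algorithm, e);
        }
    }

    /** Recompute the digest from the stored salt and compare without an early exit on the first mismatching byte. */
    public static boolean matches(String algorithm, String saltHex, String storedDigestHex, String password) {
        String candidate = digest(algorithm, fromHex(saltHex), password);
        return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.UTF_8),
                                     storedDigestHex.toLowerCase().getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        byte[] salt = newSalt(16);                                        // constructed sample salt
        String stored = digest("SHA-512", salt, "correct horse");         // value the password column would hold
        System.out.println(matches("SHA-512", toHex(salt), stored, "correct horse"));
        System.out.println(matches("SHA-512", toHex(salt), stored, "wrong password"));
    }
}
```

The same two helpers also cover the enrolment path: generate a salt, store its hex and the digest, and never store the password itself.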
