tomcat-users mailing list archives

From Jeff Sexton <jsex...@odshp.com>
Subject RE: Alternate password encryption code?
Date Wed, 04 Jun 2003 15:52:05 GMT

Nice!  Thanks!


Jeff Sexton
The ODS Companies
jsexton@odshp.com


On Tue, 3 Jun 2003, Extance, Paul wrote:
> We've already done this as part of the Jaffa (jaffa.sourceforge.net) open
> source project. For more details see...
>
> The Source Code @
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/org/jaffa/tomcat/realm/JDBCEncryptionRealm.java?rev=HEAD&content-type=text/vnd.viewcvs-markup
>
> The Jaffa Site @ http://jaffa.sf.net
>
> The JAR, if you want the easy way... is attached!
>
> This has been tested with most tomcat releases from 3.3a up to 4.1.24 and
> works. It supports two types of encryption signatures
>
> String xxx(String password) and
> String xxx(String password, String Userid) in case you want to use their
> user id as part of the key for the encryption
>
> You provide the class name and the method name in server.xml, and it looks
> for either method 1 or 2 and uses that to encrypt the password, before
> comparing it with the one in the database. It does not try to decrypt the
> database password, so a one way encryption algorithm can be supported.
>
> This Realm also allows you some other features like extending the where
> clause for the retrieve on user records, and the select for how to read the
> roles (in case you don't want to create additional views!)
>
> An example of how it can be used in server.xml is...
>
> <Realm
>     className          = "org.jaffa.tomcat.realm.JDBCEncryptionRealm"
>     debug              = "0"
>     driverName         = "oracle.jdbc.driver.OracleDriver"
>     connectionURL      = "jdbc:oracle:thin:@myhost.mydomain.com:1521:mydb"
>     connectionName     = "mydbuser"
>     connectionPassword = "mydbpass"
>     userTable          = "users"
>     userNameCol        = "user_id"
>     userCredCol        = "password"
>     userClause         = "password is not null and user_status='Active'"
>     userRoleTable      = "user_roles"
>     roleNameCol        = "role_name"
>     encryptionClass    = "com.mycompany.services.Encryption"
>     encryptionMethod   = "encrypt"
> />
>
> Just make sure you put the attached JAR, and your JAR in the /server/lib
> directory, and put the database driver JAR(s) in the same place or in
> /common/lib
>
> Hope this helps...
>
> Paul Extance
>
> -----Original Message-----
> From: Phil Steitz [mailto:phil@steitz.com]
> Sent: Saturday, May 31, 2003 9:25 AM
> To: Tomcat Users List
> Subject: Re: Alternate password encryption code?
>
> Jeff Sexton wrote:
> > On Thu, 29 May 2003, Raible, Matt wrote:
> >
> >>Why don't you just have the JDBCRealm do it - add digest="SHA".
> >
> >
> > I need something other than SHA, I need to use my own custom code for an
> > encryption method of my own that is not provided by JDBCRealm
> >
> >
> >>To programmatically do it using form-based authentication, I've used a
> >>LoginServlet that's mapped to "auth" in my login.jsp's form.  In this
> >>servlet, I encrypt the password and redirect to "j_security_check" - is that
> >>what you're looking for?
> >
> >
> > Maybe.  I'll do some reading about form-based authentication.  I'm not
> > sure.
> >
> > I'm after this because I already have set up a JDBCRealm based system,
> > with BASIC authentication, and SHA, under Tomcat for both servlets and
> > cocoon stuff.  Now I want to tie this together with another application
> > that encrypts passwords differently from any method available in JDBCRealm.
> >
> > I have the code for the encryption.  If I could simply drop this code into
> > the user validation JDBCRealm does for me in Tomcat, it'd be great because
> > the security would all work and I wouldn't have to create any
> > user/password management pages of my own.
>
> Based on the documentation here
>
> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords
>
> and a quick look at the sources here
>
> http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain
>
> it does not look to me like you are going to be able to do this without
> hacking the JDBC Realm implementation.  The tomcat JDBC Realm
> implementation supports digested (*not* encrypted) passwords using
> java.security.MessageDigest to do the hashing.  This means that the
> hashing must be performed using one of the standard algorithms specified
> here
> http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA
>
> You are probably best off going with one of the approaches that Matt has
> outlined if you want to serve login pages from the tomcat nodes.
>
>
> Phil
>
>
>
> >
> > If I can do this, I can tie Tomcat authentication to the password system
> > my company has on other systems.
> >
> > Any tips are helpful!  I'm a little lost with this.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
>
>
>
>




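The realm behaviour Paul describes above (a class and method named in server.xml, resolved to either the one- or two-argument signature, and the transformed login password compared against the stored value without ever decrypting it) is easier to follow in code. The following is an added example written for this archive page, not the Jaffa JDBCEncryptionRealm's own source; it assumes the configured method is public and returns String, and the SampleEncryption class, the user id "jsexton" and the passwords are constructed for the demo.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
/** Stand-in for the realm's lookup of the encryptionClass/encryptionMethod named in server.xml. */
public class EncryptionMethodLookup {
    /** Constructed sample class; the thread's com.mycompany.services.Encryption is not shown on the page. */
    public static class SampleEncryption {
        /** One-way SHA-1 hex digest that mixes in the user id, i.e. the two-argument signature form. */
        public static String encrypt(String password, String userId) throws Exception {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest((userId + ":" + password).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        }
    }
    /** Prefer xxx(String, String), fall back to xxx(String); reject a method that does not return String. */
    static String encryptWith(String className, String methodName, String password, String userId)
            throws Exception {
        Class<?> cls = Class.forName(className);
        Method m; Object[] args;
        try {
            m = cls.getMethod(methodName, String.class, String.class);
            args = new Object[] {password, userId};
        } catch (NoSuchMethodException noTwoArgForm) {
            m = cls.getMethod(methodName, String.class);
            args = new Object[] {password};
        }
        if (m.getReturnType() != String.class) throw new NoSuchMethodException(methodName + " must return String");
        // A static method needs no instance; otherwise create one via the public no-arg constructor.
        Object target = Modifier.isStatic(m.getModifiers()) ? null : cls.getDeclaredConstructor().newInstance();
        return (String) m.invoke(target, args);
    }
    /** Transform the presented password and compare with the stored value; the stored value is never decrypted. */
    static boolean credentialsMatch(String className, String methodName, String userId,
                                    String presented, String stored) throws Exception {
        byte[] a = encryptWith(className, methodName, presented, userId).getBytes(StandardCharsets.UTF_8);
        byte[] b = stored.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b); // no content-dependent early exit during the comparison
    }
    public static void main(String[] args) throws Exception {
        String cls = "EncryptionMethodLookup$SampleEncryption"; // binary name of the nested class
        String stored = SampleEncryption.encrypt("s3cret", "jsexton"); // what the users.password column would hold
        System.out.println(credentialsMatch(cls, "encrypt", "jsexton", "s3cret", stored));
        System.out.println(credentialsMatch(cls, "encrypt", "jsexton", "wrong", stored));
    }
}
```

Because the class named in server.xml is loaded and invoked by name, that configuration file and the /server/lib directory it points at need the same write protection as the database credentials beside them.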