tomcat-users mailing list archives

From "Gardner, David [IT]" <David.Gard...@citigroup.com>
Subject RE: JDBC Realm
Date Tue, 28 Oct 2003 23:37:42 GMT
Hello,

Please let me explain a little more. It is the password that the JDBC realm
uses to connect to the database that should be encrypted. For example,
connectionPassword="foobar" should look something like
connectionPassword="3dc69416b0783cac9f3dda37b6bb0862". I have been able to
deal with user passwords fine using MD5. We have a policy of no developer
access to production and staging environments. Thus any passwords in
configuration files such as the server.xml require encryption. However, I
have since created a solution.

I have created my own class that extends
org.apache.catalina.realm.RealmBase. It works in a similar way to the tomcat
JDBCRealm. I made it available in the tomcat server classpath under
server/lib. I have configured server.xml like..

           <Realm className="com.foo.bar.MyJDBCRealm" debug="99"
                  connectionName="FooBar"
                  userTable="User" userNameCol="userName" userCredCol="password"
                  userRoleTable="UserRole" roleNameCol="roleName" digest="MD5"/>

The connectionName="FooBar" uses a JDBC connection pool I have written that
supports password encryption. Hence I no longer have clear text passwords in
my config file server.xml.

In fact, maybe this raises the point that it appears all passwords in
config files for tomcat are clear text. For example, looking at the doco
for JNDI data sources, the configs for JDBC connection pooling using DBCP
also have clear text passwords. See ..

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jndi-datasource-examples-howto.html
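An added example, not the poster's MyJDBCRealm and not Tomcat's own JDBCRealm, of the approach described above: a RealmBase subclass that takes the database password from a file outside server.xml instead of a connectionPassword attribute. It also shows the caveat behind the thread: the database needs the real password at connect time, so unlike user credentials it cannot be stored as an MD5 digest, and what a realm can change is only where that secret lives. It assumes the Tomcat 4.x/5.x RealmBase and GenericPrincipal APIs, a Java 7+ compiler, a hypothetical passwordFile attribute, and a plain DriverManager connection in place of the poster's custom pool.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.Principal;
import java.sql.*;
import java.util.*;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Keeps the database password out of server.xml. The database needs the real password
 *  at connect time, so unlike user credentials it cannot be stored as an MD5 digest;
 *  instead it is read from a file that only the Tomcat service account can read. */
public class FileSecretJDBCRealm extends RealmBase {
    private String connectionURL, connectionName, passwordFile;
    private String userTable, userNameCol, userCredCol, userRoleTable, roleNameCol;
    // Tomcat's Digester maps each <Realm> attribute onto the matching setter.
    public void setConnectionURL(String v) { connectionURL = v; }
    public void setConnectionName(String v) { connectionName = v; }
    public void setPasswordFile(String v) { passwordFile = v; }  // assumed new attribute
    public void setUserTable(String v) { userTable = v; }
    public void setUserNameCol(String v) { userNameCol = v; }
    public void setUserCredCol(String v) { userCredCol = v; }
    public void setUserRoleTable(String v) { userRoleTable = v; }
    public void setRoleNameCol(String v) { roleNameCol = v; }
    protected String getName() { return "FileSecretJDBCRealm"; }
    private Connection open() throws SQLException, IOException {
        // First line of the secret file is the password; trim() makes a trailing newline harmless.
        String password = Files.readAllLines(Paths.get(passwordFile)).get(0).trim();
        return DriverManager.getConnection(connectionURL, connectionName, password);
    }

    /** Stored digest for the user; with digest="MD5" RealmBase.authenticate() digests the submitted
     *  password and compares. Table and column names come from server.xml (admin controlled);
     *  the username is always a bound parameter, never concatenated into the SQL. */
    protected String getPassword(String username) {
        String sql = "SELECT " + userCredCol + " FROM " + userTable + " WHERE " + userNameCol + " = ?";
        try (Connection c = open(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) { return rs.next() ? rs.getString(1) : null; }
        } catch (SQLException | IOException e) { return null; }  // unknown user or DB failure: deny
    }

    protected Principal getPrincipal(String username) {
        String sql = "SELECT " + roleNameCol + " FROM " + userRoleTable + " WHERE " + userNameCol + " = ?";
        List<String> roles = new ArrayList<>();
        try (Connection c = open(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) { while (rs.next()) roles.add(rs.getString(1)); }
        } catch (SQLException | IOException e) { return null; }
        return new GenericPrincipal(this, username, null, roles);  // Tomcat 4.x/5.x constructor (assumed)
    }
}
```

The secret file should be owned by and readable only by the account Tomcat runs as, so developers without production access cannot read it even when they can read server.xml.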


-----Original Message-----
From: Andoni [mailto:andoni@indigo.ie]
Sent: Wednesday, 29 October 2003 1:28 AM
To: Tomcat Users List
Subject: Re: JDBC Realm 


Can you please explain this a little better.

You have in your database a list of all your users' passwords encrypted
using MD5.  Do you also have a clear text copy of them?  Then you want to
encrypt this clear text copy for use in your configuration files?

If you don't already have a cleartext copy of the passwords you are going to
have to get your users to submit them as your MD5 version is useless.  You
could amend your application to read the password, store it in the clear,
then compare it using MD5.  Then as they all log in they will have given you
a copy of their password.

Andoni.

----- Original Message -----
From: "Gardner, David [IT]" <David.Gardner@citigroup.com>
To: <tomcat-user@jakarta.apache.org>
Sent: Tuesday, October 28, 2003 3:15 AM
Subject: JDBC Realm


> I have a JDBC Realm configured against a Sybase database and it works
> fine. See below; I have changed the details for obvious security reasons.
>
>            <Realm className="org.apache.catalina.realm.JDBCRealm"
>                   debug="99"
>                   driverName="com.sybase.jdbc2.jdbc.SybDriver"
>                   connectionURL="jdbc:sybase:Tds:foo.au.bar.com:666/foo_bar"
>                   connectionName="foobar" connectionPassword="foobar"
>                   userTable="User" userNameCol="userName" userCredCol="password"
>                   userRoleTable="UserRole" roleNameCol="roleName"
>                   digest="MD5"/>
>
> I also have the user passwords encrypted using MD5 and this works fine.
> However we have a need to have all clear text passwords encrypted in
> configuration files. I need this realm to work with the connectionPassword
> value foobar encrypted. Does anyone know if this has been done and is
> there a patch of some sort available?
>
> David Gardner
> Software Developer
> Cititech
> Level 11, 2 Park Street
> Sydney NSW Australia 2000
>
> Phone: (+612) 8225 4803
> Fax: (+612) 8225
> Email: david.gardner@citigroup.com


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
