tomcat-users mailing list archives

From Andoni List <andonil...@eurokom.ie>
Subject Re: Tomcat Realm--> password encryption & servlet location in a webApp
Date Thu, 05 Aug 2004 16:49:26 GMT
Encryption:

There is only one way to encrypt passwords if you are not using SSL.  That
is to use Paj's JavaScript module, available here:
http://pajhome.org.uk/crypt/md5/
Although the Tomcat Realm does have an MD5 flag which you can set to encrypt
the passwords being sent to it, this is too late, as the passwords have
already been sent in the clear over the internet to your server.  The only
use for this is when you are accessing a server on which the passwords are
stored in MD5 encrypted format and you don't care about the network.
You may also be told that you can use a Digest login instead of a Form login
or Basic login, but again you have a problem: Digest logins are only
available in IE, so if you know all your users are definitely only using IE
then go ahead; it will be doing the same job as the JavaScript, i.e.
encrypting before sending down the wire.
In order to encrypt the passwords in the first place you can use Java 1.4's
java.security.* package, or you can use Catalina's
org.apache.catalina.realm.RealmBase, which can be used at the command line
thus:

C:\>java -classpath %CATALINA_HOME%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a MD5 mypassword

or you can use the JavaScript.  If you have the passwords in an Oracle
database you can also use the Oracle function DBMS_OBFUSCATION_TOOLKIT.MD5()
by writing an Oracle function something like this:

CREATE OR REPLACE FUNCTION get_md5 (plaintext IN VARCHAR2)
RETURN VARCHAR2 IS
  test VARCHAR2(32);  -- 32 hex characters, the form Tomcat stores and compares
BEGIN
  -- MD5() on a RAW returns the 16 raw digest bytes; RAWTOHEX and LOWER turn
  -- them into the lowercase hex string that RealmBase's digest produces.
  test := LOWER(RAWTOHEX(DBMS_OBFUSCATION_TOOLKIT.MD5(
              input => UTL_RAW.CAST_TO_RAW(plaintext))));
  RETURN test;
END get_md5;
/

Note: using a function like this you can create a view of the passwords
table in your database, which would mean that though your passwords appear
hashed to Tomcat, they are actually still visible to you!

The servlet invoker /servlet/*
If you are adding the servlets to your web.xml file then you do not need to
use the servlet invoker anywhere and hence do not need to call it using
/servlet/.
Whether or not you add the servlets to the same package is a programming
decision which has to do with what the servlets do and whether they do the
same thing as the other classes in that package.  This has no bearing on the
administrative decisions of how to keep the server secure.

Hope that all helps.

Andoni.

----- Original Message ----- 
From: "Ben Bookey" <ben.bookey@gistec-online.de>
To: "Tomcat User List" <tomcat-user@jakarta.apache.org>
Sent: Thursday, August 05, 2004 9:02 AM
Subject: Tomcat Realm--> password encryption & servlet location in a webApp


> Dear list,
>
> 2 questions
>
> 1) I think I remember reading somewhere that there was a .bat batch file
> which we could run
> on production machines, so that passwords are encrypted. Can anyone
> enlighten?
>
> 2) What's the best configuration mechanism for my servlets? I think it's
> better to add
> the servlets to my com.mycompany.myapp package (or?), BUT, is it a
> security
> flaw when
> I set in my app, the <url-pattern> beginning with /servlet/* (see below
> example). I again have read that the
> servlet url-pattern should not begin with /servlet
>
>  <servlet-mapping>
>     <servlet-name>servletName</servlet-name>
>     <url-pattern>/servlet/servletName</url-pattern>
>   </servlet-mapping>
>
> regards.
>
> Ben
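Editor's note, added to the archived thread: the Java below is an illustration written for this page, not code from either poster or from Tomcat itself. It reproduces what "java org.apache.catalina.realm.RealmBase -a MD5 mypassword" prints (Tomcat 4.1 and 5.x also ship bin/digest.bat and digest.sh, which wrap that class) and what a Tomcat 4/5 realm then does at login: digest the presented password, render the bytes as lowercase hex, and compare with the stored column. Assumptions: the charset is fixed to UTF-8 here for reproducible output (RealmBase of that era used the platform default), and the class and method names (RealmDigestDemo, digest, authenticate) are this example's own. It also shows two caveats the thread leaves implicit: the digest is unsalted, so identical passwords give identical stored values, and if the browser hashes before sending, the hash on the wire is itself the credential the realm accepts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Reproduces the digest format a Tomcat 4/5 Realm stores and compares:
 * the raw MessageDigest output rendered as lowercase hex, with no salt.
 * Class and method names are this example's own (assumption).
 */
public final class RealmDigestDemo {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Lowercase hex, the encoding RealmBase.digest() emits. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        }
        return sb.toString();
    }

    /**
     * Equivalent of "java org.apache.catalina.realm.RealmBase -a MD5 pw".
     * Charset is an assumption: RealmBase of that era used the platform
     * default; UTF-8 is fixed here so results are reproducible.
     */
    static String digest(String credentials, String algorithm) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            return toHex(md.digest(credentials.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Unsupported digest: " + algorithm, e);
        }
    }

    /**
     * What the realm does at login: digest the presented credentials and
     * compare with the stored column. MessageDigest.isEqual is used so the
     * comparison does not leak timing on where the strings first differ.
     */
    static boolean authenticate(String presented, String stored, String algorithm) {
        byte[] a = digest(presented, algorithm).getBytes(StandardCharsets.US_ASCII);
        byte[] b = stored.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Value you would paste into tomcat-users.xml or the JDBCRealm table
        String stored = digest("mypassword", "MD5");
        System.out.println("stored digest for 'mypassword': " + stored);

        // Normal login, then a wrong (case-changed) password
        System.out.println("right password accepted: " + authenticate("mypassword", stored, "MD5"));
        System.out.println("wrong password accepted: " + authenticate("Mypassword", stored, "MD5"));

        // Caveat 1: no salt, so a second user with the same password stores
        // the same digest, and a leaked table is one dictionary run away.
        String otherUser = digest("mypassword", "MD5");
        System.out.println("two users, same digest: " + otherUser.equals(stored));

        // Caveat 2: if the client hashes before sending (Paj's JavaScript)
        // and the server compares that hash directly, the hash is the
        // credential: whoever captures it on the wire can replay it.
        String sniffedFromWire = stored;
        boolean replayAccepted = MessageDigest.isEqual(
                sniffedFromWire.getBytes(StandardCharsets.US_ASCII),
                stored.getBytes(StandardCharsets.US_ASCII));
        System.out.println("replayed hash accepted: " + replayAccepted);
    }
}
```

Compile and run with "javac RealmDigestDemo.java && java RealmDigestDemo". The first line of output is what the RealmBase command line prints for the same password (given the same charset), so the function can be used to check that the Oracle get_md5 above, or any other generator, produces values Tomcat will actually match.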

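Editor's note on the second question, as an added illustration rather than either poster's configuration: the reason "/servlet/*" has a bad name is the global invoker servlet in $CATALINA_HOME/conf/web.xml, which, when enabled, serves any servlet class reachable on the classpath under that prefix by class name, whether or not the application mapped it. Tomcat 5 ships that block commented out, and the check is simply that it stays so. An explicit mapping inside the application's own WEB-INF/web.xml, as in Ben's snippet, does not enable the invoker, so the prefix itself is harmless; the servlet and class names below (servletName, com.mycompany.myapp.ServletName) are Ben's placeholders, and the role name "user" is this example's assumption.

```xml
<!-- 1. Global $CATALINA_HOME/conf/web.xml: the invoker as Tomcat ships it,
        inside a comment. Leave it commented out; with it enabled, a request
        to /servlet/com.mycompany.myapp.AnyClass runs that class directly. -->
<!--
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
-->

<!-- 2. Application WEB-INF/web.xml: explicit declaration and mapping.
        Only this one class is reachable, so the /servlet/ prefix is just a
        path; the invoker is not involved. -->
<servlet>
    <servlet-name>servletName</servlet-name>
    <servlet-class>com.mycompany.myapp.ServletName</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>servletName</servlet-name>
    <url-pattern>/servlet/servletName</url-pattern>
</servlet-mapping>

<!-- 3. The constraint that goes with the realm discussion above: whatever
        the prefix, protect it explicitly so the realm is consulted. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application servlets</web-resource-name>
        <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
```

A quick audit on a production box is to grep conf/web.xml for InvokerServlet and confirm every hit sits inside a comment.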

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

