tomcat-users mailing list archives

From "Richard Mixon (qwest)" <>
Subject RE: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
Date Sun, 27 Feb 2005 17:01:55 GMT

I am not sure if I understand, but perhaps you should take a look at Matt
Raible's Appfuse application framework at:

His solution uses:
 - SSL (optional of course, just a servlet parameter);
 - Container Managed Authentication;
 - a custom login servlet that encrypts the passwords (SHA is the
default, but algorithm can vary);
 - username and password stored in a database (the password is encrypted
using SHA).

The only exposure of the passwords might be in your web server "access"
logs. If that too is a concern, you could also take a look at trying to
do SHA encryption of the password on the client web browser using
Javascript - not sure if that's feasible or not. The login servlet would
then need to be adjusted appropriately (i.e. it would not need to do the
SHA encryption).

HTH - Richard

Edmon Begoli wrote:
> Hi,
> I am using Tomcat 5.5.7, and I am planning on upgrading as needed.
> As we all know Tomcat enables me to configure JDBC resources
> that my app can use through the JNDI. My problem is that these
> passwords have to be stored as plain text
> which is a very bitter pill in my environment.
> What is the Tomcat class that reads in those plain text values?
> I would like to override this behavior and to enable this class to
> read digests/encrypted passwords.
> I would also contribute this code to Tomcat code base if desired.
> Please advise,
> Edmon
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

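The digest-and-compare step that the reply attributes to the Appfuse login servlet, shown as an added example for this archive page (it is not Appfuse's, Tomcat's or either poster's code): the submitted password is digested with a configurable algorithm ("SHA" by default, as the reply says) and the hex digest is compared with the one stored for the user, so the user table never holds the plain-text password. The DigestLoginCheck class, the user map and the sample credentials are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper: digest-based password verification as a login servlet would do it. */
public class DigestLoginCheck {

    /** Hex-encode the digest of a password under the configured algorithm ("SHA" by default). */
    public static String digestHex(String algorithm, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Compare the digest of a submitted password with the digest stored for the user. */
    public static boolean verify(String algorithm, String storedHex, String submittedPassword)
            throws NoSuchAlgorithmException {
        byte[] expected = storedHex.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = digestHex(algorithm, submittedPassword).getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time, so the comparison does not leak
        // how many leading bytes of the digest matched.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample of the user table: username -> stored digest, no plain-text password.
        Map<String, String> userTable = new HashMap<>();
        userTable.put("alice", digestHex("SHA", "correct horse"));

        System.out.println("right password: " + verify("SHA", userTable.get("alice"), "correct horse"));
        System.out.println("wrong password: " + verify("SHA", userTable.get("alice"), "wrong guess"));
    }
}
```

If the browser is changed to send the digest instead of the password, as the reply floats, the value the server compares against is then also the value a reader of the access log would obtain, so the stored digest becomes the credential to protect and the server-side check gains nothing from the move.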