tomcat-users mailing list archives

From "Richard Mixon (qwest)" <rnmi...@qwest.net>
Subject RE: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
Date Sun, 27 Feb 2005 17:01:55 GMT
Edmon,

I am not sure if I understand, but perhaps you should take a look at Matt
Raible's Appfuse application framework at: https://appfuse.dev.java.net/

His solution uses:
 - SSL (optional of course, just a servlet parameter);
 - Container Managed Authentication;
 - a custom login servlet that encrypts the passwords (SHA is the
default, but algorithm can vary);
 - username and password stored in a database (the password is encrypted
using SHA).

The only exposure of the passwords might be in your web server "access"
logs. If that too is a concern, you could also take a look at trying to
do SHA encryption of the password on the client web browser using
JavaScript - not sure if that's feasible or not. The login servlet would
then need to be adjusted appropriately (i.e. it would not need to do the
SHA encryption).

HTH - Richard

Edmon Begoli wrote:
> Hi,
>
> I am using Tomcat 5.5.7, and I am planning on upgrading as needed.
>
> As we all know, Tomcat enables me to configure JDBC resources
> that my app can use through the JNDI. My problem is that these
> passwords have to be stored as plain text,
> which is a very bitter pill in my environment.
>
> What is the Tomcat class that reads in those plain text values?
>
> I would like to override this behavior and to enable this class to
> read digests/encrypted passwords.
> I would also contribute this code to Tomcat code base if desired.
>
> Please advise,
> Edmon
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
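
The digest-and-compare step of a login servlet like the one described in the reply above, as an added example; it is not code from this thread or from AppFuse. The class name, method names and the `clientHashed` flag are hypothetical, and the sample password is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class DigestLoginCheck {

    // Hex-encode the digest of a password. The algorithm name is configurable;
    // "SHA" is the JCA alias for SHA-1. This is a plain digest as the message
    // describes: no salt and no work factor are applied.
    static String digestHex(String password, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Compare two hex digests without an early exit on the first mismatch.
    static boolean sameDigest(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    // clientHashed == false: the servlet digests the submitted password itself.
    // clientHashed == true:  the browser already sent the hex digest, so the
    // servlet compares it as-is. In that mode the digest is the value that
    // authenticates, so a captured digest logs in just like a password would.
    static boolean verify(String submitted, String storedHex,
                          String algorithm, boolean clientHashed)
            throws NoSuchAlgorithmException {
        String candidate = clientHashed
                ? submitted.toLowerCase(Locale.ROOT)
                : digestHex(submitted, algorithm);
        return sameDigest(candidate, storedHex);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the value a user table would hold for this password.
        String stored = digestHex("correct horse", "SHA");
        System.out.println("server-side, right password: " + verify("correct horse", stored, "SHA", false));
        System.out.println("server-side, wrong password: " + verify("wrong", stored, "SHA", false));
        System.out.println("client-hashed, digest sent:  " + verify(stored, stored, "SHA", true));
    }
}
```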

