tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From se...@gmx.ch
Subject Re: User-password from the HttpServletRequest
Date Thu, 03 May 2007 17:45:58 GMT
I saw, that I can get the password via the Principle: The Tomcat server has his own implementation
of Principle: GenericPrinciple which holds all the stuff (pw, roles, etc).

I know the problem with the changing of password, but thats not the main probelm now ;-)

Does somebody know a good encryption/decryption algorithm wich works only with a password
(String)?


-------- Original-Nachricht --------
Datum: Wed, 02 May 2007 16:54:22 -0400
Von: Christopher Schultz <chris@christopherschultz.net>
An: Tomcat Users List <users@tomcat.apache.org>
Betreff: Re: User-password from the HttpServletRequest

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sam,
> 
> sebbo@gmx.ch wrote:
> > I'm using the password of the [authentication] to encrypt and decrypt
> > some data to a database user specific (each users own data has the
> > users password).
> 
> Uh... are you sure this is a good idea? If the user changes his or her
> password, do you re-encrypt all of their data? This doesn't seem like a
> very efficient way to store encrypted information.
> 
> My advice: randomly generate an encryption key when the account is
> created (or afterward for existing users) and encrypt /that/ with the
> user's password. Then, when the user's password is changed, you only
> have to re-encrypt the encryption/decryption key itself, instead of
> every piece of information in there.
> 
> > To get to the password must be possibly, not?
> 
> The servlet API provides no way to get the user's password. You'll have
> to do this yourself. If you need the password all the time, you could
> store it in the session during login and you'd have it available
> whenever you want.
> 
> If you use my suggestion from above, you could use the login password to
> decrypt the general encryption/decryption key and then store that in the
> session, which might be more convenient (or safer?) than storing the
> user's actual password in the session.
> 
> On second thought, the encryption key is more sensitive (at least, as
> far as your application goes) than the user's password, so perhaps the
> user's password in the session is better "just in case".
> 
> - -chris
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFGOPp+9CaO5/Lv0PARAmcWAJ4t20OJWt1cm7ypLLLRm6mUtIAOZwCfZFJX
> I+XT0VE6lyijDBtb/JScUnM=
> =0QB0
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

-- 
"Feel free" - 10 GB Mailbox, 100 FreeSMS/Monat ...
Jetzt GMX TopMail testen: http://www.gmx.net/de/go/topmail

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message