tomcat-users mailing list archives

Subject Re: User-password from the HttpServletRequest
Date Thu, 03 May 2007 17:45:58 GMT
I saw that I can get the password via the Principal: the Tomcat server has its own implementation
of Principal, GenericPrincipal, which holds all the stuff (pw, roles, etc).

I know the problem with the changing of password, but that's not the main problem now ;-)

Does somebody know a good encryption/decryption algorithm which works only with a password?

-------- Original Message --------
Date: Wed, 02 May 2007 16:54:22 -0400
From: Christopher Schultz <>
To: Tomcat Users List <>
Subject: Re: User-password from the HttpServletRequest

> Sam,
> wrote:
> > I'm using the password of the [authentication] to encrypt and decrypt
> > some data to a database user specific (each user's own data has the
> > user's password).
> Uh... are you sure this is a good idea? If the user changes his or her
> password, do you re-encrypt all of their data? This doesn't seem like a
> very efficient way to store encrypted information.
> My advice: randomly generate an encryption key when the account is
> created (or afterward for existing users) and encrypt /that/ with the
> user's password. Then, when the user's password is changed, you only
> have to re-encrypt the encryption/decryption key itself, instead of
> every piece of information in there.
> > To get to the password must be possible, no?
> The servlet API provides no way to get the user's password. You'll have
> to do this yourself. If you need the password all the time, you could
> store it in the session during login and you'd have it available
> whenever you want.
> If you use my suggestion from above, you could use the login password to
> decrypt the general encryption/decryption key and then store that in the
> session, which might be more convenient (or safer?) than storing the
> user's actual password in the session.
> On second thought, the encryption key is more sensitive (at least, as
> far as your application goes) than the user's password, so perhaps the
> user's password in the session is better "just in case".
> -chris
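Chris's suggestion above (a random per-user data key, wrapped with the login password, so that a password change only re-wraps the key) and Sam's follow-up question (an algorithm that works from a password alone) are both covered by the following example. It is added here and is not code from the thread, from Tomcat, or from either poster; it uses only the standard `javax.crypto` API. The concrete algorithm choices, PBKDF2-HMAC-SHA256 to turn the password into a key-encryption key and AES-GCM for both wrapping and record encryption, are this example's own, as are the class and method names, the iteration count and the sample password. The wrapped-key record is what you would persist next to the account; at login you unwrap the data key and keep that (not the password) in the session.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the thread): a random per-user data key (DEK),
// wrapped under a key-encryption key (KEK) derived from the login password.
public class WrappedKeyExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 200_000; // assumed value; tune per deployment
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_NONCE_BYTES = 12;

    /** The per-user record to persist alongside the account (hypothetical layout). */
    public static final class WrappedKey {
        public final byte[] salt, nonce, wrapped;
        WrappedKey(byte[] salt, byte[] nonce, byte[] wrapped) {
            this.salt = salt; this.nonce = nonce; this.wrapped = wrapped;
        }
    }

    private static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    /** Password -> KEK. The per-user salt makes equal passwords yield different KEKs. */
    private static SecretKey deriveKek(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(keyBytes, "AES");
    }

    /** AES-GCM in one direction; a wrong key fails authentication and throws AEADBadTagException. */
    private static byte[] gcm(int mode, SecretKey key, byte[] nonce, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return c.doFinal(in);
    }

    /** Account creation: fresh random DEK, wrapped under the password-derived KEK. */
    public static WrappedKey createWrappedDataKey(char[] password) throws Exception {
        byte[] dek = randomBytes(32);
        byte[] salt = randomBytes(16);
        byte[] nonce = randomBytes(GCM_NONCE_BYTES);
        byte[] wrapped = gcm(Cipher.ENCRYPT_MODE, deriveKek(password, salt), nonce, dek);
        Arrays.fill(dek, (byte) 0);
        return new WrappedKey(salt, nonce, wrapped);
    }

    /** Login: recover the DEK from the stored record and the password just entered. */
    public static SecretKey unwrapDataKey(char[] password, WrappedKey w) throws Exception {
        byte[] dek = gcm(Cipher.DECRYPT_MODE, deriveKek(password, w.salt), w.nonce, w.wrapped);
        return new SecretKeySpec(dek, "AES");
    }

    /** Password change: only the wrapping is redone; the user's encrypted records are untouched. */
    public static WrappedKey rewrap(char[] oldPassword, char[] newPassword, WrappedKey w) throws Exception {
        byte[] dek = unwrapDataKey(oldPassword, w).getEncoded();
        byte[] salt = randomBytes(16);
        byte[] nonce = randomBytes(GCM_NONCE_BYTES);
        byte[] wrapped = gcm(Cipher.ENCRYPT_MODE, deriveKek(newPassword, salt), nonce, dek);
        Arrays.fill(dek, (byte) 0);
        return new WrappedKey(salt, nonce, wrapped);
    }

    /** Encrypt one database record under the DEK; output layout is nonce || ciphertext+tag. */
    public static byte[] encryptRecord(SecretKey dek, byte[] plaintext) throws Exception {
        byte[] nonce = randomBytes(GCM_NONCE_BYTES);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, dek, nonce, plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static byte[] decryptRecord(SecretKey dek, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        return gcm(Cipher.DECRYPT_MODE, dek, nonce, ct);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();            // constructed sample password
        WrappedKey stored = createWrappedDataKey(pw);          // at account creation
        SecretKey dek = unwrapDataKey(pw, stored);             // at login; keep dek in the session
        byte[] blob = encryptRecord(dek, "user's private note".getBytes(StandardCharsets.UTF_8));

        char[] newPw = "new password".toCharArray();
        WrappedKey rewrapped = rewrap(pw, newPw, stored);      // password change: blob stays as-is
        SecretKey dekAgain = unwrapDataKey(newPw, rewrapped);
        System.out.println(new String(decryptRecord(dekAgain, blob), StandardCharsets.UTF_8));

        try {
            unwrapDataKey("wrong".toCharArray(), rewrapped);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password: data key not released");
        }
    }
}
```

Because the wrap uses an authenticated mode, a wrong password is detected at unwrap time instead of silently producing a garbage key, and the encrypted records themselves never need to be touched when the password changes.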


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
