tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From se...@gmx.ch
Subject Re: [OT] User-password from the HttpServletRequest
Date Fri, 04 May 2007 19:02:39 GMT
Thanks Chris, it helps a lot for me :-)
Very useful informations.


-------- Original-Nachricht --------
Datum: Thu, 03 May 2007 15:02:35 -0400
Von: Christopher Schultz <chris@christopherschultz.net>
An: Tomcat Users List <users@tomcat.apache.org>
Betreff: Re: [OT] User-password from the HttpServletRequest

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sam,
> 
> sebbo@gmx.ch wrote:
> > I saw, that I can get the password via the Principle: The Tomcat
> > server has his own implementation of Principle: GenericPrinciple
> > which holds all the stuff (pw, roles, etc).
> 
> Wow, Tomcat keeps the user's password lying around in memory? That's
> unfortunate... :(
> 
> > Does somebody know a good encryption/decryption algorithm which works
> > only with a password (String)?
> 
> There are many symmetric encryption algorithms. DES, 3DES ("Triple
> DES"), AES, and Blowfish are quire popular. Java supports many of these
> algorithms out of the box. Figuring out how to use them can be a
> challenge, so here's some of the things I've learned.
> 
> With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
> ciphers available from the "SunJCE version 1.5" provider:
> 
> AES
> Blowfish
> DES
> 3DES
> 
> Each of these can be used with a simple password. You'll need to massage
> your strings to get them into the proper format, though. Here is some
> helpful code.
> 
> In order to do anything with a cipher, you'll need a key. The easiest
> way to create a key is like this:
> 
> byte[] password = ...;
> String algorithm = ...;  // "AES", "3DES", etc.
> Key encryptionKey = new javax.crypto.spec.SecretKeySpec(password,
>                                                         algorithm);
> 
> Now that you have a key (which can be used for decryption, btw), you can
> use a cipher:
> 
> byte[] clearText = ...; // convert your data-to-encrypt to bytes
> Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
> cipher.init(Cipher.ENCRYPT_MODE, key);
> byte[] cipherText = cipher.doFinal(clearText);
> 
> Decryption is the same, just that you use DECRYPT_MODE when you call
> Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.
> 
> A few other notes:
> 
> * Be careful about converting Strings to and from byte arrays. Make sure
> that you consistently use the same character encoding (UTF-8 is always a
> good bet) or your efforts will end in tears.
> 
> * If you want to store your encrypted data in a database, you have to
> decide if you want to store binary byte data (BLOB) or character data
> (CLOB). BLOBs are probably smaller (keep reading) but not as easy to
> "read" when observing data in the database. CLOBs will take more space
> but are easier to "read" when looking at your db. If you choose to use a
> CLOB, then you'll need to convert the cipher text into a readable
> format. Base64 encoding is often chosen because it results in 4 bytes of
> output for every 3 bytes of input, so you "waste" only 1/3 extra
> storage. Compare that to a "character binary encoding" (my term) where
> you have 1 byte -> 2 character conversion (results look like "1a2b3c"
> etc.) which doubles your data, which sucks.
> 
> This is only one way to interact with Java's crypto APIs. I'm sure there
> are other ways, but after a lot of reading this is what I came up with.
> 
> Hope that helps,
> - -chris
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFGOjHL9CaO5/Lv0PARAmhuAJ9dmZchojiDSNOGBiPE8RCtZn8WHgCfXJL6
> spL4xNqgsIAuKgHBLnD3KFo=
> =RssM
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

-- 
"Feel free" - 10 GB Mailbox, 100 FreeSMS/Monat ...
Jetzt GMX TopMail testen: http://www.gmx.net/de/go/topmail

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message