From Christopher Schultz <>
Subject Re: User-password from the HttpServletRequest
Date Wed, 02 May 2007 20:54:22 GMT
Sam wrote:
> I'm using the password of the [authentication] to encrypt and decrypt
> some user-specific data in a database (each user's own data is
> encrypted with the user's password).

Uh... are you sure this is a good idea? If the user changes his or her
password, do you re-encrypt all of their data? This doesn't seem like a
very efficient way to store encrypted information.

My advice: randomly generate an encryption key when the account is
created (or afterward for existing users) and encrypt /that/ with the
user's password. Then, when the user's password is changed, you only
have to re-encrypt the encryption/decryption key itself, instead of
every piece of information in there.

> To get to the password must be possible, no?

The servlet API provides no way to get the user's password. You'll have
to do this yourself. If you need the password all the time, you could
store it in the session during login and you'd have it available
whenever you want.

If you use my suggestion from above, you could use the login password to
decrypt the general encryption/decryption key and then store that in the
session, which might be more convenient (or safer?) than storing the
user's actual password in the session.

On second thought, the encryption key is more sensitive (at least, as
far as your application goes) than the user's password, so perhaps the
user's password in the session is better "just in case".
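The key-wrapping scheme Christopher sketches above (random per-user data key, wrapped under a password-derived key, re-wrapped on password change) as a worked example. This is added illustration code, not part of the original mail and not anything the Servlet API provides; it assumes AES-GCM for both wrapping and data encryption, PBKDF2-HMAC-SHA256 for deriving the wrapping key, a hypothetical `UserKeyRecord` standing in for whatever table row you keep per user, and the user id bound into the wrap as associated data so one user's wrapped key cannot be swapped for another's. The PBKDF2 iteration count is a placeholder to tune for your hardware.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the original mail): a random per-user data-encryption key
// (DEK) is wrapped with a key derived from the password (KEK). Changing the password
// re-wraps only the DEK; the data encrypted under the DEK is never touched.
public class WrappedUserKey {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 600_000; // assumption: tune for your hardware
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_NONCE_BYTES = 12;

    // Hypothetical per-user row: salt + wrapped DEK. The plaintext DEK is never stored.
    static final class UserKeyRecord {
        final byte[] salt;
        final byte[] wrappedDek; // nonce || ciphertext || GCM tag
        UserKeyRecord(byte[] salt, byte[] wrappedDek) { this.salt = salt; this.wrappedDek = wrappedDek; }
    }

    // KEK = PBKDF2-HMAC-SHA256(password, salt); the password char[] is cleared afterwards.
    static SecretKey deriveKek(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    // AES-GCM with a fresh random nonce prepended to the output.
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        if (aad != null) c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException (a GeneralSecurityException) on a wrong key or tampering.
    static byte[] aesGcmDecrypt(SecretKey key, byte[] blob, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        if (aad != null) c.updateAAD(aad);
        return c.doFinal(ct);
    }

    // Account creation: generate a random DEK and wrap it under the password-derived KEK.
    static UserKeyRecord createUserKey(String userId, char[] password) throws GeneralSecurityException {
        byte[] dek = new byte[32];
        RNG.nextBytes(dek);
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] wrapped = aesGcmEncrypt(deriveKek(password, salt), dek, userId.getBytes(StandardCharsets.UTF_8));
        Arrays.fill(dek, (byte) 0);
        return new UserKeyRecord(salt, wrapped);
    }

    // Login: unwrap the DEK. This key (not the password) is what you would keep in the session.
    static SecretKey unwrapDek(UserKeyRecord rec, String userId, char[] password) throws GeneralSecurityException {
        byte[] dek = aesGcmDecrypt(deriveKek(password, rec.salt), rec.wrappedDek, userId.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(dek, "AES");
    }

    // Password change: same DEK, new salt, new KEK. Data encrypted under the DEK is unchanged.
    static UserKeyRecord changePassword(UserKeyRecord rec, String userId, char[] oldPw, char[] newPw)
            throws GeneralSecurityException {
        SecretKey dek = unwrapDek(rec, userId, oldPw);
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] wrapped = aesGcmEncrypt(deriveKek(newPw, salt), dek.getEncoded(), userId.getBytes(StandardCharsets.UTF_8));
        return new UserKeyRecord(salt, wrapped);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String user = "sam"; // constructed sample input
        UserKeyRecord rec = createUserKey(user, "old-password".toCharArray());
        SecretKey dek = unwrapDek(rec, user, "old-password".toCharArray());
        byte[] stored = aesGcmEncrypt(dek, "private note".getBytes(StandardCharsets.UTF_8), null);

        rec = changePassword(rec, user, "old-password".toCharArray(), "new-password".toCharArray());
        SecretKey dekAfter = unwrapDek(rec, user, "new-password".toCharArray());
        System.out.println(new String(aesGcmDecrypt(dekAfter, stored, null), StandardCharsets.UTF_8));

        try {
            unwrapDek(rec, user, "old-password".toCharArray());
        } catch (GeneralSecurityException e) {
            System.out.println("old password no longer unwraps the DEK: " + e.getClass().getSimpleName());
        }
    }
}
```

Whichever secret ends up in the session, the DEK or the password, it lives in server memory for the session's lifetime, so invalidate the session on logout and keep the session from being serialized to disk or replicated to other nodes unless that channel is itself protected.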

