tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: [OT] User-password from the HttpServletRequest
Date Thu, 03 May 2007 19:02:35 GMT

Sam wrote:
> I saw, that I can get the password via the Principle: The Tomcat
> server has his own implementation of Principle: GenericPrinciple
> which holds all the stuff (pw, roles, etc).

Wow, Tomcat keeps the user's password lying around in memory? That's
unfortunate... :(

> Does somebody know a good encryption/decryption algorithm which works
> only with a password (String)?

There are many symmetric encryption algorithms. DES, 3DES ("Triple
DES"), AES, and Blowfish are quite popular. Java supports many of these
algorithms out of the box. Figuring out how to use them can be a
challenge, so here are some of the things I've learned.

With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
ciphers available from the "SunJCE version 1.5" provider:


Each of these can be used with a simple password. You'll need to massage
your strings to get them into the proper format, though. Here is some
helpful code.

In order to do anything with a cipher, you'll need a key. The easiest
way to create a key is like this:

byte[] password = ...;   // must be a legal key length for the algorithm (16, 24 or 32 bytes for AES)
String algorithm = ...;  // JCE name: "AES", "DESede" (3DES), "Blowfish", etc.
java.security.Key encryptionKey = new javax.crypto.spec.SecretKeySpec(password, algorithm);

Now that you have a key (which can be used for decryption, btw), you can
use a cipher:

byte[] clearText = ...; // convert your data-to-encrypt to bytes
javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, encryptionKey);
byte[] cipherText = cipher.doFinal(clearText);

Decryption is the same, just that you use DECRYPT_MODE when you call
Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.

A few other notes:

* Be careful about converting Strings to and from byte arrays. Make sure
that you consistently use the same character encoding (UTF-8 is always a
good bet) or your efforts will end in tears.

* If you want to store your encrypted data in a database, you have to
decide if you want to store binary byte data (BLOB) or character data
(CLOB). BLOBs are probably smaller (keep reading) but not as easy to
"read" when observing data in the database. CLOBs will take more space
but are easier to "read" when looking at your db. If you choose to use a
CLOB, then you'll need to convert the cipher text into a readable
format. Base64 encoding is often chosen because it results in 4 bytes of
output for every 3 bytes of input, so you "waste" only 1/3 extra
storage. Compare that to a "character binary encoding" (my term) where
you have 1 byte -> 2 character conversion (results look like "1a2b3c"
etc.) which doubles your data, which sucks.

This is only one way to interact with Java's crypto APIs. I'm sure there
are other ways, but after a lot of reading this is what I came up with.

Hope that helps,
- -chris
