tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Authenticating Users
Date Sun, 22 Feb 2009 14:56:15 GMT

Mark,

On 2/21/2009 4:06 PM, Mark Thomas wrote:
> 5. Patch DataSourceRealm
> 
> 6. Make case sensitivity configurable and contribute your patch back to
> the ASF.

7. Use securityfilter to write your realm, and not be tied to Tomcat.

8. Many databases use case-insensitive string comparisons already.
Case-insensitive passwords (probably a bad idea!) will work if you
aren't hashing them. If you are, you'll have to lowercase them or something.

If you /are/ hashing them, you'll need to do a password migration where
anyone who changes their password gets it lowercased but passwords that
existed beforehand are still case-sensitive. You cannot avoid this, no
matter what your solution is.

-chris

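The password migration described in the message above, as an added example (not code from the original post, Tomcat, or securityfilter). It assumes a per-user `caseFolded` flag stored beside a salted PBKDF2 hash; the class, record, flag and iteration count are hypothetical choices made for the illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Locale;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CaseFoldMigration {
    static final int ITERATIONS = 210_000; // assumed work factor, tune for your hardware

    /** One credential row (assumed layout). caseFolded is true only for
     *  hashes computed from a lowercased password. */
    record Credential(byte[] salt, byte[] hash, boolean caseFolded) {}

    static byte[] pbkdf2(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** Password change path: lowercase before hashing and set the flag. */
    static Credential store(String newPassword) throws Exception {
        byte[] salt = newSalt();
        return new Credential(salt, pbkdf2(newPassword.toLowerCase(Locale.ROOT), salt), true);
    }

    /** Login path: legacy rows (flag false) are compared exactly as typed,
     *  because the stored hash cannot be recomputed from a lowercased input. */
    static boolean verify(Credential c, String typed) throws Exception {
        String candidate = c.caseFolded() ? typed.toLowerCase(Locale.ROOT) : typed;
        return MessageDigest.isEqual(c.hash(), pbkdf2(candidate, c.salt()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample rows: one hashed before the migration, one after.
        byte[] salt = newSalt();
        Credential legacy = new Credential(salt, pbkdf2("S3cret", salt), false);
        Credential migrated = store("N3wPass");
        System.out.println("legacy, exact case:   " + verify(legacy, "S3cret"));
        System.out.println("legacy, wrong case:   " + verify(legacy, "s3cret"));
        System.out.println("migrated, other case: " + verify(migrated, "n3wPASS"));
    }
}
```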

