tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Chaney <a...@compulsivecreative.com>
Subject Re: Authenticating Users
Date Mon, 23 Feb 2009 00:33:40 GMT
Martin Gainty wrote:
> Which specific attributes are you seeking that are not in DataSourceRealm?
> <Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99"
>    dataSourceName="jdbc/authority"
>    userTable="users" userNameCol="user_name" userCredCol="user_pass"
>    userRoleTable="user_roles" roleNameCol="role_name"/>
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#DataSourceRealm
>
> ?
>   
To summarize

I (or,actually my "marketing dept')  have the following requirements.

1. password be case insensitive [I may be able to talk them out of this]
2. username be case insensitive.
3. email address can be used as a synonym for the user name.
4. Security managed by Tomcat CMS.

Mark T suggested that I modify DSR appropriately.
Chris Schultz pointed out correctly that it gets a bit more complicated 
if the pwd must be hashed.

I've looked at the code to DSR and it seems to me that the following 
would work.

1. add an 'alternative' userNameCol (eg altNameCol) and in the 
configuration as above point that at the email column.
2. in the code, IF the login fails using the 'user_name' then try it 
with the altNameCol.
3. to make things case insenstive simply convert the username to lower 
case and use a 'lower' function on the column value.
4. to make the thing a bit more flexible an additional boolean parameter 
'isCaseInsensitive' could be added to select the behavior has in 3. above.

Defaults could be chosen such that the current configuration setup still 
works (eg the default value for isCaseInsensitive is false)

Only real gotcha that I can see for making it database independent is 
that the function used to create lower case is not univerally 'lower()' 
(M/SQL appears to be toLower()) so it might be necessary to pass the 
string for the function name as an optional configuration parameter.

I realize that many people would advise against the idea of case 
insensitive passwords - however, despite my personal reservations I am 
willing to accept that in the case of this particular application the 
reduction in security is acceptable.

If hashed pwds are used then there are 3 solutions:

1. don't allow case insensitive passwords - only user names.
2. provide two columns one for lower case versions of the pwd.
3. convert all the existing password HASHES to the lower case equivalent,

but hashed passwords are not my principal concern

I've downloaded and built 6.0.18 and looked at the DSR code - doesn't 
look like a very big job to make the changes that I want so I may have 
go tomorrow. As I use 6.0.18 I can easily test it by just patching in 
the .class file for DataSourceRealm on my dev. system.

Regards

Alan










---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message