tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: user tomcat authentication
Date Sun, 12 Jun 2011 19:50:29 GMT
On 12/06/2011 20:29, Pid wrote:
> On 12/06/2011 17:12, Petr Hracek wrote:
>> And what about in case that I have my own program for accessing to the
>> specific
>> databases where the passwords are stored as hashes?
>> Are there any possibilities how to run that program for getting unhashed
>> password from database?
> Why not hash the inbound password, then send & compare it against the
> one in the DB, rather than decoding it?
> The Realm implementations can handle this, if you're using a standard
> hashing method that Java recognises.
> Hopefully you've not invented your own hashing method.

Hmm. Hash functions are meant to be one way. It should be impossible to
retrieve an unhashed password from the database.

I hope that the original description is inaccurate rather than an
example of (yet another) badly broken home-grown security solution that
needs to be thrown away.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message