Message-ID: <4DF51885.50604@apache.org>
Date: Sun, 12 Jun 2011 20:50:29 +0100
From: Mark Thomas
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: user tomcat authentication
References: <4DF228CF.8050603@pidster.com> <4DF4E559.8090300@gmail.com> <4DF5138C.9000608@pidster.com>
In-Reply-To: <4DF5138C.9000608@pidster.com>

On 12/06/2011 20:29, Pid wrote:
> On 12/06/2011 17:12, Petr Hracek wrote:
>> And what about the case where I have my own program for accessing the
>> specific databases where the passwords are stored as hashes?
>>
>> Is there any way to run that program to get the unhashed password
>> from the database?
>
> Why not hash the inbound password, then send & compare it against the
> one in the DB, rather than decoding it?
>
> The Realm implementations can handle this, if you're using a standard
> hashing method that Java recognises.
>
> Hopefully you've not invented your own hashing method.

Hmm. Hash functions are meant to be one way. It should be impossible to
retrieve an unhashed password from the database. I hope that the original
description is inaccurate rather than an example of (yet another) badly
broken home-grown security solution that needs to be thrown away.

Mark
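The check Pid describes, as an added example that is not part of the thread or of Tomcat's own code: digest the inbound password with an algorithm the JVM recognises, then compare it with the stored digest in constant time, so the stored value never needs to be reversed. The algorithm name, the hex encoding and the in-memory user table are assumptions standing in for a real Realm and database.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

/** Verify a password against a one-way digest; the digest is never decoded. */
public class DigestCheck {

    /** Lower-case hex encoding, the usual form of a digest column. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Digest the password with any algorithm MessageDigest knows (assumed here: "SHA-256"). */
    static String digest(String algorithm, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toHex(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Recompute the digest of the inbound password and compare it with the stored one.
     * MessageDigest.isEqual is constant-time, so a mismatch position is not leaked by timing.
     */
    static boolean verify(String algorithm, String inbound, String storedHex)
            throws NoSuchAlgorithmException {
        byte[] computed = digest(algorithm, inbound).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed stand-in for the users table: name -> stored digest (no real credentials).
        Map<String, String> userTable = Map.of(
                "alice", digest("SHA-256", "correct horse"));  // written once, at enrolment

        String stored = userTable.get("alice");
        System.out.println("right password accepted: " + verify("SHA-256", "correct horse", stored));
        System.out.println("wrong password accepted:  " + verify("SHA-256", "wrong horse", stored));
    }
}
```

A plain unsalted digest like this is only the baseline the thread discusses; a salted, deliberately slow password hash resists offline guessing against a leaked table far better.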