tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: CredentialHandler
Date Wed, 27 Apr 2016 15:51:34 GMT

On 4/27/16 11:16 AM, Stefan Frei wrote:
> Tomcat 8.0.33
> I need some help with CredentialHandler in DataSourceRealm.
> I want to achieve an encrypted password, if possible with salt.
> Encryption SHA-512 or similar.

Technically that's a hash, not an encrypted credential. "Encryption"
generally means that it's reversible, and hashes, etc. are not
reversible (at least not directly).

> Is there an example somewhere how to modify the realm? I couldn't
> find anything in the docs.
> Realm looks like this atm. It's working, but passwords are stored in
> plain text.
> <Realm className="org.apache.catalina.realm.DataSourceRealm" 
> dataSourceName="jdbc/sandbox" localDataSource="true" 
> roleNameCol="rolename" userCredCol="password"
> userNameCol="username" userRoleTable="roles" userTable="users">

Realms never write passwords out, so they are stored in whatever form
*you* decided to store them.

Since you have declared no <CredentialHandler> element inside your
<Realm>, you are getting the default CH:
MessageDigestCredentialHandler. The default algorithm for MDCH is
plaintext (i.e. "none").

If you want to change that, you'll have to add your own
<CredentialHandler> element and configure it however you want.

Since you have plaintext passwords in the database now, you might want
to convert them to whatever scheme you decide to use (e.g. salted
SHA-256). You can do that using RealmBase from the command-line:


Unfortunately, that command doesn't have any "help" you can run to
find out what the parameters mean exactly, but the source does have
that detail (apologies for the lack of formatting... I'm not going to
re-format this manually):

     * <li><b>-a</b> - The algorithm to use to generate the stored
     *                 credential. If not specified a default of SHA-512 will be
     *                 used.</li>
     * <li><b>-e</b> - The encoding to use for any byte to/from character
     *                 conversion that may be necessary. If not specified, the
     *                 system encoding ({@link Charset#defaultCharset()}) will
     *                 be used.</li>
     * <li><b>-i</b> - The number of iterations to use when generating the
     *                 stored credential. If not specified, the default for the
     *                 CredentialHandler will be used.</li>
     * <li><b>-s</b> - The length (in bytes) of salt to generate and store as
     *                 part of the credential. If not specified, the default for
     *                 the CredentialHandler will be used.</li>
     * <li><b>-k</b> - The length (in bits) of the key(s), if any, created while
     *                 generating the credential. If not specified, the default
     *                 for the CredentialHandler will be used.</li>
     * <li><b>-h</b> - The fully qualified class name of the CredentialHandler
     *                 to use. If not specified, the built-in handlers will be
     *                 tested in turn and the first one to accept the
     *                 algorithm will be used.</li>

Run each of your passwords through that to get the encoded form, then
use the same parameters to configure your <CredentialHandler>.

Hope that helps,
- -chris
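As an added example (written here, not Chris's code and not Tomcat's), the Java program below shows what a salted, iterated SHA-512 credential looks like in stored form and why the <CredentialHandler> in server.xml has to be configured with the same algorithm, salt length and iteration count that were used to produce the database values. It assumes the stored layout that, to my understanding, Tomcat 8's MessageDigestCredentialHandler reads back: hex salt, iteration count and hex digest separated by "$", with the salt prepended to the password bytes for the first digest and every further iteration digesting the previous result. Confirm that against the strings RealmBase prints for your own Tomcat version before loading anything into the users table. The server.xml fragment in the comment reuses the attribute names from the Realm documentation and the table and column names from the original post; the sample password is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/*
 * Hypothetical server.xml fragment using the same parameters as the
 * constants below (attribute names as documented for Tomcat 8's Realm):
 *
 *   <Realm className="org.apache.catalina.realm.DataSourceRealm"
 *          dataSourceName="jdbc/sandbox" localDataSource="true"
 *          userTable="users" userNameCol="username" userCredCol="password"
 *          userRoleTable="roles" roleNameCol="rolename">
 *     <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
 *                        algorithm="SHA-512" iterations="1000" saltLength="16"/>
 *   </Realm>
 */
public class SaltedDigestDemo {
    // These three values must match the <CredentialHandler> attributes.
    static final String ALGORITHM = "SHA-512";
    static final int ITERATIONS = 1000;
    static final int SALT_LENGTH = 16;

    // Assumed digest chaining: digest(salt || password), then re-digest the
    // previous result (iterations - 1) more times.
    static byte[] digest(byte[] salt, byte[] password, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(ALGORITHM);
        md.update(salt);
        md.update(password);
        byte[] result = md.digest();
        for (int i = 1; i < iterations; i++) {
            md.reset();
            result = md.digest(result);
        }
        return result;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Produce the assumed stored form "<salt hex>$<iterations>$<digest hex>"
    // with a fresh random salt, which is what would go into the password column.
    static String encode(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_LENGTH];
        new SecureRandom().nextBytes(salt);
        byte[] d = digest(salt, password.getBytes(StandardCharsets.UTF_8), ITERATIONS);
        return toHex(salt) + "$" + ITERATIONS + "$" + toHex(d);
    }

    // Verify a candidate the way the handler would: recover salt and iteration
    // count from the stored value, recompute, and compare in constant time.
    static boolean matches(String candidate, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false; // not in the salted/iterated form this demo expects
        }
        byte[] salt = fromHex(parts[0]);
        int iterations = Integer.parseInt(parts[1]);
        byte[] expected = fromHex(parts[2]);
        byte[] actual = digest(salt, candidate.getBytes(StandardCharsets.UTF_8), iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery staple"; // constructed sample
        String stored = encode(password);
        System.out.println("stored credential: " + stored);
        // The same password verifies; a different one does not.
        System.out.println("same password matches:  " + matches(password, stored));
        System.out.println("other password matches: " + matches("not the password", stored));
    }
}
```

Because the handler recovers the salt and the iteration count from the stored string itself, the password column needs room for the whole value (for these parameters, 32 hex characters of salt, the iteration count, 128 hex characters of SHA-512 digest and two separators), and the algorithm and salt length on the <CredentialHandler> must be the ones used when the rows were generated, exactly as Chris says about reusing the RealmBase parameters.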