RE: Alternate password encryption code? [UPDATED]

2003-07-17 Thread Extance, Paul
With reference to the tomcat JDBC Encryption realm, a new version is
available which includes the necessary MBeans stuff for tomcat 4.1.24.

The jar is available @
http://prdownloads.sourceforge.net/jaffa/jaffa-tomcat_1_2_0.jar?download

And at last some proper documentation @
http://jaffa.sourceforge.net/documentation/security/web/

Paul Extance

RE: Alternate password encryption code?

2003-06-05 Thread Jeff Sexton

Nice!  Thanks!


Jeff Sexton
The ODS Companies
[EMAIL PROTECTED]



RE: Alternate password encryption code?

2003-06-04 Thread Extance, Paul
We've already done this as part of the Jaffa (jaffa.sourceforge.net) open
source project. For more details see...

The Source Code @
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/org/jaffa/tomcat/realm/JDBCEncryptionRealm.java?rev=HEAD&content-type=text/vnd.viewcvs-markup

The Jaffa Site @ http://jaffa.sf.net

The JAR, if you want the easy way... is attached!

This has been tested with most tomcat releases from 3.3a up to 4.1.24 and
works. It supports two types of encryption signatures:

String xxx(String password) and
String xxx(String password, String Userid) in case you want to use their
user id as part of the key for the encryption

You provide the class name and the method name in server.xml, and it looks
for either method 1 or 2 and uses that to encrypt the password, before
comparing it with the one in the database. It does not try to decrypt the
database password, so a one way encryption algorithm can be supported.

This Realm also allows you some other features like extending the where
clause for the retrieve on user records, and the select for how to read the
roles (in case you don't want to create additional views!)

An example of how it can be used in server.xml is...

<Realm
    className          = "org.jaffa.tomcat.realm.JDBCEncryptionRealm"
    debug              = "0"
    driverName         = "oracle.jdbc.driver.OracleDriver"
    connectionURL      = "jdbc:oracle:thin:@myhost.mydomain.com:1521:mydb"
    connectionName     = "mydbuser"
    connectionPassword = "mydbpass"
    userTable          = "users"
    userNameCol        = "user_id"
    userCredCol        = "password"
    userClause         = "password is not null and user_status='Active'"
    userRoleTable      = "user_roles"
    roleNameCol        = "role_name"
    encryptionClass    = "com.mycompany.services.Encryption"
    encryptionMethod   = "encrypt"
/>

Just make sure you put the attached JAR, and your JAR in the /server/lib
directory, and put the database driver JAR(s) in the same place or in
/common/lib

Hope this helps...

Paul Extance
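
The lookup and one-way comparison described in the message above, as an added sketch that is not Jaffa's code and not part of the original post. The nested `Encryption` class stands in for `com.mycompany.services.Encryption`; static methods, the two-argument-first lookup order, the PBKDF2 parameters and the sample users are assumptions.

```java
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class EncryptionRealmSketch {

    /** Hypothetical stand-in for the class named in encryptionClass. */
    public static class Encryption {
        // Signature 2 from the post: the user id is mixed in, so two users
        // with the same password end up with different stored values.
        public static String encrypt(String password, String userId) throws Exception {
            // The realm only compares strings, so the salt must be reproducible
            // from the inputs; here it is derived from the user id (assumption).
            byte[] salt = ("constructed-app-salt:" + userId).getBytes(StandardCharsets.UTF_8);
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            try {
                byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                return toHex(derived);
            } finally {
                spec.clearPassword();
            }
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Sketch of the described lookup: try (String, String), then (String). */
    static String transform(String className, String methodName,
                            String password, String userId) throws Exception {
        Class<?> cls = Class.forName(className);
        try {
            Method m = cls.getMethod(methodName, String.class, String.class);
            return (String) m.invoke(null, password, userId);
        } catch (NoSuchMethodException e) {
            Method m = cls.getMethod(methodName, String.class);
            return (String) m.invoke(null, password);
        }
    }

    /** Transform the submitted password and compare; the stored value is never decrypted. */
    static boolean authenticate(String className, String methodName, String userId,
                                String submitted, String storedCredential) throws Exception {
        String candidate = transform(className, methodName, submitted, userId);
        // Constant-time comparison of the two encoded values.
        return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.UTF_8),
                storedCredential.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String cls = Encryption.class.getName();
        // Constructed values standing in for the userCredCol column of two rows.
        String aliceStored = Encryption.encrypt("correct horse", "alice");
        String bobStored = Encryption.encrypt("correct horse", "bob");
        System.out.println("alice, right password: "
                + authenticate(cls, "encrypt", "alice", "correct horse", aliceStored));
        System.out.println("alice, wrong password: "
                + authenticate(cls, "encrypt", "alice", "wrong", aliceStored));
        System.out.println("alice and bob share a stored value: "
                + aliceStored.equals(bobStored));
    }
}
```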


Re: Alternate password encryption code?

2003-06-04 Thread John Turner
Neat!

John


Re: Alternate password encryption code?

2003-06-01 Thread Phil Steitz
Jeff Sexton wrote:
> On Thu, 29 May 2003, Raible, Matt wrote:
>
>> Why don't you just have the JDBCRealm do it - add digest=SHA.
>
> I need something other than SHA, I need to use my own custom code for an
> encryption method of my own that is not provided by JDBCRealm
>
>> To programmatically do it using form-based authentication, I've used a
>> LoginServlet that's mapped to auth in my login.jsp's form.  In this
>> servlet, I encrypt the password and redirect to j_security_check - is that
>> what you're looking for?
>
> Maybe.  I'll do some reading about form-based authentication.  I'm not
> sure.
>
> I'm after this because I already have set up a JDBCRealm based system,
> with BASIC authentication, and SHA, under Tomcat for both servlets and
> cocoon stuff.  Now I want to tie this together with another application
> that encrypts passwords differently from any method available in JDBCRealm.
>
> I have the code for the encryption.  If I could simply drop this code into
> the user validation JDBCRealm does for me in Tomcat, it'd be great because
> the security would all work and I wouldn't have to create any
> user/password management pages of my own.

Based on the documentation here

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords

and a quick look at the sources here

http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain

it does not look to me like you are going to be able to do this without
hacking the JDBC Realm implementation.  The tomcat JDBC Realm
implementation supports digested (*not* encrypted) passwords using
java.security.MessageDigest to do the hashing.  This means that the
hashing must be performed using one of the standard algorithms specified
here
http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA

You are probably best off going with one of the approaches that Matt has
outlined if you want to serve login pages from the tomcat nodes.

Phil

> If I can do this, I can tie Tomcat authentication to the password system
> my company has on other systems.
>
> Any tips are helpful!  I'm a little lost with this.



RE: Alternate password encryption code?

2003-05-30 Thread Raible, Matt
Here's how I do it - and I generally use SHA as my algorithm:

    import java.security.MessageDigest;

    /**
     * Encode a string using algorithm specified in web.xml and return the
     * resulting encrypted password. If exception, the plain credentials
     * string is returned
     *
     * @param password Password or other credentials to use in authenticating
     *        this username
     * @param algorithm Algorithm used to do the digest
     *
     * @return encrypted password
     */
    public static String encodePassword(String password, String algorithm) {
        // uses the platform default charset
        byte[] unencodedPassword = password.getBytes();

        MessageDigest md = null;

        try {
            // first create an instance, given the provider
            md = MessageDigest.getInstance(algorithm);
        } catch (Exception e) {
            // "log" is the enclosing class's logger
            log.error("Exception: " + e);

            // falls back to the unhashed input, as the Javadoc above states
            return password;
        }

        md.reset();

        // call the update method one or more times
        // (useful when you don't know the size of your data, eg. stream)
        md.update(unencodedPassword);

        // now calculate the hash
        byte[] encodedPassword = md.digest();

        StringBuffer buf = new StringBuffer();

        // hex-encode the digest, zero-padding each byte to two digits
        for (int i = 0; i < encodedPassword.length; i++) {
            if (((int) encodedPassword[i] & 0xff) < 0x10) {
                buf.append("0");
            }

            buf.append(Long.toString((int) encodedPassword[i] & 0xff, 16));
        }

        return buf.toString();
    }

-----Original Message-----
From: Jeff Sexton [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 4:25 PM
To: [EMAIL PROTECTED]
Subject: Alternate password encryption code?



I need to use my own bit of java to encrypt passwords for a JDBCRealm.  I
have no idea what approach is best to take with this, anyone have any
suggestions?

Thanks


Jeff Sexton
The ODS Companies
[EMAIL PROTECTED]





RE: Alternate password encryption code?

2003-05-30 Thread Jeff Sexton


On Thu, 29 May 2003, Raible, Matt wrote:
> Here's how I do it - and I generally use SHA as my algorithm:

Thanks, but my question is really related to the setup - I have the code I
want to use for the encryption, but I'm not sure how to tie it in with the
existing JDBCRealm mechanism.

How did you do that?  A custom realm class?





RE: Alternate password encryption code?

2003-05-30 Thread Jeff Sexton

On Thu, 29 May 2003, Raible, Matt wrote:
> Why don't you just have the JDBCRealm do it - add digest=SHA.

I need something other than SHA, I need to use my own custom code for an
encryption method of my own that is not provided by JDBCRealm

> To programmatically do it using form-based authentication, I've used a
> LoginServlet that's mapped to auth in my login.jsp's form.  In this
> servlet, I encrypt the password and redirect to j_security_check - is that
> what you're looking for?

Maybe.  I'll do some reading about form-based authentication.  I'm not
sure.

I'm after this because I already have set up a JDBCRealm based system,
with BASIC authentication, and SHA, under Tomcat for both servlets and
cocoon stuff.  Now I want to tie this together with another application
that encrypts passwords differently from any method available in JDBCRealm.

I have the code for the encryption.  If I could simply drop this code into
the user validation JDBCRealm does for me in Tomcat, it'd be great because
the security would all work and I wouldn't have to create any
user/password management pages of my own.

If I can do this, I can tie Tomcat authentication to the password system
my company has on other systems.

Any tips are helpful!  I'm a little lost with this.

