https://issues.apache.org/bugzilla/show_bug.cgi?id=53785
--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---

Ignoring several of David's foolish statements (one-way hashing versus bi-directional, bcrypt using non-retrievable salts, etc.), I do think this enhancement request has merit.

David is right that merely using a "better" hash algorithm (i.e. SHA-65536) isn't the same as using a so-called "password-hashing algorithm" like bcrypt, scrypt, etc.: those algorithms use built-in random salts and iterations of the base algorithm (which is something like SHA-256) and do require more than just "hashing" the incoming password and comparing it to the stored hash.

One could also argue that this kind of thing can be implemented outside of Tomcat by merely writing a custom Realm, which is certainly true, but the existing API doesn't lend itself to extensibility (other than to the realms currently built into Tomcat).

I think there are some changes we could make to the code to allow a bcrypt-based implementation to be much easier to build. For instance: instead of a method that hashes the attempted-password, retrieves the known-hashed-password and compares the two, perhaps we could have a method that retrieves the known-hashed-password and then calls a method to "hashAndCompare" or something similar. This would allow a bcrypt-based implementation to merely override this method and use the bcrypt tools to compare (for some definition of "compare") an attempted-password directly to the known-hashed-password, while the "standard" implementation could perform the existing MessageDigest-based hashing and String comparison.

This then brings up the fact that RealmBase seems like the most reasonable place to do all of this, except that nobody really wants to extend RealmBase because the real action is in the realm implementations (DataSourceRealm, JNDIRealm, etc.). If the "hashing stuff" could be isolated from RealmBase, then we could make it pluggable such that users could use a DataSourceRealm or JNDIRealm but also plug in a bcrypt implementation for the password-hashing work.

I'd like to reopen this unless there are any strong objections.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
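The "retrieve the stored credential, then delegate to a hashAndCompare-style method" design proposed in the comment, sketched as an added Java example. This is not Tomcat code and not the API the comment proposes; the `PasswordMatcher` interface, the class names and the `iterations$salt$hash` storage format are all hypothetical. Because bcrypt is not part of the JDK, the salted, iterated matcher uses PBKDF2 from `javax.crypto` as a stand-in, which illustrates the same property the comment relies on: the salt and work factor live inside the stored credential, so the realm cannot simply hash the attempted password and string-compare it, and must hand both values to the matcher instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical pluggable "hashAndCompare" abstraction (not Tomcat's real API). */
interface PasswordMatcher {
    /** True if the attempted clear-text password matches the stored credential. */
    boolean matches(String attempted, String stored);
}

/** Mirrors the existing MessageDigest-based behaviour: digest, hex-encode, compare. */
final class DigestPasswordMatcher implements PasswordMatcher {
    private final String algorithm;

    DigestPasswordMatcher(String algorithm) { this.algorithm = algorithm; }

    static String hexDigest(String algorithm, String input) {
        try {
            byte[] d = MessageDigest.getInstance(algorithm)
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public boolean matches(String attempted, String stored) {
        byte[] a = hexDigest(algorithm, attempted).getBytes(StandardCharsets.US_ASCII);
        byte[] b = stored.getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison: a plain String.equals leaks how many leading bytes matched.
        return MessageDigest.isEqual(a, b);
    }
}

/** Salted, iterated matcher. PBKDF2 stands in for bcrypt because it ships with the JDK. */
final class Pbkdf2PasswordMatcher implements PasswordMatcher {
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    /** Stored format (constructed for this example): iterations$base64(salt)$base64(hash). */
    static String hash(String password, int iterations) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                     // per-password random salt
        byte[] dk = derive(password, salt, iterations);
        Base64.Encoder enc = Base64.getEncoder();
        return iterations + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(dk);
    }

    private static byte[] derive(String password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 256);
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public boolean matches(String attempted, String stored) {
        // Salt and iteration count are read back out of the stored credential, which is
        // exactly why the realm cannot "hash then compare" on its own for this scheme.
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        int iterations;
        try {
            iterations = Integer.parseInt(parts[0]);
        } catch (NumberFormatException e) {
            return false;
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[1]);
        byte[] expected = dec.decode(parts[2]);
        return MessageDigest.isEqual(derive(attempted, salt, iterations), expected);
    }
}

/** Realm side of the sketch: fetch the stored credential, then delegate the comparison. */
public class PluggableRealmDemo {
    /** Stands in for DataSourceRealm/JNDIRealm fetching the credential for a user. */
    static boolean authenticate(PasswordMatcher matcher, String storedCredential, String attempted) {
        return matcher.matches(attempted, storedCredential);
    }

    public static void main(String[] args) {
        // Same realm logic, two interchangeable matchers: that is the pluggability the comment wants.
        String digestStored = DigestPasswordMatcher.hexDigest("SHA-256", "correct horse");
        String pbkdf2Stored = Pbkdf2PasswordMatcher.hash("correct horse", 100_000);
        System.out.println(authenticate(new DigestPasswordMatcher("SHA-256"), digestStored, "correct horse"));
        System.out.println(authenticate(new DigestPasswordMatcher("SHA-256"), digestStored, "wrong"));
        System.out.println(authenticate(new Pbkdf2PasswordMatcher(), pbkdf2Stored, "correct horse"));
        System.out.println(authenticate(new Pbkdf2PasswordMatcher(), pbkdf2Stored, "wrong"));
    }
}
```

The point of the split is that `authenticate` never sees a hash algorithm: swapping `DigestPasswordMatcher` for `Pbkdf2PasswordMatcher` (or a real bcrypt-backed matcher) changes nothing in the realm, which is the isolation from RealmBase the comment asks for. Both matchers compare with `MessageDigest.isEqual` rather than `String.equals`, so the comparison step itself does not become a timing side channel once it is made pluggable.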