https://issues.apache.org/bugzilla/show_bug.cgi?id=56403
--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---

I don't see a reason not to back-port it to Tomcat 7. Since it's a breaking API change, I'll be asking for RTC for a back-port. I suspect it will make it.

Note that Tomcat 6's implementation (identical in all important ways to that of Tomcat 7 and 8) is not /insecure/, just not terribly secure if being used without any additional controls.

As for providing salted passwords out of the box, I'd suggest that salting isn't enough and that iteration is also necessary, etc., and that at this point simply using PBKDF2 or some other password-munging scheme is more appropriate.

I do note that PBKDF2 (mis-typed as PBKDF11 in the description) does not store the number of iterations in the generated password, which means that you either need to adjust the data you actually store to include it, or you can never change the number of iterations.

I suspect we'll provide a PBKDF2 implementation out of the box, but nothing else, to avoid any library dependencies. Using the PBKDF2 implementation as an example would make writing a bcrypt- or scrypt-based implementation fairly easy.
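The point raised in the comment above, that a raw PBKDF2 output carries no record of its iteration count, is easiest to see with a stored-credential format that carries the parameters alongside the derived key. The following is an added illustration written for this page; it is not Tomcat code and does not use Tomcat's API. The `pbkdf2-sha256$iterations$salt$key` string layout, the 100,000-iteration default and every function name are assumptions of the example. It uses Python's standard `hashlib.pbkdf2_hmac`, and it also shows the failure mode the comment describes: two bare derived keys for the same password and salt no longer match once the iteration count changes, so a verifier that did not store the count could never raise it.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical stored format (an assumption of this example, not Tomcat's):
#   pbkdf2-sha256$<iterations>$<salt hex>$<derived key hex>
# Carrying the iteration count with the record is what lets it change later.
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 100_000   # illustrative default, tune for your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def bare_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """The raw PBKDF2-HMAC-SHA256 output: salt and iteration count are NOT
    recoverable from this value, so storing only this fixes them forever."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a key and encode it together with the parameters needed to
    recompute it. A caller-supplied salt is only for deterministic tests."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = bare_pbkdf2(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, derived key)."""
    parts = stored.split("$")
    if len(parts) != 4:
        raise ValueError("malformed stored credential")
    algorithm, iterations, salt_hex, dk_hex = parts
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the iteration count read from the record itself and
    compare in constant time."""
    iterations, salt, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than the current
    policy requires. Only possible because the count is stored."""
    iterations, _, _ = parse_stored(stored)
    return iterations < target_iterations


def verify_and_upgrade(stored: str, password: str,
                       target_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, str]:
    """Login-time check that transparently re-hashes a stale record. The
    plaintext is only available at login, so this is when an upgrade can run."""
    if not verify_password(stored, password):
        return False, stored
    if needs_rehash(stored, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", iterations=20_000)
    print(record)
    print(verify_password(record, "correct horse battery staple"))   # True
    ok, upgraded = verify_and_upgrade(record, "correct horse battery staple", 50_000)
    print(ok, parse_stored(upgraded)[0])                              # True 50000
```

Because each record names its own iteration count, old and new records coexist in the same store and `verify_and_upgrade` migrates them one login at a time; a store that kept only the bare `bare_pbkdf2` output would have to keep the original count for the life of every record.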