Unix passwords

2001-10-19 Thread Niklas Neumann

Hi,

we intend to use the Tomcat server to serve JSP and servlets for our 
intranet. Actually it fails because Tomcat isn't able to authenticate our 
users with their Linux md5crypted passwords. 
I think md5crypted passwords are a type of standard on Linux systems and 
would really appreciate the ability of Tomcat to handle these.

Digging around I found a mail to the Jakarta commons project where an author 
offered his implementation of the md5crypt algorithm:
http://www.mail-archive.com/jakarta-commons@jakarta.apache.org/msg01390.html
I think it would fit perfectly as an extension for the Tomcat Realms.

If you agree but no one is willing to adopt the task, I will. I suggest the 
possibility to add a 'crypt=TYPE' directive to the realm configuration. 
This leaves open the chance to implement other crypt routines (such as the 
unix-crypt requested earlier on this list).

Best regards 
  Niklas



Re: Unix passwords

2001-10-19 Thread Patrick Luby

Niklas,

See my questions inline:

> If you agree but no one is wiling to adopt the task, I will. I suggest the
> possibility to add an 'crypt=TYPE' directive to the realm configuration.

Currently, there already is a digest attribute for a Realm. The
default in server.xml is no digest. But currently you can specify
digest=MD5. I would assume that you want to use this existing
attribute with a new MD5crypt option to minimize the amount of
documentation changes. Documentation for the digest option is in the
following source file in the jakarta-tomcat-4.0 source code:

  webapps/tomcat-docs/realm-howto.xml

If you submit a patch to enable such a new digest option, be sure to
submit a patch for the documentation as well.

> This leaves open the chance to implement other crypt-routines (as the
> unix-crypt requested prior on this list).

Adding a digest=MD5 attribute to Realm makes sense if you put the
usernames and passwords into the formats that are supported by the
existing 3 Realms:

   Realm        Format
   -----------  -----------------------------------
   MemoryRealm  Stored in conf/tomcat-users.xml
   JNDIRealm    Stored in your LDAP server
   JDBCRealm    Stored in your relational database

If you use any of the above 3 existing Realms, you would need to import
all of your Linux usernames and passwords into the applicable data
storage format.

So, this brings up my next question: do you really want to access the
native Linux (or other Unix variants) password validation functions? If
so, I would implement a new Realm object to support this type of data
storage format. For purposes of this discussion, we could call it a
UnixRealm. You could still implement the MD5crypt as a digest option;
this new Realm would do the work of invoking the native C functions with
the username and the password encrypted with whatever is specified in
the digest attribute.

Of course, this new Realm would require the use of JNDI to access the
native functions so you would need to make sure that the build.xml files
don't build this Realm if there is no C compiler or other required build tools.


Just my 2 cents,

Patrick

-- 
_
Patrick Luby  Email: [EMAIL PROTECTED]
Sun Microsystems  Phone: 408-276-7471
901 San Antonio Road, USCA14-303
Palo Alto, CA 94303-4900
_



Re: Unix passwords

2001-10-19 Thread costinm

On Fri, 19 Oct 2001, Niklas Neumann wrote:

> Hi,
>
> we intend to use the Tomcat server to serve JSP and servlets for our
> intranet. Actually it fails because Tomcat isn't able to authenticate our
> users with their linux md5crypted-password.
> I think md5crypted-passwords are a type of standard on linux systems and
> would really appreciate the ability of Tomcat to handle these.
>
> Digging around I found a mail to the Jakarta commons project where an author
> offered his implementation of the md5crypt algorithm:
> http://www.mail-archive.com/jakarta-commons@jakarta.apache.org/msg01390.html
> I think it would fit perfectly as an extension for the Tomcat Realms.

Yes, we had it - it worked fine, but we decided to not include it in the
'main' release ( to keep things simpler ), and it would fit better as an
add-on module. Plus, IMHO it's better to use a standard API for login, and
we should turn the crypted realm ( and all other ) into jaas plugins
(well, for JDK1.2 compatibility we should keep the existing ones, but for
new ones).

For your problem this is a far better solution - JAAS ( AFAIK ) should be
able to interoperate with PAM, which is the  'real' Linux authentication
mechanism ( and not the password files, which are just an implementation
detail ! ).

There are already at least 2 implementations of JAAS for tomcat, you can
probably find a good one in JBoss ( I suspect Enhydra had one too, but not sure
where it could be found ).

As a side effect, this mechanism would be usable with Win and most other
unixes that use PAM. Again, I never tried using JAAS to access PAM, but
the design is very similar, and if it doesn't have a PAM plugin we should
write it :-)

Costin