Tomcat Realm -- password encryption & servlet location in a webApp

2004-08-05 Thread Ben Bookey
Dear list,

2 questions

1) I think I remember reading somewhere that there was a .bat batch file
which we could run on production machines, so that passwords are encrypted.
Can anyone enlighten?

2) What's the best configuration mechanism for my servlets? I think it's
better to add the servlets to my com.mycompany.myapp package (or?), BUT, is
it a security flaw when I set in my app the url-pattern beginning with
/servlet/* (see below example)? I again have read that the servlet
url-pattern should not begin with /servlet

<servlet-mapping>
  <servlet-name>servletName</servlet-name>
  <url-pattern>/servlet/servletName</url-pattern>
</servlet-mapping>

regards.

Ben


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat Realm -- password encryption & servlet location in a webApp

2004-08-05 Thread Andoni List
Encryption:

There is only one way to encrypt passwords if you are not using SSL.  That
is to use Paj's JavaScript module available here:
http://pajhome.org.uk/crypt/md5/
Although the Tomcat Realm does have an MD5 flag which you can set to encrypt
the passwords being sent to it, this is too late, as the passwords have
already been sent in the clear over the internet to your server.  The only
use for this is when you are accessing a server on which the passwords are
stored in MD5 encrypted format and you don't care about the network.
You may also be told that you can use a Digest login instead of a Form login
or Basic login, but again you have a problem: Digest logins are only
available in IE, so if you know all your users are definitely only using IE,
then go ahead; it will be doing the same job as the JavaScript, i.e.
encrypting before sending down the wire.
In order to encrypt the passwords in the first place you can use Java 1.4's
java.security.* package, or you can use Catalina's
org.apache.catalina.realm.RealmBase, which can be used at the command line
thus:

C:\> java org.apache.catalina.realm.RealmBase -a MD5 mypassword

or you can use the JavaScript.  If you have the passwords in an Oracle
database you can also use the Oracle function DBMS_OBFUSCATION_TOOLKIT.MD5()
by writing an Oracle function something like this:

CREATE OR REPLACE FUNCTION get_md5 (plaintext IN VARCHAR2)
RETURN VARCHAR2 IS
  test VARCHAR2(32);
BEGIN
  -- Named-parameter syntax is INPUT_STRING => plaintext.  MD5() hands back
  -- the 16 raw digest bytes, not text, so convert them to the lower-case
  -- 32-character hex string that Tomcat's realm compares against.
  test := LOWER(RAWTOHEX(UTL_RAW.CAST_TO_RAW(
            DBMS_OBFUSCATION_TOOLKIT.MD5(INPUT_STRING => plaintext))));
  RETURN test;
END get_md5;
/

Note: using a function like this you can create a view of the passwords
table in your database which would mean that though your passwords appear
hashed to Tomcat, they are actually still visible to you!

The servlet invoker /servlet/*:
If you are adding the servlets to your web.xml file then you do not need to
use the servlet invoker anywhere and hence do not need to call it using
/servlet/.
Whether or not you add the servlets to the same package is a programming
decision which has to do with what the servlets do and whether they do the
same thing as the other classes in that package.  This has no bearing on the
administrative decisions of how to keep the server secure.

Hope that all helps.

Andoni.
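The Digest login the reply contrasts with Form and Basic login, worked through as an added example (not code from the thread or from Tomcat): the client sends an MD5 response derived from the password and the server's nonce, the server checks it from its stored HA1 = MD5(user:realm:password), and the password itself never crosses the wire; Basic is shown beside it so the difference is visible. Assumed: RFC 2617 with qop=auth, using the worked values from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """Lower-case hex MD5, the same encoding `RealmBase -a MD5` prints."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What the server keeps for DIGEST auth: MD5(user:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str) -> str:
    """RFC 2617 'response' field (qop=auth), computed from HA1 only.

    The client derives HA1 from the password; the server reads it from its
    realm store.  Neither side puts the clear-text password on the wire, and
    the server nonce ties the response to one challenge.
    """
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def server_verify(stored_ha1: str, nonce: str, nc: str, cnonce: str,
                  method: str, uri: str, presented: str) -> bool:
    """Server side: recompute from the stored HA1 and compare."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, presented)


def basic_header(username: str, password: str) -> str:
    """Basic auth is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def password_from_basic(header: str) -> str:
    """What anyone on the path can read straight back out of a Basic header."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]


# Worked values from RFC 2617 section 3.5; a real server issues a fresh nonce
# per challenge and the client picks its own cnonce.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

if __name__ == "__main__":
    resp = digest_response(ha1(USER, REALM, PASSWORD), NONCE, NC, CNONCE, "GET", "/dir/index.html")
    print("Digest response on the wire:", resp)
    print("Server accepts:", server_verify(ha1(USER, REALM, PASSWORD), NONCE, NC, CNONCE, "GET", "/dir/index.html", resp))
    print("Basic on the wire:", basic_header(USER, PASSWORD), "->", password_from_basic(basic_header(USER, PASSWORD)))
```

Tomcat's digested realm stores exactly this HA1 (digest over username:realm:password) when the login method is DIGEST, whereas for Form and Basic it stores a digest of the password alone, so the two stored forms are not interchangeable.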
