Re: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

2002-08-28 Thread ahmet dalli

Thanks to those who were kind enough to share their
suggestions/comments.

The problem was a subtle but important one: in
server.xml, roleNameCol="role_name",
but in the database there is no column called role_name;
the column's name is accidentally user_role!

Baris...



--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
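
Added example (not part of the original posts): a pre-deployment check in Python that compares the table and column names in a JDBCRealm element against the actual schema, which flags the roleNameCol mismatch described above. The in-memory SQLite database stands in for the Oracle schema, and check_realm, table_columns and sample_db are hypothetical names.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Realm element and schema as described in the thread (constructed sample).
REALM_XML = '''<Realm className="org.apache.catalina.realm.JDBCRealm"
  userTable="users" userNameCol="user_name" userCredCol="user_pass"
  userRoleTable="user_roles" roleNameCol="role_name" digest="MD5" />'''
SCHEMA = """
CREATE TABLE users (user_name TEXT, user_pass TEXT);
CREATE TABLE user_roles (user_name TEXT, user_role TEXT);
"""
# (table attribute, column attribute) pairs the realm's queries rely on;
# userNameCol is looked up in both tables.
REQUIRED = [("userTable", "userNameCol"), ("userTable", "userCredCol"),
            ("userRoleTable", "userNameCol"), ("userRoleTable", "roleNameCol")]

def sample_db():
    """In-memory SQLite stand-in for the Oracle schema (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def table_columns(conn, table):
    """Lower-cased column names of a table; empty set if it does not exist."""
    # PRAGMA takes no bound parameters, so quote the identifier ourselves.
    quoted = '"%s"' % table.replace('"', '""')
    return {row[1].lower() for row in conn.execute("PRAGMA table_info(%s)" % quoted)}

def check_realm(realm_xml, conn):
    """Return one message per Realm attribute that names a missing column."""
    realm = ET.fromstring(realm_xml)
    problems = []
    for table_attr, col_attr in REQUIRED:
        table, col = realm.get(table_attr), realm.get(col_attr)
        if not table or not col:
            problems.append("%s or %s is not set" % (table_attr, col_attr))
            continue
        cols = table_columns(conn, table)
        if col.lower() not in cols:
            have = ", ".join(sorted(cols)) or "table not found"
            problems.append('%s="%s" not in table %s (has: %s)'
                            % (col_attr, col, table, have))
    return problems

if __name__ == "__main__":
    for problem in check_realm(REALM_XML, sample_db()):
        print(problem)
```

Against a real deployment, the column names would come from the database's own catalog instead of the SQLite PRAGMA.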




Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

2002-08-27 Thread ahmet dalli

Hi all,

I am trying to use JDBCRealm to store user login
information in an oracle database. I am working on a
Windows2000 machine, using jdk1.4, and Tomcat4.0.4.

In server.xml, I have this configuration:
^^
<Realm
  className="org.apache.catalina.realm.JDBCRealm"
  debug="99"
  driverName="oracle.jdbc.driver.OracleDriver"
  connectionURL="jdbc:oracle:thin:usr/pass@host:1521:ORCL"
  userTable="users" userNameCol="user_name"
  userCredCol="user_pass" userRoleTable="user_roles"
  roleNameCol="role_name" digest="MD5" />
^^

In an Oracle8i database, I have a table called users
which has two columns named user_name and
user_pass; and yet another one called
user_roles with two columns named user_name and
user_role.

When I store user passwords in cleartext, everything
works fine.

I want to store passwords in a digested form. So, I
have used the following code to store a user_name :
baris, user_pass : aksu and user_role : director.

^^^
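import org.apache.catalina.realm.RealmBase;
import java.io.*;
import java.sql.*;

public class DigestDene {
  public static void main(String[] args) {
    try {
      String username = args[0];
      String password = args[1];
      String role = args[2];
      // Hex-encoded MD5 of the password, the form stored when the Realm has digest="MD5"
      String digested = RealmBase.Digest(password, "MD5");
      // Here, code that connects to the database
      /* .. */
      // Bind values as parameters rather than concatenating them into the SQL
      Connection conn = stmt.getConnection();
      PreparedStatement insUser =
          conn.prepareStatement("insert into users values(?, ?)");
      insUser.setString(1, username);
      insUser.setString(2, digested);
      insUser.executeUpdate();
      PreparedStatement insRole =
          conn.prepareStatement("insert into user_roles values(?, ?)");
      insRole.setString(1, username);
      insRole.setString(2, role);
      insRole.executeUpdate();
    }
    catch (Exception ex) {
      // Report failures instead of silently swallowing them
      ex.printStackTrace();
    }
  }
}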

Then, I have inserted my user's info from the
command-line with :
^^
java DigestDene baris aksu director
^^^
After this, I have these values in the database :
(in table users)
USER_NAME   USER_PASS
---------   --------------------------------
baris       394e654ca65973f232653fb0008c603d

(in table user_roles)
USER_NAME   USER_ROLE
---------   ---------
baris       director

Lastly, in web.xml I have these lines :
^^^
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Basla Servlet</web-resource-name>
    <url-pattern>/servlet/IlkGirisServlet</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>director</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
^
When I try to access my protected resource, I am
presented with the classic login screen for BASIC
authentication, and after I type baris for username
and aksu for password, Tomcat simply doesn't let me
in.

Any suggestions or comments will be greatly
appreciated. 

Baris.





Re: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

2002-08-27 Thread Rick Fincher

Hi Baris,

I tried:
java -classpath CATALINA_HOME/server/lib/catalina.jar
org.apache.catalina.realm.RealmBase -a MD5 aksu

And got:
aksu:394e654ca65973f232653fb0008c603d

So that seems to be working correctly.  You may want to try changing
<auth-method>BASIC</auth-method> to
<auth-method>DIGEST</auth-method>.  Since the browser is getting the
password you want it to be digested before it goes out on the net for
security unless you are using SSL.  Then it gets encrypted anyway and
digesting just protects your passwords from observation on the server side.
This might require you to turn off digest in the realm.

You can also increase the debug level in the realm and see what the log
files say.

Hope this helps,

Rick







RE: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

2002-08-27 Thread Andrew Conrad

I have no problems using SHA-1.  I also use FORM based authentication.
You might try those, just to see if anything's different.
