Re: Visible passwords in realm
2013/11/20 williamissey...@tsys.com: Hi all, Is there any way to not have the password visible in the realm for example for active directory realm? Realm className=org.apache.catalina.realm.JNDIRealm debug=99 connectionURL=ldap://xxx:389; authentication=simple referrals=follow connectionName=cn= CN=xx ,ou=,ou=sasa ,ou=s,ou=xxx,dc=xxx, dc=,dc=net connectionPassword=password userSearch=(sAMAccountName={0}) userBase=DC=xxx,DC=xxx, DC=x userSubtree=true roleSearch=(member={0}) roleName=cn roleSubtree=true roleBase=dc=xx,dc=xxx,dc=xxx/ https://wiki.apache.org/tomcat/FAQ/Password - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Visible passwords in realm
2013/11/20 williamissey...@tsys.com: Is there any way to not have the password visible in the realm for example for active directory realm? . . . On 11/20/13 12:36 AM, Konstantin Kolinko wrote: https://wiki.apache.org/tomcat/FAQ/Password Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400 does (i.e., as a one-way hash), it would solve a multitude of problems. Of course, the far greater problem is that if somebody can get at your password file for nefarious purposes, then they can also most likely get at your SSL keystore for nefarious purposes, and a one-way hash wouldn't work for that. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Visible passwords in realm
On 20/11/2013 16:23, James H. H. Lampert wrote: 2013/11/20 williamissey...@tsys.com: Is there any way to not have the password visible in the realm for example for active directory realm? . . . On 11/20/13 12:36 AM, Konstantin Kolinko wrote: https://wiki.apache.org/tomcat/FAQ/Password Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400 does (i.e., as a one-way hash), it would solve a multitude of problems. I suggest you read the original post again more carefully. These are not user passwords that Tomcat needs to validate (Tomcat has supported hashes for that for as long as I remember). This is a password Tomcat needs to use to connect to an external service. As the FAQ makes clear, storing these passwords in plain text is no less secure than any of the various encryption solutions that folks periodically propose. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Visible passwords in realm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James On 11/20/13, 11:23 AM, James H. H. Lampert wrote: 2013/11/20 williamissey...@tsys.com: Is there any way to not have the password visible in the realm for example for active directory realm? . . . On 11/20/13 12:36 AM, Konstantin Kolinko wrote: https://wiki.apache.org/tomcat/FAQ/Password Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400 does (i.e., as a one-way hash), it would solve a multitude of problems. - -1 You evidently don't understand the nature of the problem. First of all, Tomcat does not store the password(s) at all. Second, if Tomcat were to store the passwords as a one-way hash, it wouldn't help at all: you would still supply the password in plain-text, and Tomcat would hash it to compare. Why does Tomcat have to hash the password? Because a) only Tomcat (or the database, directory, etc.) knows the hashing algorithm used, the hash salt and iteration count (you *would* use salted, iterated hashes, right?), etc. If the client could hash the password, then Tomcat would be comparing hashes to hashes, which is just called a new password. Of course, the far greater problem is that if somebody can get at your password file for nefarious purposes, then they can also most likely get at your SSL keystore for nefarious purposes, and a one-way hash wouldn't work for that. One-way hashes work for protecting data in the event of a data theft. They don't at all protect against unauthorized access. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSjPWiAAoJEBzwKT+lPKRYg4MQAMOlFmlLtoTO6+mbB3d3VlDY QmXo9rNoYVtWEHBGGsVvTbdNImPXnrK9v2DKEMruj7aykJAafcPzl2a0cT1IS9TQ fvkkGbu90JJPb8W7WJkJbzJ7sT/EQcco+xVIeCdU0uFHqCeXl3MuuVdn9crnroD5 G2voWUm9YKwFVuefjT92BI+UoozBVs5KQk3zFT3mfGlXBMq20kd+/jfRCjuy0k8B LtIQTp/UFY6exVrZupVfbhWqOvd3eCJvWcXLpWotigVNiz4lFA3/+PcXhEa6W3bg j9l1Qw5ijCMFIRB+CG5qY5YSg8daWCr4PCjUmyR96p0rmOqmKwZ4xiXjlziW2UU5 OtjI7RllzTBc0J28JMWDB57Xb/1QjhEGLBeIhbc04W8+jyKLBMV8s8dSmcPgMqzo erlp7nI+3aGlXy2bvQIWcDZSDH7tnTHVZrBcZxdqCfklUVXhmPmSrisEVKG+YJw1 ER6g83iG0OBYmz/C+0gx6K9SvcMMojiWYT7Hxh1QDnuCo742ErzXYqoBY8vKVoLL WBpgbFnm2daGe7wL+2CTWxUrkDodB79GW+XYceVxB4JnmwBd2swH1njb6j8ruVJZ eE538NmyjRr7iCkm32ukTudjRCQSdKpnBjS1brzb0GYmUTYn4ckXmR8PItVqiIvZ 1YLZZf90JK4bdKQIABlr =0SU5 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Visible passwords in realm
Out of curiosity, what problems do you see hashed passwords resolving in this case? - Milo Hyson Chief Scientist CyberLife Labs, Inc. On Nov 20, 2013, at 8:23 AM, James H. H. Lampert jam...@touchtonecorp.com wrote: Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400 does (i.e., as a one-way hash), it would solve a multitude of problems.
RE: Visible passwords in realm
On 2013-11-20 williamissey...@tsys.com wrote: Is there any way to not have the password visible in the realm for example for active directory realm? You can extend the default JNDIRealm: import org.apache.catalina.realm.JNDIRealm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; public class ADRealm extends JNDIRealm { private static final Logger LOGGER = LoggerFactory.getLogger(ADRealm.class.getName()); private static final String KEY_AD = my.ldap; public ADRealm() { LOGGER.info(My Active Directory Realm initialized...); Credentials credentials = new CredentialsReader().getCredentials(KEY_AD); connectionName = credentials.getUser(); connectionPassword = credentials.getPassword(); } } Credentials reader is another custom class for reading credentials from your central storage. You have to define a combined realm: Realm className=org.apache.catalina.realm.CombinedRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ Realm className=my.realm.ADRealm debug=99 connectionURL=... authentication=simple referrals=follow userBase=... userSearch=(mailNickname={0}) userSubtree=true commonRole=Administrator / /Realm And place all libraries to tomcat/lib folder: - realm-1.0.jar (this class) - credentials-util-1.0.jar - slf4j-api-1.6.6.jar - slf4j-jdk14-1.6.6.jar I've implemented it not because of safety, but for my convenience as the password is expiring from time to time and thanks to this it is enough to change it once in the central storage. From there it is used in all my tools (I use it in a local network only). Jan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Visible passwords in realm
On 11/20/13 10:22 AM, Milo Hyson wrote: Out of curiosity, what problems do you see hashed passwords resolving in this case? As others have already pointed out, I was shooting off my mouth without understanding the question. Emily LitellaOh. That's very different. Nevermind./Emily Litella -- JHHL (Now going back to a heated discussion of such subjects as flea erections, violins on television, eagle rights, and endangered feces.) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org