https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #22 from Gabriel ---
Note Bug 56403 for Tomcat 8 deals with a pluggable interface that would make it
easier to resolve this.
--
You are receiving this mail because:
You are the assignee for the bug.
--
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #21 from S ---
In order to illustrate how I understood the possibilities and their use in Tomcat,
I made a list of authentication mechanisms:
0) Compare the sent PW to the stored PW
1) Hashing the sent PW on the server, compare it
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #20 from Gabriel ---
(In reply to Gabriel from comment #19)
>
> Hashing on the client side has its merits as long as you also hash on the
> server side and you don't use the same salt on the client as you do on the
> server. I
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #19 from Gabriel ---
(In reply to S from comment #17)
> (In reply to Christopher Schultz from comment #16)
> > This is awful security. When the client is involved in authentication,
> > that's called not being authenticated.
> I
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #18 from Gabriel ---
The only advantage I see of hashing on the client side is not storing a String
with the cleartext password in memory. Strings are immutable objects, so they
cannot be cleared once password processing is com
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #17 from S ---
(In reply to Christopher Schultz from comment #16)
> This is awful security. When the client is involved in authentication,
> that's called not being authenticated.
I don't understand. It's the same Tomcat does ou
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #16 from Christopher Schultz ---
(In reply to S from comment #15)
> Hi,
>
> what I'm doing is to hash the user-entered password 999x on the client with
> a salt (visible in the JS code) on the OK-Click in my login form. Then I
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #15 from S ---
Hi,
what I'm doing is to hash the user-entered password 999x on the client with a
salt (visible in the JS code) on the OK-Click in my login form. Then I send it
to Tomcat and have it compared to the stored hash (
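The two designs debated in comments #15 through #20, as an added Python illustration that is neither Tomcat's code nor the poster's JavaScript: a client that hashes the password 999 times with a salt that is the same for everyone and visible on the login page, a server that stores and compares that client value directly (comment #15), and the variant in which the server re-hashes the client value with its own per-user random salt before storing it (comment #20). The client salt, the user and password, the class names and SHA-256 as the digest are all this example's assumptions; the attacks modelled are a leaked realm database and a login captured in transit.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the values the login page's JavaScript would carry.
# The client salt is one constant for every user and visible to anyone who
# loads the page; SHA-256 is this example's choice of digest.
CLIENT_SALT = b"static-salt-in-login-js"
CLIENT_ROUNDS = 999


def client_prehash(password: str) -> bytes:
    """What the browser computes in the scheme of comment #15 before sending."""
    h = CLIENT_SALT + password.encode()
    for _ in range(CLIENT_ROUNDS):
        h = hashlib.sha256(h).digest()
    return h


class ClientHashOnlyRealm:
    """Scheme of comment #15: the server stores the client hash and compares
    the submitted value against it. Whatever is stored is exactly what a
    client must send, so the stored value is the credential."""

    def __init__(self):
        self.db = {}  # user -> client hash

    def enroll(self, user: str, password: str) -> None:
        self.db[user] = client_prehash(password)

    def login(self, user: str, submitted: bytes) -> bool:
        return hmac.compare_digest(self.db[user], submitted)


class DoubleHashRealm:
    """Variant of comment #20: the server re-hashes the client value with a
    per-user random salt of its own (different from the client salt)."""

    ROUNDS = 10_000

    def __init__(self):
        self.db = {}  # user -> (server salt, server hash)

    def _server_hash(self, client_value: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", client_value, salt, self.ROUNDS)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._server_hash(client_prehash(password), salt))

    def login(self, user: str, submitted: bytes) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, self._server_hash(submitted, salt))


def attack_with_db_dump(realm, user: str) -> bool:
    """Attacker holds the realm's stored row but never learned the password,
    and submits the stored hash as if it were the browser's client hash."""
    row = realm.db[user]
    stolen = row if isinstance(row, bytes) else row[1]
    return realm.login(user, stolen)


def attack_with_captured_login(realm, user: str, captured: bytes) -> bool:
    """Attacker observed one login request (no TLS) and replays its hash."""
    return realm.login(user, captured)


def evaluate(realm_cls, password: str = "correct horse battery") -> dict:
    """Enroll one constructed user and report how the realm fares."""
    realm = realm_cls()
    realm.enroll("s", password)
    wire = client_prehash(password)
    return {
        "login": realm.login("s", wire),
        "wrong_password": realm.login("s", client_prehash(password + "x")),
        "db_dump_replay": attack_with_db_dump(realm, "s"),
        "captured_replay": attack_with_captured_login(realm, "s", wire),
    }


if __name__ == "__main__":
    for cls in (ClientHashOnlyRealm, DoubleHashRealm):
        print(cls.__name__, evaluate(cls))
```

Against the first realm both attacks succeed: the database row is the credential, and nobody needs the password to log in. Against the second, a dumped row no longer logs anyone in, but a client hash captured in transit still does, since the server cannot distinguish it from a fresh one; the client pre-hash replaces the password on the wire rather than adding a secret, so transport protection is still required.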
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Gabriel changed:
What|Removed |Added
CC||gabrielesanc...@gmail.com
--- Comment #1
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #13 from Christopher Schultz ---
Please see http://markmail.org/thread/cipopgduels3d7yh
No responses thus far. Feel free to reply and voice your support!
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #12 from Oliver Kohll ---
David, I see your other report
https://issues.apache.org/bugzilla/show_bug.cgi?id=53785
is currently marked RESOLVED WONTFIX. I'm not a security expert but I don't
think there's much argument that sal
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #11 from da...@leppik.net ---
Unfortunately, just adding salt to hashes doesn't provide much more security
these days. Modern password hashing algorithms, such as bcrypt, include the
salt as part of the hash. What's more, the c
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
S changed:
What|Removed |Added
CC||bl...@gmx.net
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Oliver Kohll changed:
What|Removed |Added
CC||oli...@gtwm.co.uk
--- Comment #10 f
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #9 from Christopher Schultz 2012-03-22 20:22:45 UTC ---
I recently added the capability to use salted and iterated hashes to my own
DataSourceRealm -- but it's been diverging from TC's realms for quite a while.
Mine does not u
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Neale Rudd changed:
What|Removed |Added
CC||ne...@metawerx.net
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #8 from Neale Rudd 2012-03-20 07:07:08 UTC ---
Could also change Realmbase.main to use SecureRandom.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #7 from Neale Rudd 2012-03-20 06:50:14 UTC ---
Hey Guys,
Great work on the patch so far Adam.
I'd love to see this implemented as well. The current hashing provides no
security at all unless symbols are used in the passwords,
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Mark Thomas changed:
What|Removed |Added
CC||brand...@alum.mit.edu
--- Comment #6
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #5 from Christopher Schultz 2011-10-11 20:30:51 UTC ---
(In reply to comment #3)
> Thank you for the great feedback. The salt isn't part of the users password.
> If
> you look at the digest method that's used to generate the e
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Adam Caldwell changed:
What|Removed |Added
Attachment #27699|0 |1
is obsolete|
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #3 from Adam Caldwell 2011-10-05 22:16:39 UTC ---
Thank you for the great feedback. The salt isn't part of the user's password. If
you look at the digest method that's used to generate the encoded password, it
is 4 random bytes.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #2 from Christopher Schultz 2011-10-05 21:58:49 UTC ---
I like this idea (and have been considering it for a while), but I don't like
the implementation due to the following reasons:
1. Uses part of the password as the salt, w
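The storage scheme the thread is asking for, as an added Python illustration that is not Tomcat's code and not the patch under review: it puts the single unsalted digest (mechanism 1 in the list in comment #21), a salt derived from the password itself (the construction comment #2 objects to, reconstructed here from that one-line description rather than from the attachment) and a random per-user salt with an iterated hash (the direction of comments #8, #9 and #11) side by side against a leaked credential table. The user names and passwords are constructed, the salt$rounds$hash encoding and all function names are this example's own, and PBKDF2-HMAC-SHA-256 stands in for whatever iterated hash a realm would configure.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "Summer2012", "bob": "Summer2012"}
ROUNDS = 10_000  # PBKDF2 iteration count; production values are tuned upward


def store_unsalted(password: str) -> str:
    """Mechanism 1 in the list of comment #21: one digest of the password,
    no salt. Equal passwords give equal stored values, and the value can be
    looked up in a precomputed table."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password_derived_salt(password: str) -> str:
    """Stand-in for the construction objected to in comment #2: the 'salt'
    is a piece of the password, so it repeats whenever the password repeats
    and adds nothing over the unsalted digest. (Assumed shape, not the patch.)"""
    salt = password[:2].encode()
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_salted(password: str, rounds: int = ROUNDS) -> str:
    """Per-user random salt from the OS CSPRNG (the SecureRandom analogue of
    comment #8) plus an iterated HMAC (PBKDF2-HMAC-SHA-256). Salt and round
    count are kept beside the digest, as bcrypt strings do (comment #11), so
    the verifier needs nothing else. The salt$rounds$hash layout is this
    example's own."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute from the stored salt and round count, then compare."""
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_visible(store) -> bool:
    """True if the stored table alone reveals that alice and bob share a password."""
    return store(USERS["alice"]) == store(USERS["bob"])


def crack_with_table(store, stored_value: str, wordlist):
    """Offline attack on a leaked table. Without a per-user random salt one
    digest per candidate word cracks every user who chose that word; with a
    random salt the precomputed table is useless. Returns the recovered
    password or None."""
    precomputed = {store(w): w for w in wordlist}
    return precomputed.get(stored_value)


if __name__ == "__main__":
    words = ["password", "Summer2012"]
    for store in (store_unsalted, store_password_derived_salt, store_salted):
        leaked = store(USERS["alice"])
        print(store.__name__,
              "collision visible:", same_password_visible(store),
              "table lookup:", crack_with_table(store, leaked, words))
    record = store_salted(USERS["bob"])
    print("salted verify:", verify_salted("Summer2012", record),
          "wrong password:", verify_salted("summer2012", record))
```

The first two stores leak the shared password to anyone holding the table and fall to a single precomputed lookup; the random-salt store does neither, and its record carries everything the verifier needs, which is what makes such a format drop-in for a realm that today stores a bare digest.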
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Christopher Schultz changed:
What|Removed |Added
Attachment #27699|0 |1
is patch|
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
Adam Caldwell changed:
What|Removed |Added
Summary|Tomcat does not support |Tomcat does not support
26 matches