It's not really encryption, just a one-way hash function. So you can't
recover the password from the text in the password file. To check validity
you hash the provided password and compare with the stored hash. In theory
you could have a collision, but it's the same order of complexity, or
harder, to construct a string that hashes to a given target, as it is to try
all passwords of a given length.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 5:47 PM
To: Mathias Herberts
Cc: [EMAIL PROTECTED]
Subject: Re: [PATCH] encryption support in SimpleRealm.java


Hi Mathias,

Your patch is interesting and is resolving a clear problem.

On the other side, I would propose you create another module ( let's say
CryptedRealm ? ). SimpleRealm should remain "simple".

What's missing is the ability to store the passwords ( how do you plan to
encrypt ? a passwd tool ? ). Maybe we can add an admin page to manage
users and passwords, and then we'll have all the elements for using
crypted passwords.

I would also propose to include this new module in 3.3. 

Costin




On Fri, 9 Feb 2001, Mathias Herberts wrote:

> Hi,
> 
> I've been playing around with Tomcat 3.2.1 as we have several production
> servers using it and was concerned by the way the passwords were stored
> in tomcat-users.xml.
> 
> The included patch modifies SimpleRealm.java
> (org.apache.tomcat.request.SimpleRealm) so it can correctly manage a
> tomcat-users.xml file whose passwords are encrypted.
> 
> The method used to handle encryption is java.security.MessageDigest,
> therefore all algorithms known by this class (without the use of an
> external Provider) can be used, mainly MD5 and SHA.
> 
> All passwords in tomcat-users.xml must be encrypted using the same
> algorithm (or no algorithm if so chosen). The algorithm of choice is
> specified in the declaration of the SimpleRealm RequestInterceptor as
> follows:
> 
>       <RequestInterceptor 
>        className="org.apache.tomcat.request.SimpleRealm" 
>        debug="1" crypt="MD5" />
> 
> The SimpleRealm request interceptor then expects all tomcat-users.xml
> passwords to be encrypted using the specified algorithm; the comparison
> is case-insensitive (for the encrypted part).
> 
> If you choose not to use encryption, simply omit the crypt attribute in
> the RequestInterceptor element.
> 
> As I am not a subscriber of the tomcat-dev mailing list please CC me
> when replying to my message.
> 
> Any comment welcome about this patch.
> 
> Best regards,
> 
> Mathias Herberts.

-- 
Costin


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
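The check described in the thread (hash the supplied password with the algorithm named by the `crypt` attribute, compare the hex digest ignoring case, fall back to cleartext comparison when `crypt` is omitted), as an added example that is not part of the patch or of Tomcat's code. The user table is constructed inline in place of tomcat-users.xml, the class and method names are hypothetical, and the `dictionaryAttack` helper is included only to show the practical limit of the "one-way" argument: the digest cannot be inverted, but an unsalted MD5 or SHA-1 of a weak password is recovered by hashing a word list until a candidate matches.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Digest-based credential check in the style of the patched SimpleRealm.
 * Added example, not Tomcat's code: the user table is constructed inline
 * where the real realm reads tomcat-users.xml, and the attribute name
 * "crypt" is taken from the message above.
 */
public class DigestRealmExample {

    /** Lower-case hex, the form `echo -n secret | md5sum` or `openssl dgst` prints. */
    static String toHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Hash a password with any algorithm the default providers know ("MD5", "SHA" = SHA-1, ...). */
    static String digest(String algorithm, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toHex(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * With crypt set, the stored value is a hex digest and hex case is ignored;
     * with crypt == null (attribute omitted) the stored value is the cleartext
     * password. The digest is recomputed from the supplied password and
     * compared; nothing is ever "decrypted".
     */
    static boolean authenticate(Map<String, String> users, String crypt,
                                String user, String password) throws NoSuchAlgorithmException {
        String stored = users.get(user);
        if (stored == null) {
            return false;
        }
        byte[] expected;
        byte[] actual;
        if (crypt == null) {
            expected = stored.getBytes(StandardCharsets.UTF_8);
            actual = password.getBytes(StandardCharsets.UTF_8);
        } else {
            expected = stored.toLowerCase().getBytes(StandardCharsets.US_ASCII);
            actual = digest(crypt, password).getBytes(StandardCharsets.US_ASCII);
        }
        // Constant-time comparison: a plain equals() would stop at the first
        // differing byte and leak how much of the digest an attacker got right.
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * The other side of "one-way": the digest is not invertible, but an unsalted
     * fast hash of a weak password is found by hashing candidates until one matches.
     */
    static String dictionaryAttack(String crypt, String storedDigest, List<String> candidates)
            throws NoSuchAlgorithmException {
        for (String candidate : candidates) {
            if (digest(crypt, candidate).equalsIgnoreCase(storedDigest)) {
                return candidate;
            }
        }
        return null;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed stand-in for a tomcat-users.xml used with crypt="MD5".
        Map<String, String> users = new LinkedHashMap<>();
        users.put("tomcat", "5f4dcc3b5aa765d61d8327deb882cf99");           // MD5("password")
        users.put("admin", digest("MD5", "s3cret-Realm!").toUpperCase()); // upper-case hex on purpose

        check(authenticate(users, "MD5", "tomcat", "password"));
        check(!authenticate(users, "MD5", "tomcat", "Password"));          // password itself is case-sensitive
        check(authenticate(users, "MD5", "admin", "s3cret-Realm!"));       // case of the hex digest is ignored
        check(!authenticate(users, "MD5", "nobody", "password"));

        // Same realm without the crypt attribute: stored values are compared as cleartext.
        Map<String, String> clear = new LinkedHashMap<>();
        clear.put("tomcat", "password");
        check(authenticate(clear, null, "tomcat", "password"));
        check(!authenticate(clear, null, "tomcat", "5f4dcc3b5aa765d61d8327deb882cf99"));

        // Constructed word list: the "tomcat" entry falls to a four-word dictionary.
        List<String> wordlist = Arrays.asList("123456", "letmein", "password", "tomcat");
        String found = dictionaryAttack("MD5", users.get("tomcat"), wordlist);
        check("password".equals(found));
        System.out.println("recovered password for user tomcat: " + found);
    }

    private static void check(boolean ok) {
        if (!ok) {
            throw new AssertionError("unexpected result");
        }
    }
}
```

Compile and run with `javac DigestRealmExample.java && java DigestRealmExample`; it throws if any of the checks above fails. The brute-force argument in the first message holds for a random password of a given length, but the stored digests in this scheme are unsalted, so one word list run covers every user at once and any password that appears in a list is found in seconds; per-user salt and a deliberately slow password hash are what close that gap.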
