All,

I am not on the dev. mailing list but wanted some feedback first on one point I came across in Tomcat 4.0.1.

I have implemented a Security Provider and a UnixCryptDigest in order to treat passwords on Solaris 8 (we are using OpenLDAP and the PAM framework of the OS). After long research we could not find a way to change the password generation (MD5 vs Crypt on Solaris 8). So we are still using Crypt.

As I was designing and implementing a clean solution to add such a digest, I am facing a problem in the RealmBase where the salt is not taken care of. This salt is not tied to Crypt but can be used for any algorithm.

I am proposing the following:

1) Add a getSaltSize and setSaltSize in the RealmBase class.
2) Change the JNDIRealm (and later on the DB Realm, ...) to add a few lines of code:
   - If there is a digest then
     - If the saltSize (n) is > 0 then extract the n first bytes from the encoded password, prepend it to the digest (before appending the clear password)
3) Add my Crypt Digest to the source tree of Tomcat 4 or just leave this one out. If it needs to be added, a sub-package security will make sense.

Besides this, I was wondering if someone was leading the JAAS effort in Tomcat 4. I have done a lot of work around it (mainly recoded the full framework compliant with the 1.4 implementation) with a nice XML based JAAS Configuration class.

Could you send me some feedback on the salt issue? If it needs to be added, ... the process to follow in order to add it if needed, ....

Cheers
Olivier
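
The salt handling proposed in the message above, sketched as an added example that is not part of the original post and is not Tomcat's RealmBase or JNDIRealm code. Assumptions: the class name `SaltedDigestCheck` is hypothetical, the stored credential is laid out as the salt characters followed by the hex digest of salt plus password, and SHA-256 stands in for crypt, which the JDK does not provide.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical stand-alone class illustrating the proposal; not Tomcat code.
public class SaltedDigestCheck {
    private final String algorithm;
    private final int saltSize; // the value the proposed getSaltSize()/setSaltSize() would carry

    public SaltedDigestCheck(String algorithm, int saltSize) {
        this.algorithm = algorithm;
        this.saltSize = saltSize;
    }

    // Assumed layout: salt (ASCII, saltSize characters) + hex(digest(salt + password)).
    public String encode(String salt, String clearPassword) throws NoSuchAlgorithmException {
        if (salt.length() != saltSize) {
            throw new IllegalArgumentException("salt must be " + saltSize + " characters");
        }
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt.getBytes(StandardCharsets.UTF_8));          // salt is fed to the digest first
        md.update(clearPassword.getBytes(StandardCharsets.UTF_8)); // then the clear password
        StringBuilder sb = new StringBuilder(salt);
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Recover the salt from the stored value, recompute, and compare in constant time.
    public boolean matches(String stored, String presented) throws NoSuchAlgorithmException {
        if (stored == null || presented == null || stored.length() <= saltSize) {
            return false; // too short to hold a salt plus a digest
        }
        String salt = stored.substring(0, saltSize); // empty when saltSize is 0
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] actual = encode(salt, presented).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        SaltedDigestCheck check = new SaltedDigestCheck("SHA-256", 2);
        String stored = check.encode("ab", "s3cret"); // constructed sample credential
        System.out.println("correct password accepted: " + check.matches(stored, "s3cret"));
        System.out.println("wrong password accepted:   " + check.matches(stored, "wrong"));
        System.out.println("same password, other salt, same value: "
                + stored.equals(check.encode("cd", "s3cret")));
    }
}
```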