http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6402

JNDIRealm, LDAP and SHA passwords vs {SHA}Base64Coded= passwords

           Summary: JNDIRealm, LDAP and SHA passwords vs {SHA}Base64Coded= passwords
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]
                CC: [EMAIL PROTECTED]

This is for the case of digest="SHA" set in the JNDIRealm configuration during connections to a Netscape LDAP Directory that stores passwords in encrypted form.

Problem:

Tomcat (JNDIRealm.java) uses the following code to check the password retrieved from the LDAP server:

    validated = (digest(credentials).equalsIgnoreCase(valueString));

The Netscape LDAP server stores passwords and returns them to Tomcat in a {SHA}Base64Encoded= form - take a look at URL
http://developer.netscape.com/tech/overview/index.html?content=/docs/technote/ldap/pass_sha.html

Solution:

I propose to modify the code of JNDIRealm so it will use something like this:

    boolean validated = false;
    if (hasMessageDigest()) {
        // Netscape-style value: "{SHA}" followed by the Base64 of the raw digest.
        // Decode it and convert to hex so it can be compared with digest(credentials).
        if (valueString.startsWith("{SHA}") && Base64.isBase64(valueString.substring(5))) {
            String testValue = HexUtils.convert(Base64.decode(valueString.substring(5).getBytes()));
            validated = (digest(credentials).equalsIgnoreCase(testValue));
        } else {
            // Plain hex digest, compared case-insensitively as before
            validated = (digest(credentials).equalsIgnoreCase(valueString));
        }
    } else
        validated = (digest(credentials).equals(valueString));

instead of the old code (JNDIRealm.java version 1.5, starting from line 754):

    boolean validated = false;
    if (hasMessageDigest()) {
        // Hex hashes should be compared case-insensitive
        validated = (digest(credentials).equalsIgnoreCase(valueString));
    } else
        validated = (digest(credentials).equals(valueString));

wbr, iit.
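The mismatch the report describes, as an added Python example that is not Tomcat's JNDIRealm code: the realm computes a hex SHA-1 digest of the submitted credential, while the directory hands back "{SHA}" plus the Base64 of the raw digest, so a plain case-insensitive string compare can never match. The helper names and the sample password are constructed for illustration; the check decodes both forms to raw bytes and compares them with a constant-time comparison, which goes beyond the string equality in the proposed patch.

```python
# Added example (not Tomcat's code): verifying a credential against an LDAP
# userPassword stored in the Netscape-style "{SHA}<base64 of raw SHA-1>" form,
# and against the bare hex digest that the original JNDIRealm compare expects.
import base64
import binascii
import hashlib
import hmac


def sha1_hex(credentials: str) -> str:
    """Equivalent of JNDIRealm's digest(credentials) with digest="SHA": hex text."""
    return hashlib.sha1(credentials.encode("utf-8")).hexdigest()


def ldap_sha_value(credentials: str) -> str:
    """Constructed: the value a Netscape directory returns for the same password."""
    raw = hashlib.sha1(credentials.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(raw).decode("ascii")


def original_tomcat_check(credentials: str, stored: str) -> bool:
    """The comparison the bug report quotes: digest(credentials).equalsIgnoreCase(valueString)."""
    return sha1_hex(credentials).lower() == stored.lower()


def validate(credentials: str, stored: str) -> bool:
    """Accept both the {SHA}base64 form and a bare hex digest, like the proposed patch,
    but compare decoded digest bytes in constant time instead of comparing strings."""
    computed = hashlib.sha1(credentials.encode("utf-8")).digest()
    if stored[:5].upper() == "{SHA}":
        try:
            # validate=True rejects characters outside the Base64 alphabet
            expected = base64.b64decode(stored[5:], validate=True)
        except (binascii.Error, ValueError):
            return False
    else:
        try:
            # Hex is case-insensitive; decoding to bytes removes the case question
            expected = bytes.fromhex(stored)
        except ValueError:
            return False
    # Constant-time comparison: a mismatch does not leak where the digests differ
    return hmac.compare_digest(computed, expected)
```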