Encryption: There is only one way to encrypt passwords if you are not using SSL. That is to use Paj's JavaScript module available here: http://pajhome.org.uk/crypt/md5/

Although the Tomcat Realm does have an MD5 flag which you can set to encrypt the passwords being sent to it, this is too late, as the passwords have already been sent in the clear over the internet to your server. The only use for this is when you are accessing a server on which the passwords are stored in MD5 encrypted format and you don't care about the network.

You may also be told that you can use a Digest login instead of a Form login or Basic Login, but again you have a problem: Digest logins are only available in IE, so if you know all your users are definitely only using IE then go ahead; it will be doing the same job as the JavaScript, i.e. encrypting before sending down the wire.

In order to encrypt the passwords in the first place you can use Java 1.4's java.security.* package, or you can use Catalina's org.apache.catalina.realm.RealmBase, which can be used at the command line thus:

    C:\>java org.apache.catalina.realm.RealmBase -a MD5 mypassword

or you can use the JavaScript.

If you have the passwords in an Oracle Database you can also use the Oracle Function DBMS_OBFUSCATION_TOOLKIT.MD5() by writing an Oracle Function something like this:

    CREATE OR REPLACE FUNCTION get_md5 (plaintext IN VARCHAR2)
    RETURN VARCHAR2
    IS
      test VARCHAR2(16);  -- holds the 16 raw digest bytes returned by MD5()
    BEGIN
      test := DBMS_OBFUSCATION_TOOLKIT.MD5(INPUT_STRING => plaintext);
      RETURN test;
    END get_md5;
    /

Note: using a function like this you can create a view of the passwords table in your database, which would mean that though your passwords appear hashed to Tomcat, they are actually still visible to you!

The servlet invoker /servlet/*

If you are adding the servlets to your web.xml file then you do not need to use the servlet invoker anywhere and hence do not need to call it using /servlet/. Whether or not you add the servlets to the same package is a programming decision which has to do with what the servlets do and whether they do the same thing as the other classes in that package. This has no bearing on the administrative decisions of how to keep the server secure.

Hope that all helps.

Andoni.

----- Original Message -----
From: "Ben Bookey" <[EMAIL PROTECTED]>
To: "Tomcat User List" <[EMAIL PROTECTED]>
Sent: Thursday, August 05, 2004 9:02 AM
Subject: Tomcat Realm --> password encryption & servlet location in a webApp

> Dear list,
>
> 2 questions
>
> 1) I think I remember reading somewhere that there was a .bat batch file
> which we could run on production machines, so that passwords are encrypted.
> Can anyone enlighten?
>
> 2) What's the best configuration mechanism for my servlets? I think it's
> better to add the servlets to my com.mycompany.myapp package (or?), BUT, is
> it a security flaw when I set in my app the <url-pattern> beginning with
> /servlet/* (see below example). I again have read that the servlet
> url-pattern should not begin with /servlet
>
> <servlet-mapping>
>   <servlet-name>servletName</servlet-name>
>   <url-pattern>/servlet/servletName</url-pattern>
> </servlet-mapping>
>
> regards.
>
> Ben
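As an added example that is not part of either mail or of Tomcat's own code: a small Python script that reproduces the value the RealmBase command above prints (assuming, as is the case, that Tomcat's digest form is the lowercase hex encoding of the raw digest of the password bytes, with no salt), verifies a submitted password against a stored digest in constant time, and audits a constructed tomcat-users.xml for credentials still stored in plaintext. The SHA mapping, the `looks_digested` heuristic and the sample file are assumptions of this example, not from the thread.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hex-digest lengths for the two algorithms this example accepts.
DIGEST_HEX_LEN = {"MD5": 32, "SHA": 40}
HASHLIB_NAME = {"MD5": "md5", "SHA": "sha1"}


def tomcat_digest(password: str, algorithm: str = "MD5") -> str:
    """Lowercase hex of the raw digest of the UTF-8 password bytes, i.e. what
    `java org.apache.catalina.realm.RealmBase -a MD5 <pw>` prints. No salt is
    involved, so equal passwords always produce equal digests."""
    name = HASHLIB_NAME[algorithm.upper()]
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def verify(stored: str, candidate: str, algorithm: str = "MD5") -> bool:
    """Compare a submitted password to a stored digest without leaking timing;
    stored values are case-folded since hex case varies between tools."""
    return hmac.compare_digest(stored.lower(), tomcat_digest(candidate, algorithm))


def looks_digested(value: str, algorithm: str = "MD5") -> bool:
    """Heuristic (assumption): a credential is in digest form if it has exactly
    the algorithm's hex length and only hex characters. A plaintext password
    that happens to match that shape would slip through."""
    hexchars = set("0123456789abcdefABCDEF")
    return len(value) == DIGEST_HEX_LEN[algorithm.upper()] and set(value) <= hexchars


def audit_tomcat_users(xml_text: str, algorithm: str = "MD5") -> list:
    """Return usernames whose password attribute is not in digest form, i.e.
    accounts whose credentials are still stored as plaintext."""
    root = ET.fromstring(xml_text)
    return [u.get("username") for u in root.iter("user")
            if not looks_digested(u.get("password", ""), algorithm)]


# Constructed sample file, not a real user database.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <user username="alice" password="5f4dcc3b5aa765d61d8327deb882cf99" roles="manager"/>
  <user username="bob" password="secret" roles="user"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(tomcat_digest("mypassword"))
    print("plaintext credentials:", audit_tomcat_users(SAMPLE_TOMCAT_USERS))
```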
