The JDBCRealm only compares passwords, but you can specify in the web.xml the
algorithm you used for the passwords in your table's column. It must be an
algorithm that extends java.security.something, I don't remember very well.
So, the answer is that it really encrypts.

Guido.

-----Original Message-----
From: Michael Wentzel [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 26, 2001 5:22 PM
To: 'Tomcat Users List'
Subject: RE: Does security realms encrypt the passwords?


> I'm using JDBC realms with Tomcat 4.0 with an HTML form. My question is,
> does the password get sent over the internet in plain text format or is it
> hashed/encrypted/digested in some way?
>
> A good idea would be to digest it together with a random variable and the
> session Id using MD5 for example. Otherwise the password will be sent over
> the internet in plain text format for any hacker to grab it...

The plain ole JDBCRealm does no encryption.  You'll have to extend JDBCRealm
to do any encryption.  JDBCRealm itself is only the server-side code; it does
not have anything to do with the way the text is sent in the request.



---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
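
The two replies describe different layers: a digest configured on the realm governs how the stored column value is compared on the server, while the form POST still carries whatever the browser typed. The following is an added illustration, not code from this thread or from Tomcat; the class name, method names, user name and sample password are hypothetical, and `j_username`/`j_password` are the standard form-login field names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Added illustration (hypothetical names), not Tomcat source code.
public class RealmDigestDemo {

    // Digest a password and hex-encode it, the form a password column usually holds.
    static String hexDigest(String algorithm, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Server-side check: the plaintext taken from the request is digested,
    // then compared with the value read from the database column.
    static boolean matches(String algorithm, String submitted, String storedHex)
            throws NoSuchAlgorithmException {
        byte[] computed = hexDigest(algorithm, submitted)
                .getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHex.toLowerCase(Locale.ROOT)
                .getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) throws Exception {
        String algorithm = "SHA-256";        // any MessageDigest algorithm name
        String password = "s3cret-sample";   // constructed sample value

        // What the users table holds when passwords are stored digested.
        String storedHex = hexDigest(algorithm, password);
        System.out.println("column value : " + storedHex);

        // What the login form submits: the digest setting does not change this,
        // so without HTTPS the password crosses the network readable.
        String formBody = "j_username=alice&j_password=" + password;
        System.out.println("request body : " + formBody);

        System.out.println("right password matches: "
                + matches(algorithm, password, storedHex));
        System.out.println("wrong password matches: "
                + matches(algorithm, "guess", storedHex));
    }
}
```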
