Jeff Sexton wrote:
On Thu, 29 May 2003, Raible, Matt wrote:

Why don't you just have the JDBCRealm do it - add digest="SHA".


I need something other than SHA, I need to use my own custom code for an
encryption method of my own that is not provided by JDBCRealm


To programmatically do it using form-based authentication, I've used a
LoginServlet that's mapped to "auth" in my login.jsp's form.  In this
servlet, I encrypt the password and redirect to "j_security_check" - is that
what you're looking for?


Maybe.  I'll do some reading about form-based authentication.  I'm not
sure.

I'm after this because I already have set up a JDBCRealm based system,
with BASIC authentication, and SHA, under Tomcat for both servlets and
Cocoon stuff.  Now I want to tie this together with another application
that encrypts passwords differently from any method available in JDBCRealm.

I have the code for the encryption.  If I could simply drop this code into
the user validation JDBCRealm does for me in Tomcat, it'd be great because
the security would all work and I wouldn't have to create any
user/password management pages of my own.

Based on the documentation here

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords

and a quick look at the sources here

http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain

it does not look to me like you are going to be able to do this without hacking the JDBC Realm implementation. The Tomcat JDBC Realm implementation supports digested (*not* encrypted) passwords using java.security.MessageDigest to do the hashing. This means that the hashing must be performed using one of the standard algorithms specified here:

http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA


You are probably best off going with one of the approaches that Matt has outlined if you want to serve login pages from the tomcat nodes.


Phil





If I can do this, I can tie Tomcat authentication to the password system my company has on other systems.

Any tips are helpful! I'm a little lost with this.
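One way to do what Phil calls "hacking the JDBC Realm implementation" without patching Tomcat itself, as an added example that is not from this thread or from the Tomcat sources: subclass JDBCRealm and override the protected digest(String) hook that RealmBase provides (assumed from the Tomcat 4.1 sources linked above). The package name and the salted, iterated SHA-1 transform are constructed placeholders standing in for the company's own scheme.

```java
package com.example.realm; // hypothetical package name

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.catalina.realm.JDBCRealm;

// Registered in server.xml as <Realm className="com.example.realm.CustomDigestJDBCRealm" .../>
// with the usual JDBCRealm attributes and the "digest" attribute left unset.
public class CustomDigestJDBCRealm extends JDBCRealm {
    // Stand-in for the company's own algorithm (constructed for this example):
    // fixed application salt prepended to the password, SHA-1 iterated
    // ITERATIONS times, lower-case hex. Replace with the real transform.
    private static final String APP_SALT = "example-salt";
    private static final int ITERATIONS = 1000;

    // RealmBase.digest(String) is the hook JDBCRealm.authenticate() applies to
    // the submitted password before comparing it with the userCredCol value.
    // With no "digest" attribute, hasMessageDigest() is false and the check is
    // an exact String.equals(), so this output must match the stored format.
    protected String digest(String credentials) {
        if (credentials == null) {
            return null;
        }
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] hash = md.digest((APP_SALT + credentials).getBytes("UTF-8"));
            for (int i = 1; i < ITERATIONS; i++) {
                hash = md.digest(hash); // digest() resets md after each call
            }
            return toHex(hash);
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: never fall back to returning the raw password, or a
            // plaintext would be compared against the stored hash column.
            throw new IllegalStateException("SHA-1 unavailable: " + e);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 unavailable: " + e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuffer sb = new StringBuffer(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xff;
            if (v < 0x10) sb.append('0');
            sb.append(Integer.toHexString(v));
        }
        return sb.toString();
    }
}
```

Because the class references Catalina internals it has to live where the server class loader can see it (assumed to be $CATALINA_HOME/server/classes or server/lib on Tomcat 4), not in the web application's WEB-INF. The plaintext password still reaches the Tomcat node and is transformed there, which is the same trust boundary as the built-in digest attribute.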


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]