On Thu, 29 May 2003, Raible, Matt wrote:
Why don't you just have the JDBCRealm do it - add digest="SHA".
I need something other than SHA, I need to use my own custom code for an encryption method of my own that is not provided by JDBCRealm.
To programmatically do it using form-based authentication, I've used a LoginServlet that's mapped to "auth" in my login.jsp's form. In this servlet, I encrypt the password and redirect to "j_security_check" - is that what you're looking for?
Maybe. I'll do some reading about form-based authentication. I'm not sure.
I'm after this because I already have set up a JDBCRealm based system, with BASIC authentication, and SHA, under Tomcat for both servlets and cocoon stuff. Now I want to tie this together with another application that encrypts passwords differently from any method available in JDBCRealm.
I have the code for the encryption. If I could simply drop this code into the user validation JDBCRealm does for me in Tomcat, it'd be great because the security would all work and I wouldn't have to create any user/password management pages of my own.
Based on the documentation here
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords
and a quick look at the sources here
http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain
it does not look to me like you are going to be able to do this without hacking the JDBC Realm implementation. The tomcat JDBC Realm implementation supports digested (*not* encrypted) passwords using java.security.MessageDigest to do the hashing. This means that the hashing must be performed using one of the standard algorithms specified here
http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA
You are probably best off going with one of the approaches that Matt has outlined if you want to serve login pages from the tomcat nodes.
Phil
If I can do this, I can tie Tomcat authentication to the password system my company has on other systems.
Any tips are helpful! I'm a little lost with this.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
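An added example, not part of the thread and not Tomcat's own code: a stand-alone sketch of the digest-and-compare check the reply describes, showing that a name such as digest="SHA" resolves through java.security.MessageDigest while an in-house scheme name does not. The class name, the sample password, the "CompanyCrypt" name, and the UTF-8 plus lowercase-hex encoding are assumptions of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class RealmDigestCheck {

    // Hash the cleartext with a JCA MessageDigest and hex-encode the result.
    // Assumption: UTF-8 input and lowercase hex output.
    static String digest(String algorithm, String cleartext)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(cleartext.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    // Compare the computed digest with the stored column value using
    // MessageDigest.isEqual, so the mismatch position is not leaked by timing.
    static boolean matches(String algorithm, String cleartext, String storedHex)
            throws NoSuchAlgorithmException {
        byte[] computed = digest(algorithm, cleartext).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the value that would sit in the password column.
        String stored = digest("SHA", "s3cret-demo");
        System.out.println("stored column value: " + stored);
        System.out.println("correct password:    " + matches("SHA", "s3cret-demo", stored));
        System.out.println("wrong password:      " + matches("SHA", "guess", stored));

        // "CompanyCrypt" is a hypothetical name for an in-house scheme. No JCA
        // provider registers it, so the lookup fails before any hashing happens.
        try {
            digest("CompanyCrypt", "s3cret-demo");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("unsupported digest:  " + e.getMessage());
        }
    }
}
```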