Nice! Thanks!
Jeff Sexton
The ODS Companies
[EMAIL PROTECTED]

On Tue, 3 Jun 2003, Extance, Paul wrote:

> We've already done this as part of the Jaffa (jaffa.sourceforge.net) open
> source project. For more details see...
>
> The Source Code @
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/org/jaffa/tomcat/realm/JDBCEncryptionRealm.java?rev=HEAD&content-type=text/vnd.viewcvs-markup
>
> The Jaffa Site @ http://jaffa.sf.net
>
> The JAR, if you want the easy way... is attached!
>
> This has been tested with most tomcat releases from 3.3a up to 4.1.24 and
> works. It supports two types of encryption signatures:
>
>   String xxx(String password) and
>   String xxx(String password, String Userid) in case you want to use their
>   user id as part of the key for the encryption
>
> You provide the class name and the method name in server.xml, and it looks
> for either method 1 or 2 and uses that to encrypt the password, before
> comparing it with the one in the database. It does not try to decrypt the
> database password, so a one way encryption algorithm can be supported.
>
> This Realm also allows you some other features like extending the where
> clause for the retrieve on user records, and the select for how to read the
> roles (in case you don't want to create additional views!)
>
> An example of how it can be used in server.xml is...
>
>   <Realm
>     className = "org.jaffa.tomcat.realm.JDBCEncryptionRealm"
>     debug = "0"
>     driverName = "oracle.jdbc.driver.OracleDriver"
>     connectionURL = "jdbc:oracle:thin:@myhost.mydomain.com:1521:mydb"
>     connectionName = "mydbuser"
>     connectionPassword = "mydbpass"
>     userTable = "users"
>     userNameCol = "user_id"
>     userCredCol = "password"
>     userClause = "password is not null and user_status='Active'"
>     userRoleTable = "user_roles"
>     roleNameCol = "role_name"
>     encryptionClass = "com.mycompany.services.Encryption"
>     encryptionMethod = "encrypt"
>   />
>
> Just make sure you put the attached JAR, and your JAR in the /server/lib
> directory, and put the database driver JAR(s) in the same place or in
> /common/lib
>
> Hope this helps...
>
> Paul Extance
>
> -----Original Message-----
> From: Phil Steitz [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 31, 2003 9:25 AM
> To: Tomcat Users List
> Subject: Re: Alternate password encryption code?
>
> Jeff Sexton wrote:
> > On Thu, 29 May 2003, Raible, Matt wrote:
> >
> >> Why don't you just have the JDBCRealm do it - add digest="SHA".
> >
> > I need something other than SHA, I need to use my own custom code for an
> > encryption method of my own that is not provided by JDBCRealm
> >
> >> To programmatically do it using form-based authentication, I've used a
> >> LoginServlet that's mapped to "auth" in my login.jsp's form. In this
> >> servlet, I encrypt the password and redirect to "j_security_check" - is that
> >> what you're looking for?
> >
> > Maybe. I'll do some reading about form-based authentication. I'm not
> > sure.
> >
> > I'm after this because I already have set up a JDBCRealm based system,
> > with BASIC authentication, and SHA, under Tomcat for both servlets and
> > cocoon stuff. Now I want to tie this together with another application
> > that encrypts passwords differently from any method available in JDBCRealm.
> >
> > I have the code for the encryption. If I could simply drop this code into
> > the user validation JDBCRealm does for me in Tomcat, it'd be great because
> > the security would all work and I wouldn't have to create any
> > user/password management pages of my own.
>
> Based on the documentation here
>
> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords
>
> and a quick look at the sources here
>
> http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain
>
> it does not look to me like you are going to be able to do this without
> hacking the JDBC Realm implementation. The tomcat JDBC Realm
> implementation supports digested (*not* encrypted) passwords using
> java.security.MessageDigest to do the hashing. This means that the
> hashing must be performed using one of the standard algorithms specified
> here
> http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA
>
> You are probably best off going with one of the approaches that Matt has
> outlined if you want to serve login pages from the tomcat nodes.
>
> Phil
>
> > If I can do this, I can tie Tomcat authentication to the password system
> > my company has on other systems.
> >
> > Any tips are helpful! I'm a little lost with this.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
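The lookup-and-compare contract Paul describes (a class and method named in server.xml, resolved to either `String xxx(String password)` or `String xxx(String password, String userid)`, applied to the submitted password and compared with the stored value) as an added illustrative example in Java; it is not Jaffa's or Tomcat's code, and the resolver class, the stand-in `Encryption` class and the sample credentials are all constructed for this example.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical stand-in for a realm's encryptionClass/encryptionMethod handling (not Jaffa's code).
public final class EncryptionMethodResolver {

    /** Looks for xxx(String, String) first, then xxx(String), as the post describes. */
    static Method resolve(String className, String methodName) throws Exception {
        Class<?> cls = Class.forName(className);
        try {
            Method two = cls.getMethod(methodName, String.class, String.class); // (password, userid)
            if (two.getReturnType() == String.class) return two;
        } catch (NoSuchMethodException ignored) { }
        Method one = cls.getMethod(methodName, String.class);                    // (password)
        if (one.getReturnType() != String.class)
            throw new NoSuchMethodException(methodName + " must return String");
        return one;
    }

    /** Encrypts the submitted password the way the realm would and compares it with the stored value. */
    static boolean credentialsMatch(Method m, String stored, String submitted, String userid) throws Exception {
        if (stored == null) return false; // matches the "password is not null" userClause in the post
        Object target = Modifier.isStatic(m.getModifiers())
                ? null : m.getDeclaringClass().getDeclaredConstructor().newInstance();
        String computed = m.getParameterCount() == 2
                ? (String) m.invoke(target, submitted, userid)
                : (String) m.invoke(target, submitted);
        // Constant-time comparison: the stored value is never decrypted, only recomputed and compared.
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     computed.getBytes(StandardCharsets.UTF_8));
    }

    /** Constructed stand-in for com.mycompany.services.Encryption: a one-way hash keyed by user id. */
    public static final class Encryption {
        public String encrypt(String password, String userid) throws Exception {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(userid.getBytes(StandardCharsets.UTF_8)); // user id folded into the digest
            return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
        }
    }

    public static void main(String[] args) throws Exception {
        // Class and method name as a realm would read them from server.xml (constructed here).
        Method m = resolve("EncryptionMethodResolver$Encryption", "encrypt");
        String stored = new Encryption().encrypt("s3cret", "jdoe"); // what the users table would hold
        System.out.println(credentialsMatch(m, stored, "s3cret", "jdoe"));
        System.out.println(credentialsMatch(m, stored, "wrong", "jdoe"));
    }
}
```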
