Jon,
On 8/24/21 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, August 24, 2021 11:41 AM
To: users@tomcat.apache.org
Subject: Re: UserDatabaseRealm and DIGEST
On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote:
Ok, so I've been reading thru the documentation on DIGEST but not
entirely sure I have it right. What is the best practice for DIGEST and what
algorithms are allowed, such as is sha-256 allowed?
First, a question of clarification.
Do you mean HTTP DIGEST authentication or do you mean storing password
hashes rather than the actual passwords in the UserDatabaseRealm?
Mark
I mean the Password Hashes rather than the actual password for the
UserDatabaseRealm.
You can use any algorithm that Java's MessageDigest supports.
I would recommend against using "Digest" credential storage and instead
use something more secure such as PBKDF2, which Tomcat also supports.
You might find this informative:
https://tomcat.apache.org/presentations.html#latest-credential-security
-chris
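
The difference behind the recommendation above, as an added example that is not from the thread or from Tomcat's code: an unsalted single-round `MessageDigest` hash gives the same stored value for every user with the same password, while PBKDF2 stores a per-entry salt and an iteration count and is verified by re-deriving the key. The class name, iteration count, salt and key sizes, sample password and the `salt$iterations$hash` layout are assumptions of this example; it needs Java 17 or later for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CredentialStorageDemo {
    // Constructed parameters for illustration, not values from the thread.
    static final int ITERATIONS = 100_000, SALT_BYTES = 16, KEY_BITS = 256;
    static final HexFormat HEX = HexFormat.of();

    // Plain digest: one unsalted round, so equal passwords always map to equal stored values.
    static String plainDigest(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return HEX.formatHex(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // PBKDF2 entry with a fresh random salt, stored as salt$iterations$hash (layout assumed here).
    static String store(String password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return HEX.formatHex(salt) + "$" + ITERATIONS + "$" + HEX.formatHex(pbkdf2(password.toCharArray(), salt, ITERATIONS));
    }

    // Re-derive with the stored salt and iteration count, then compare in constant time.
    static boolean verify(String password, String stored) throws Exception {
        String[] p = stored.split("\\$");
        byte[] actual = pbkdf2(password.toCharArray(), HEX.parseHex(p[0]), Integer.parseInt(p[1]));
        return MessageDigest.isEqual(HEX.parseHex(p[2]), actual);
    }

    public static void main(String[] args) throws Exception {
        String pw = "example-password"; // constructed sample input
        System.out.println("plain digests equal: " + plainDigest(pw).equals(plainDigest(pw)));
        String a = store(pw), b = store(pw); // two entries for the same password
        System.out.println("PBKDF2 entries equal: " + a.equals(b));
        System.out.println("verify ok: " + (verify(pw, a) && !verify("wrong-password", a)));
    }
}
```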