Chris, > -----Original Message----- > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Tuesday, August 24, 2021 5:52 PM > To: users@tomcat.apache.org > Subject: Re: UserDatabaseRealm and DIGEST > > Jon, > > On 8/24/21 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote: > >> -----Original Message----- > >> From: Mark Thomas <ma...@apache.org> > >> Sent: Tuesday, August 24, 2021 11:41 AM > >> To: users@tomcat.apache.org > >> Subject: Re: UserDatabaseRealm and DIGEST > >> > >> On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote: > >>> Ok, so I've been reading thru the documentation on DIGEST but not > >> entirely sure I have it right. What is the best practice for DIGEST > >> and what algorithms are allowed, such as is sha-256 allowed? > >> > >> First, a question of clarification. > >> > >> Do you mean HTTP DIGEST authentication or do you mean storing > >> password hashes rather than the actual passwords in the > UserDatabaseRealm? > >> > >> Mark > > > I mean the Password Hashes rather than the actual password for the > UserDatabaseRealm. > > You can use any algorithm that Java's MessageDigest supports. > > I would recommend against using "Digest" credential storage and instead use > something more secure such as PBKDF2, which Tomcat also supports. > > You might find this informative: > https://urldefense.com/v3/__https://tomcat.apache.org/presentations.htm > l*latest-credential- > security__;Iw!!F9svGWnIaVPGSwU!7c3eGMZdJEU_EmV4XmOqEiivhaDIfji3A > sGbXN4DAVlFM-pSfYgsX93DDHm6520mF1wBLNc$ > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
In this case I am wanting to know the proper way to use DIGEST as we have some folks with vendor applications that Use Tomcat that insist on using the UserDatabaseRealm. I agree that using LDAP or something other is the better way to go. We typically do NOT allow the use of the UserDatabaseRealm unless the passwords are hashed with DIGEST. I just want to make sure that when we check for compliance, we are approving the various means. Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Infrastructure Engineer Asst Vice President Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
