Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/11/02 16:32:12 UTC

DO NOT REPLY [Bug 37334] New: - Realm digest property not aligned with the administration console functionalities

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37334>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37334

           Summary: Realm digest property not aligned with the
                    administration console functionalities
           Product: Tomcat 5
           Version: 5.0.31
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: andrea.pompili@inwind.it
                CC: andrea.pompili@inwind.it


I noticed that if you set up the "digest" property on an Authentication Realm 
(Memory, LDAP or whatever you want) you have to put the password digested 
directly in the repository, but you can't use the administration console because 
the code allows the correct use of the digested password only in the 
authenticate method (RealmBase.java) and not in the addUser one or in the 
GenericPrincipal class.
The effect is that (for example using a Memory local database) the password is 
set in clear in the configuration file (tomcat-users.xml) and the 
authentication fails because the system tries to check it after digesting...

Here are the differences:

    public Principal authenticate(String username, String credentials) {
        GenericPrincipal principal = (GenericPrincipal)principals.get(username);
        boolean validated = false;
        if (principal != null)
            if (hasMessageDigest())
                ... // etc. etc.: the password is checked after digesting


    void addUser(String username, String password, String roles) {
           ....

           GenericPrincipal principal = new GenericPrincipal(this, username,
                                                             password, list);
           principals.put(username, principal);

           ... // the password is now stored in clear
    }

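The mismatch described in this report, shown in a small stand-alone Java program. This is an added illustration, not Tomcat's code and not the reporter's: ToyRealm, its digestOnAdd flag and the user "alice" / password "s3cret" are constructed for the example, and SHA-256 stands in for whatever algorithm the realm's digest attribute would name. The first realm stores the credential exactly as addUser received it while authenticate compares against a digest of the presented password, so the login fails; the second digests in addUser as well, so the stored and computed values agree.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical minimal realm illustrating Bug 37334; not Tomcat's RealmBase/MemoryRealm.
public class DigestRealmDemo {

    // Stand-in for a realm's digest step: hex(MessageDigest(credentials)).
    static String digest(String algorithm, String credentials) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] raw = md.digest(credentials.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : raw) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("unknown digest algorithm: " + algorithm, e);
        }
    }

    static class ToyRealm {
        private final String algorithm;      // null means the digest property is unset
        private final boolean digestOnAdd;   // false reproduces the reported addUser behaviour
        private final Map<String, String> store = new HashMap<>(); // username -> stored credential

        ToyRealm(String algorithm, boolean digestOnAdd) {
            this.algorithm = algorithm;
            this.digestOnAdd = digestOnAdd;
        }

        // Mirrors the reported addUser: with digestOnAdd=false the clear-text password is stored.
        void addUser(String username, String password) {
            String stored = (digestOnAdd && algorithm != null) ? digest(algorithm, password) : password;
            store.put(username, stored);
        }

        // Mirrors authenticate(): when a digest is configured, the presented password is
        // digested and compared with whatever the repository holds.
        boolean authenticate(String username, String credentials) {
            String stored = store.get(username);
            if (stored == null) {
                return false;
            }
            String presented = (algorithm != null) ? digest(algorithm, credentials) : credentials;
            // Constant-time comparison of the two hex strings.
            return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                         presented.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) {
        // As reported: digest configured, but addUser stores the password in clear.
        ToyRealm asReported = new ToyRealm("SHA-256", false);
        asReported.addUser("alice", "s3cret");
        System.out.println("addUser stores clear text, authenticate digests: "
                + asReported.authenticate("alice", "s3cret"));

        // Aligned behaviour: addUser applies the same digest that authenticate expects.
        ToyRealm aligned = new ToyRealm("SHA-256", true);
        aligned.addUser("alice", "s3cret");
        System.out.println("addUser digests, authenticate digests: "
                + aligned.authenticate("alice", "s3cret"));
    }
}
```

Compile and run with javac/java; the first line prints false and the second true. The same check applies to any realm whose write path (console, admin tool, script) and read path disagree on whether credentials are stored digested: the login failure is the visible symptom, and the clear-text password left in tomcat-users.xml is the one worth auditing for.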