Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/11/02 16:32:12 UTC
DO NOT REPLY [Bug 37334] New: - Realm digest property not aligned with the administration console functionalities
http://issues.apache.org/bugzilla/show_bug.cgi?id=37334
Summary: Realm digest property not aligned with the administration console functionalities
Product: Tomcat 5
Version: 5.0.31
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: andrea.pompili@inwind.it
CC: andrea.pompili@inwind.it
I noticed that if you set up the "digest" property on an Authentication Realm
(Memory, LDAP or whatever you want) you have to put the password digested
directly in the repository but you can't use the administration console because
the code allows the correct use of the digested password only in the
authenticate method (RealmBase.java) and not in the addUser one or in the
GenericPrincipal class.

The effect is that (for example using a Memory local database) the password is
set in clear on the configuration file (tomcat-users.xml) and the
authentication fails because the system tries to check it after digesting...

Here are the differences:

    public Principal authenticate(String username, String credentials) {
        GenericPrincipal principal = (GenericPrincipal)principals.get(username);
        boolean validated = false;
        if (principal != null)
            if (hasMessageDigest()) // ....... etc etc (password is checked encrypted)

    void addUser(String username, String password, String roles) {
        // ....
        GenericPrincipal principal = new GenericPrincipal(this, username,
                                                          password, list);
        principals.put(username, principal);
        // ... (password now is in clear)
    }
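
The mismatch reported above, reduced to a self-contained added example. This is not code from the bug report or from Tomcat: the class DigestRealmDemo, the digestOnAdd switch, the SHA-256 algorithm choice and the sample account are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

// Hypothetical stand-in for a memory realm; not Tomcat's RealmBase or MemoryRealm.
public class DigestRealmDemo {
    private final Map<String, String> principals = new HashMap<>();
    private final String algorithm;      // assumed digest setting, e.g. "SHA-256"
    private final boolean digestOnAdd;   // false reproduces the reported behaviour

    DigestRealmDemo(String algorithm, boolean digestOnAdd) {
        this.algorithm = algorithm;
        this.digestOnAdd = digestOnAdd;
    }

    // Hex-encode the digest of the credentials using the configured algorithm.
    String digest(String credentials) {
        try {
            byte[] hash = MessageDigest.getInstance(algorithm)
                    .digest(credentials.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : hash) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Reported path stores the password as given; the aligned path digests it first.
    void addUser(String username, String password) {
        principals.put(username, digestOnAdd ? digest(password) : password);
    }

    // Digests the supplied credentials before comparing, as authenticate does in the report.
    boolean authenticate(String username, String credentials) {
        String stored = principals.get(username);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                digest(credentials).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        for (boolean aligned : new boolean[] {false, true}) {
            DigestRealmDemo realm = new DigestRealmDemo("SHA-256", aligned);
            realm.addUser("alice", "s3cret");   // constructed sample account
            System.out.println("digestOnAdd=" + aligned + " stored="
                    + realm.principals.get("alice") + " login=" + realm.authenticate("alice", "s3cret"));
        }
    }
}
```

With digestOnAdd=false the stored value is the cleartext password and the login fails; with digestOnAdd=true the stored value is the hex digest and the same login succeeds.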