Posted to dev@tomcat.apache.org by Tim Funk <fu...@joedog.org> on 2002/06/28 19:56:09 UTC
Netscape Directory Server vs JNDIRealm (password woes)
I am using Netscape Directory Server and was unable to get it to work
with the JNDIRealm (because of password formats). I finally hacked a
solution together but was wondering if there were better suggestions.
Quick background:
In JNDIRealm.compareCredentials() (4.0.X, and it seems 4.1.X also has
this issue):

    if (hasMessageDigest()) {
        // Hex hashes should be compared case-insensitive
        validated = (digest(credentials).equalsIgnoreCase(password));
    } else
        validated = (digest(credentials).equals(password));

credentials is the password as entered by the user (still in plaintext).
password is the value returned from LDAP. The password is digested via
SHA1 coming out of LDAP.
The Problem:
digest() will use SHA1 but convert the string to a hex string. Coming
out of Netscape - I am getting {SHA1} followed by the password in Base64
encoding. Actually, I believe if the password is not cleartext, the
password will be preceded by {ALGORITHM} but I cannot confirm that from
any kind of documentation.
In my hack, I have this code instead:

    if (hasMessageDigest()) {
        // iPlanet crap - is encoded base64 and crapified
        // Assuming SHA1 - and server.xml told this
        if (password.startsWith("{")) {
            password = password.substring(5);
            md.reset();
            md.update(credentials.getBytes());
            String b64 = new String(org.apache.catalina.util.Base64.encode(md.digest()));
            validated = (b64.equals(password));
        } else {
            // Hex hashes should be compared case-insensitive
            validated = (digest(credentials).equalsIgnoreCase(password));
        }
    } else {
        validated = (digest(credentials).equals(password));
    }

I really don't like the code above either, and was wondering if anyone
else had a better idea? Whatever solution occurs may also have an effect
on RealmBase.java. I am willing to code any solution if a good one is
presented.
Tim Funk
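
Added example (not part of the original post and not Tomcat code): one way to do the comparison described in the message, reading the scheme label up to the closing brace rather than from a fixed offset. It goes beyond the post by also handling the salted {SSHA} form; the class name, the accepted labels (SHA, SHA1, SSHA), UTF-8 encoding of the password and the use of java.util.Base64 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper: checks a plaintext credential against an LDAP
// userPassword value of the form "{SCHEME}base64".
public class LdapPasswordCheck {

    static boolean matches(String credentials, String stored) throws NoSuchAlgorithmException {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) {
            return false; // no scheme prefix: leave to the realm's hex/cleartext path
        }
        // Read the label up to '}' instead of assuming a fixed prefix length.
        String scheme = stored.substring(1, close);
        boolean salted = scheme.equalsIgnoreCase("SSHA");
        if (!salted && !scheme.equalsIgnoreCase("SHA") && !scheme.equalsIgnoreCase("SHA1")) {
            return false; // unknown scheme: fail closed
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64
        }
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        int hashLen = md.getDigestLength(); // 20 bytes for SHA-1
        if (decoded.length < hashLen || (!salted && decoded.length != hashLen)) {
            return false; // truncated value, or trailing bytes on an unsalted hash
        }
        md.update(credentials.getBytes(StandardCharsets.UTF_8));
        // The salted form stores digest(password || salt) followed by the salt.
        md.update(decoded, hashLen, decoded.length - hashLen);
        byte[] expected = Arrays.copyOf(decoded, hashLen);
        // Compare raw digest bytes; isEqual does not stop at the first mismatch.
        return MessageDigest.isEqual(md.digest(), expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value: SHA-1 of "secret", Base64-encoded.
        byte[] h = MessageDigest.getInstance("SHA-1").digest("secret".getBytes(StandardCharsets.UTF_8));
        String stored = "{SHA}" + Base64.getEncoder().encodeToString(h);
        System.out.println("correct password: " + matches("secret", stored));
        System.out.println("wrong password:   " + matches("Secret", stored));
    }
}
```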