Posted to dev@tomcat.apache.org by Tim Funk <fu...@joedog.org> on 2002/06/28 19:56:09 UTC

Netscape Directory Server vs JNDIRealm (password woes)

I am using Netscape Directory Server and was unable to get it to work 
with the JNDIRealm (because of password formats). I finally hacked a 
solution together but was wondering if there were better suggestions.

Quick background:

in JNDIRealm.compareCredentials(): (4.0.X and it seems 4.1.X also has 
this issue)
  if (hasMessageDigest()) {
      // Hex hashes should be compared case-insensitive
      validated = (digest(credentials).equalsIgnoreCase(password));
  } else
      validated = (digest(credentials).equals(password));

credentials is the password as entered by the user (still in plaintext). 
password is the value returned from LDAP. The password is digested via 
SHA1 coming out of LDAP.

The Problem:
digest() will use SHA1 but convert the string to a hex string. Coming 
out of Netscape - I am getting {SHA1} followed by the password in Base64 
encoding. Actually, I believe if the password is not cleartext, the 
password will be preceded by {ALGORITHM} but I cannot confirm that from 
any kind of documentation.

In my hack, I have this code instead:
if (hasMessageDigest()) {
     // iPlanet crap - is encoded base64 and crapified
     // Assuming SHA1 - and server.xml told this
     if (password.startsWith("{")) {
         // strip the 5-character scheme tag, leaving the base64 digest
         password = password.substring(5);
         // md is the realm's java.security.MessageDigest (from RealmBase)
         md.reset();
         md.update(credentials.getBytes());
         String b64 = new String(org.apache.catalina.util.Base64.encode(md.digest()));
         validated = (b64.equals(password));
     } else {
         // Hex hashes should be compared case-insensitive
         validated = (digest(credentials).equalsIgnoreCase(password));
     }
} else {
     validated = (digest(credentials).equals(password));
}

I really don't like the code above either, and was wondering if anyone 
else had a better idea? Whatever solution occurs may also have an effect 
on RealmBase.java. I am willing to code any solution if a good one is 
presented.

Tim Funk
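The comparison the post is wrestling with, written out as an added example (this is neither Tim's hack nor Tomcat's JNDIRealm/RealmBase code, and it is in Python rather than Java so it can be run directly). It goes a little beyond the post: besides the untagged hex form that Tomcat's digest() produces and the {SHA} base64 form the directory returns, it also handles the salted {SSHA} form from the same RFC 2307 convention, accepts the scheme tag in any case, decodes the stored value rather than re-encoding the fresh digest, compares in constant time, and fails closed on an unknown scheme or undecodable base64. The function names, the digest_configured flag (standing in for hasMessageDigest()) and the sample passwords and salt are constructed for this example.

```python
import base64
import hashlib
import hmac

# Added example: verify a user-supplied cleartext password against the value an
# LDAP server returns in userPassword.  Function names and sample values are
# constructed for this example; this is not Tomcat's JNDIRealm/RealmBase code.
#
# Formats handled:
#   {SHA}<base64 of raw 20-byte SHA-1>          (RFC 2307 style, unsalted)
#   {SSHA}<base64 of raw SHA-1 digest + salt>   (RFC 2307 style, salted)
#   <40 hex chars, any case>                    (what Tomcat's digest() emits)
#   <cleartext>                                 (no digest algorithm configured)

SHA1_LEN = 20


def make_ldap_sha(password: str) -> str:
    """Build the {SHA} form a directory server stores (used to construct sample input)."""
    raw = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(raw).decode("ascii")


def make_ldap_ssha(password: str, salt: bytes) -> str:
    """Build the {SSHA} form: base64(sha1(password || salt) || salt)."""
    raw = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(raw + salt).decode("ascii")


def make_tomcat_hex(password: str) -> str:
    """Build the lowercase hex SHA-1 that Tomcat's digest() would produce."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def split_scheme(stored: str):
    """Return (SCHEME, payload); SCHEME is None when the value carries no {tag}."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify_password(credentials: str, stored: str, digest_configured: bool = True) -> bool:
    """Constant-time check of `credentials` against the stored LDAP value.

    digest_configured mirrors RealmBase.hasMessageDigest(): False means the realm
    was given no digest algorithm, so an untagged value is treated as cleartext.
    """
    pw = credentials.encode("utf-8")
    scheme, payload = split_scheme(stored)

    if scheme is None:
        if not digest_configured:
            return hmac.compare_digest(pw, stored.encode("utf-8"))
        # Tomcat's digest() emits hex; hex is compared case-insensitively.
        expected = make_tomcat_hex(credentials).encode("ascii")
        return hmac.compare_digest(expected, stored.lower().encode("utf-8"))

    # Decode what the server stored instead of re-encoding our own digest;
    # strict decoding turns a corrupt attribute into a clean rejection.
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        if len(raw) <= SHA1_LEN:
            return False
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)

    # Unknown scheme tag: fail closed rather than fall through to a cleartext compare.
    return False
```

The same shape carries over to Java: parse the tag up to the closing brace instead of hard-coding substring(5), base64-decode the stored payload, and compare it with MessageDigest.isEqual against md.digest() so the comparison does not short-circuit on the first differing byte.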

