Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/10/22 12:22:17 UTC
svn commit: r1633589 - in /tomcat/trunk:
java/org/apache/catalina/realm/RealmBase.java webapps/docs/realm-howto.xml
Author: markt
Date: Wed Oct 22 10:22:16 2014
New Revision: 1633589
URL: http://svn.apache.org/r1633589
Log:
Modify the handling of defaults for -a and -h as per kkolinko's review.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
tomcat/trunk/webapps/docs/realm-howto.xml
Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1633589&r1=1633588&r2=1633589&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Wed Oct 22 10:22:16 2014
@@ -80,6 +80,9 @@ public abstract class RealmBase extends
new ArrayList<>();
static {
+ // Order is important since it determines the search order for a
+ // matching handler if only an algorithm is specified when calling
+ // main()
credentialHandlerClasses.add(MessageDigestCredentialHandler.class);
credentialHandlerClasses.add(SecretKeyCredentialHandler.class);
}
@@ -1462,11 +1465,15 @@ public abstract class RealmBase extends
*/
public static void main(String args[]) {
- String algorithm = "SHA-512";
- String encoding = Charset.defaultCharset().name();
+ // Use negative values since null is not an option to indicate 'not set'
int saltLength = -1;
int iterations = -1;
int keyLength = -1;
+ // Default
+ String encoding = Charset.defaultCharset().name();
+ // Default values for these depend on whether either of them are set on
+ // the command line
+ String algorithm = null;
String handlerClassName = null;
if (args.length == 0) {
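Review bot: The `// Default` comment above the `encoding` initialisation says less than the comment it sits next to; since the platform charset is a common source of silently mismatched digests (the howto already warns about corrupted input), spell out what the default is and how to override it: `// Default to the platform charset; pass -e when the credential was typed under a different encoding`. The `algorithm = null` comment is clear as written. main() continues past the end of this hunk.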
@@ -1511,6 +1518,19 @@ public abstract class RealmBase extends
argIndex += 2;
}
+ // Determine defaults for -a and -h. The rules are more complex to
+ // express than the implementation:
+ // - if neither -a nor -h is set, use SHA-512 and
+ // MessageDigestCredentialHandler
+ // - if only -a is set the built-in handlers will be searched in order
+ // (MessageDigestCredentialHandler, SecretKeyCredentialHandler) and
+ // the first handler that supports the algorithm will be used
+ // - if only -h is set no default will be used for -a. The handler may
+ // or may nor support -a and may or may not supply a sensible default
+ if (algorithm == null && handlerClassName == null) {
+ algorithm = "SHA-512";
+ }
+
CredentialHandler handler = null;
if (handlerClassName == null) {
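Review bot: The new comment block has a typo: `may or may nor support -a` should read `may or may not support -a`. The same comment would also benefit from stating the failure mode for the two unhandled cases, namely a `-h` handler that receives a null algorithm and a `-a` value that neither built-in handler accepts so that `handler` is still null after the search beginning on the hunk's last line; the code that resolves both is outside this view, so I cannot tell whether the user gets an error message or a NullPointerException. A sentence such as `// If no handler accepts the algorithm an error is reported below` (adjusted to the actual behaviour) would make the contract explicit. main() continues past the end of this hunk.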
Modified: tomcat/trunk/webapps/docs/realm-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/realm-howto.xml?rev=1633589&r1=1633588&r2=1633589&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/realm-howto.xml (original)
+++ tomcat/trunk/webapps/docs/realm-howto.xml Wed Oct 22 10:22:16 2014
@@ -209,13 +209,42 @@ techniques are supported:</p>
not specified in web.xml, the default value of <code>Authentication
required</code> is used.</p>
-<p>Non-ASCII usernames and/or passwords are supported using</p>
+<p>Usernames and/or passwords using encodings other than the platform default
+are supported using</p>
<source>CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} -e {encoding} {input}</source>
-<p>but care is required to ensure that the non-ASCII input is
-correctly passed to the digester.
-The digester returns <code>{input}:{digest}</code>. If the input appears
-corrupted in the return, the digest will be invalid.</p>
-
+<p>but care is required to ensure that the input is correctly passed to the
+digester. The digester returns <code>{input}:{digest}</code>. If the input
+appears corrupted in the return, the digest will be invalid.</p>
+
+<p>The full syntax of <code>CATALINA_HOME/bin/digest.[bat|sh]</code> is:</p>
+<source>CATALINA_HOME/bin/digest.[bat|sh] [-a <algorithm>] [-e <encoding>]
+ [-i <iterations>] [-s <salt-length>] [-k <key-length>]
+ [-h <handler-class-name>] <credentials>
+</source>
+<ul>
+<li><b>-a</b> - The algorithm to use to generate the stored
+ credential. If not specified, the default for the handler will
+ be used. If neither handler nor algorithm is specified then a
+ default of <code>SHA-512</code> will be used</li>
+<li><b>-e</b> - The encoding to use for any byte to/from character
+ conversion that may be necessary. If not specified, the
+ system encoding (<code>Charset#defaultCharset()</code>) will
+ be used.</li>
+<li><b>-i</b> - The number of iterations to use when generating the
+ stored credential. If not specified, the default for the
+ CredentialHandler will be used.</li>
+<li><b>-s</b> - The length (in bytes) of salt to generate and store as
+ part of the credential. If not specified, the default for
+ the CredentialHandler will be used.</li>
+<li><b>-k</b> - The length (in bits) of the key(s), if any, created while
+ generating the credential. If not specified, the default
+ for the CredentialHandler will be used.</li>
+<li><b>-h</b> - The fully qualified class name of the CredentialHandler
+ to use. If not specified, the built-in handlers will be
+ tested in turn (MessageDigestCredentialHandler then
+ SecretKeyCredentialHandler) and the first one to accept the
+ specified algorithm will be used.</li>
+</ul>
</subsection>