Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/10/08 00:31:39 UTC
DO NOT REPLY [Bug 31592] New: - storage format of digested realm passwords depends on default charset
http://issues.apache.org/bugzilla/show_bug.cgi?id=31592
Summary: storage format of digested realm passwords depends on default charset
Product: Tomcat 5
Version: 5.0.0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Minor
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: hontvari3@solware.com
The documentation specifies the digest algorithms which can be used to avoid
storing plain text passwords. Unfortunately passwords are strings and the inputs of
digest algorithms are bytes, but the conversion between the two - the charset
encoding to be used - is not specified.

Looking at the source of org.apache.tomcat.modules.aaa.RealmBase it turns out that
it uses the system default charset encoding, which is usually a bad idea for
server software. E.g. moving the server to another machine or using a second
server with a different locale renders the user database invalid.

The best solution would be to explicitly specify an encoding, e.g. UTF-8. But at
this moment this may break existing configurations. Another solution is to add an
additional parameter to each realm implementation and the command line utility, in
which the administrator can specify the encoding. The default of this parameter
must be "encode using the platform's default charset", in order to not break
compatibility.
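The behaviour reported above, as an added example that is not part of the bug report and not Tomcat's code. The class name, the digest() helper, the sample passwords and the choice of SHA-256, ISO-8859-1 and UTF-8 are assumptions made for the illustration; the two charsets stand in for the platform defaults of two differently configured hosts.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCharsetDemo {

    // Hypothetical helper (not a Tomcat API): encode the password with an
    // explicitly named charset, digest the bytes, return lowercase hex.
    static String digest(String password, String algorithm, Charset charset)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(password.getBytes(charset));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample passwords: one ASCII-only, one containing
        // the non-ASCII characters U+00E4 and U+00F6.
        String[] labels = { "ascii-only", "non-ascii" };
        String[] passwords = { "secret", "p\u00e4ssw\u00f6rd" };

        // Assumed defaults of the host that wrote the user database (A)
        // and of the host that later validates logins against it (B).
        Charset hostA = StandardCharsets.ISO_8859_1;
        Charset hostB = StandardCharsets.UTF_8;

        for (int i = 0; i < passwords.length; i++) {
            String stored = digest(passwords[i], "SHA-256", hostA);
            String computed = digest(passwords[i], "SHA-256", hostB);
            System.out.println(labels[i] + " password");
            System.out.println("  stored on host A   : " + stored);
            System.out.println("  computed on host B : " + computed);
            System.out.println("  login on host B    : "
                    + (stored.equals(computed) ? "succeeds" : "FAILS"));
        }

        // What password.getBytes() with no argument resolves to on this JVM.
        System.out.println("Default charset here: " + Charset.defaultCharset());
    }
}
```

The ASCII-only password digests identically under both charsets, which is why the dependency can go unnoticed until an account with a non-ASCII password is validated on a host with a different default.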