Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/10/08 00:31:39 UTC

DO NOT REPLY [Bug 31592] New: - storage format of digested realm passwords depends on default charset


http://issues.apache.org/bugzilla/show_bug.cgi?id=31592

storage format of digested realm passwords depends on default charset

           Summary: storage format of digested realm passwords depends on
                    default charset
           Product: Tomcat 5
           Version: 5.0.0
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: hontvari3@solware.com


The documentation specifies the digest algorithms which can be used to avoid 
storing plain text passwords. Unfortunately passwords are strings and the inputs of 
digest algorithms are bytes, but the conversion between the two - the charset 
encoding to be used - is not specified. 

Looking at the source of org.apache.tomcat.modules.aaa.RealmBase it turns out that 
it uses the system default charset encoding, which is usually a bad idea for 
server software. E.g. moving the server to another machine or using a second 
server with a different locale renders the user database invalid. 

The best solution would be to explicitly specify an encoding, e.g. UTF-8. But at 
this moment this may break existing configurations. Another solution is to add an 
additional parameter to each realm implementation and the command line utility, in 
which the administrator can specify the encoding. The default of this parameter 
must be "encode using the platform's default charset", in order to not break 
compatibility.
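As an added illustration (not part of the bug report or of Tomcat's own code), the following Python mirrors what a realm does when the password string is encoded with the platform charset before hashing, and shows why a stored digest stops verifying after a move to a host with a different default locale. The digest_encoding parameter is a hypothetical stand-in for the setting the report proposes; its None default reproduces the reported behaviour.

```python
import hashlib
import hmac
import locale
from typing import Optional

# Tomcat's "SHA" algorithm name is Java's SHA-1; other names map directly.
_ALGORITHMS = {"SHA": "sha1"}


def digest_password(password: str, algorithm: str = "MD5",
                    digest_encoding: Optional[str] = None) -> str:
    """Hex digest of a password as a realm would store it.

    digest_encoding=None reproduces the reported behaviour: the string is
    encoded with the platform's default charset before hashing, so the
    stored value depends on the machine that created it.
    """
    charset = digest_encoding or locale.getpreferredencoding(False)
    data = password.encode(charset)
    return hashlib.new(_ALGORITHMS.get(algorithm, algorithm.lower()), data).hexdigest()


def verify_password(stored: str, candidate: str, algorithm: str = "MD5",
                    digest_encoding: Optional[str] = None) -> bool:
    """Constant-time comparison of a stored digest against a login attempt."""
    return hmac.compare_digest(stored, digest_password(candidate, algorithm, digest_encoding))


def locale_change_breaks_login(password: str, old_charset: str, new_charset: str) -> bool:
    """Simulate creating the user database on a host whose default charset is
    old_charset and then serving logins from a host that defaults to new_charset.
    Returns True when the same, correct password is rejected after the move."""
    stored = digest_password(password, "MD5", old_charset)
    return not verify_password(stored, password, "MD5", new_charset)


if __name__ == "__main__":
    # Constructed sample passwords: one ASCII-only, one with non-ASCII letters.
    # Only the second one breaks, which is why the problem goes unnoticed for a while.
    for pw in ("s3cret", "pässwörd"):
        print(pw, "rejected after ISO-8859-1 -> UTF-8 move:",
              locale_change_breaks_login(pw, "ISO-8859-1", "UTF-8"))
    # With the encoding pinned explicitly on both hosts the digest is stable.
    print("pinned to UTF-8, rejected:", locale_change_breaks_login("pässwörd", "UTF-8", "UTF-8"))
```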
