Posted to users@tomcat.apache.org by Michael Wentzel <Mi...@aswethink.com> on 2001/06/15 19:47:03 UTC

RE: tomcat security, JDBCRealm, SimpleRealm readable passwords

> Hi,
> I've set up Tomcat 3.3 and almost everything works fine.
> I've set up a MySQL database 'authority' to authenticate against
> in a simple test web application. And now I have the following question
> and maybe someone can help me.
> I don't like having passwords on my filesystem readable to people
> who have file access. If I'm using SimpleRealm I have users/passwords
> in clear text in a file and that's not secure. If I use
> JDBCRealm I can store encrypted passwords in the table, but I don't
> know how Tomcat can read them. So in the table I have to use
> passwords that are not encrypted.
> On the other hand, if I let Tomcat
> connect to the database as user 'tomcat' for example with some
> password, anyone who finds out about the password will
> be able to connect to the database and read all the authentication
> information without a problem.
> So my question is:
> Is there any way to use password encryption in Tomcat's
> authentication mechanism?
> I'd greatly appreciate any help,

None of these methods really support credential encryption in their current
state.  But as you may well know ;) Tomcat is open source, therefore if you
take a look at org.apache.tomcat.request.JDBCRealm.java in the src tree
and the method authenticate(String, String) you will see where users are
authenticated.  You could modify this class in any manner you see fit to
authenticate against encrypted passwords in the database table.  I was
actually planning on doing this myself for our use but haven't gotten to it
just yet.


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
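The following is an added illustration of the comparison step the reply describes, written for this page and not taken from Tomcat's JDBCRealm. It shows what authenticate(String, String) would do if the user table held salted SHA-256 digests rather than clear-text passwords: recompute the digest from the stored salt and the supplied password and compare it to the stored digest. The class name HashedRealmDemo, the credential format "sha256$<salt>$<digest>", and the in-memory USER_TABLE standing in for the database column are all assumptions made for the example; a real realm would read the stored string from the table over JDBC instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical stand-in for the check a modified JDBCRealm.authenticate(String, String)
 * would perform against a table of salted, hashed passwords. Not Tomcat code.
 */
public class HashedRealmDemo {

    // Constructed sample "user table": username -> "sha256$<base64 salt>$<base64 digest>".
    // A real realm would SELECT this value from the database instead.
    private static final Map<String, String> USER_TABLE = new HashMap<>();

    // Digest of salt || password, base64-encoded so it can live in a text column.
    static String hash(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(md.digest());
    }

    // Builds the stored form for a new user: a fresh random salt plus the digest.
    static String createCredential(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return "sha256$" + Base64.getEncoder().encodeToString(salt) + "$" + hash(salt, password);
    }

    // The realm-side check: look up the stored record, re-hash the supplied
    // password with the stored salt, and compare digests in constant time.
    static boolean authenticate(String username, String credentials) throws NoSuchAlgorithmException {
        String stored = USER_TABLE.get(username);
        if (stored == null) {
            return false;
        }
        String[] parts = stored.split("\\$");
        if (parts.length != 3 || !"sha256".equals(parts[0])) {
            return false; // malformed or unknown credential format
        }
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = Base64.getDecoder().decode(hash(salt, credentials));
        // MessageDigest.isEqual avoids an early-exit comparison that leaks timing.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        USER_TABLE.put("alice", createCredential("correct horse"));
        System.out.println("alice / correct password: " + authenticate("alice", "correct horse"));
        System.out.println("alice / wrong password:   " + authenticate("alice", "wrong"));
        System.out.println("unknown user:             " + authenticate("bob", "anything"));
    }
}
```

Hashing the column answers only the first half of the question: someone who reads the table no longer sees reusable passwords. It does not address the second half, the clear-text database password that Tomcat itself needs in order to connect; that account should at least be limited to read access on the authentication table so that finding it exposes as little as possible.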