Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/09/24 06:46:22 UTC

DO NOT REPLY [Bug 45871] New: Support for salted and digested patches in DataSourceRealm

https://issues.apache.org/bugzilla/show_bug.cgi?id=45871

           Summary: Support for salted and digested patches in
                    DataSourceRealm
           Product: Tomcat 6
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: brandond@alum.mit.edu


Created an attachment (id=22627)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22627)
Patch for DataSourceRealm (trunk)

Simple hashing of passwords stored in databases is no longer sufficient
security for passwords. The root of the issue is that users are bad at
remembering strong passwords, so they choose weak ones. Weak passwords when
hashed can be reversed using available rainbow tables and cracking software. To
combat this, passwords should be uniquely "salted" before being hashed and
stored in the database. 

The attached patch enhances DataSourceRealm to allow it to authenticate against
a salted digested password. If configured to use salt, the user's salt is
queried from the database and then combined with the user's provided
credentials using a configurable MessageFormat before digesting. Authentication
proceeds otherwise unchanged.

A similar patch could, and arguably should, be applied to JDBCRealm, but based
on some discussion on the list about deprecating JDBCRealm (and because I don't
use JDBCRealm personally), I did not work on JDBCRealm. I would be happy to
port this patch to JDBCRealm if that's desired.

Limitation(s):

This patch does not impact the behavior of the RFC 2069 authentication method
in RealmBase.

If/when this patch is accepted, the documentation for DataSourceRealm will need
to be updated. I'll gladly volunteer to do those updates as well.

http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Rainbow_table


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
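The scheme the report describes (per-user salt fetched from the database, combined with the supplied credentials through a configurable MessageFormat, then digested and compared with the stored value) can be illustrated in a few lines of Java. The following is an added example written for this page, not the attached patch (id=22627) and not Tomcat's DataSourceRealm code; the column layout, the SALT_FORMAT pattern `{0}{1}` (salt first, then password), the SHA-256 algorithm and the in-memory map standing in for the DataSource are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.text.MessageFormat;
import java.util.HashMap;
import java.util.Map;

public class SaltedDigestExample {

    // Assumed realm configuration (not Tomcat's real attribute names):
    // the digest algorithm and the MessageFormat used to combine the
    // per-user salt ({0}) with the cleartext credentials ({1}).
    private static final String DIGEST_ALGORITHM = "SHA-256";
    private static final String SALT_FORMAT = "{0}{1}";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Constructed stand-in for the user table the realm would query:
    // user name -> { stored hex digest, stored hex salt }.
    private static final Map<String, String[]> USER_TABLE = new HashMap<>();

    // Hex-encode bytes, matching the way digested passwords are usually stored.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // A fresh, random 16-byte salt per user, hex-encoded for storage.
    static String newSalt() {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        return hex(salt);
    }

    // Combine salt and credentials with the configured MessageFormat, then digest.
    // Only the pattern is parsed by MessageFormat; braces inside the arguments
    // are treated literally, so a password containing '{' does not break this.
    static String digest(String salt, String credentials) {
        String combined = MessageFormat.format(SALT_FORMAT, salt, credentials);
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST_ALGORITHM);
            return hex(md.digest(combined.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("digest algorithm not available", e);
        }
    }

    // Enrolment: generate a salt, digest salt+password, store both columns.
    static void storeUser(String name, String password) {
        String salt = newSalt();
        USER_TABLE.put(name, new String[] { digest(salt, password), salt });
    }

    // Authentication, mirroring the report: look up the user's salt and stored
    // digest, digest the supplied credentials the same way, compare.
    static boolean authenticate(String name, String credentials) {
        String[] row = USER_TABLE.get(name);
        if (row == null) {
            return false;
        }
        String storedDigest = row[0];
        String salt = row[1];
        String candidate = digest(salt, credentials);
        // Constant-time comparison so that the comparison itself leaks nothing.
        return MessageDigest.isEqual(
                storedDigest.getBytes(StandardCharsets.UTF_8),
                candidate.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Two users with the same weak password get different stored digests,
        // which is exactly what defeats a precomputed rainbow table.
        storeUser("alice", "password1");
        storeUser("bob", "password1");
        System.out.println("alice digest: " + USER_TABLE.get("alice")[0]);
        System.out.println("bob   digest: " + USER_TABLE.get("bob")[0]);
        System.out.println("digests differ: "
                + !USER_TABLE.get("alice")[0].equals(USER_TABLE.get("bob")[0]));

        System.out.println("alice/password1 -> " + authenticate("alice", "password1"));
        System.out.println("alice/Password1 -> " + authenticate("alice", "Password1"));
        System.out.println("carol/password1 -> " + authenticate("carol", "password1"));
    }
}
```

The check that matters operationally is the first one in `main`: identical passwords must yield different rows, otherwise the salt column is not actually being mixed into the digest. The example also shows why the report's approach needs the extra salt column that Comment #2 objects to, since the salt has to be stored alongside the digest to be recomputed at login; a scheme that embeds the salt in the digest column itself avoids that schema change.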


DO NOT REPLY [Bug 45871] Support for salted and digested patches in DataSourceRealm

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45871

--- Comment #1 from Wesley <we...@gmail.com> 2010-08-27 14:00:42 EDT ---
I'd love to see the salt feature applied.



DO NOT REPLY [Bug 45871] Support for salted and digested patches in DataSourceRealm

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45871

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #2 from Mark Thomas <ma...@apache.org> 2011-10-28 22:14:06 UTC ---
The duplicate has a more complete (covers more realms) and less invasive
(doesn't require an additional column) patch.

*** This bug has been marked as a duplicate of bug 51966 ***
