Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2007/05/03 21:02:35 UTC

Re: [OT] User-password from the HttpServletRequest

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sam,

sebbo@gmx.ch wrote:
> I saw that I can get the password via the Principal: the Tomcat
> server has its own implementation of Principal, GenericPrincipal,
> which holds all the stuff (pw, roles, etc).

Wow, Tomcat keeps the user's password lying around in memory? That's
unfortunate... :(

> Does somebody know a good encryption/decryption algorithm which works
> only with a password (String)?

There are many symmetric encryption algorithms. DES, 3DES ("Triple
DES"), AES, and Blowfish are quite popular. Java supports many of these
algorithms out of the box. Figuring out how to use them can be a
challenge, so here's some of the things I've learned.

With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
ciphers available from the "SunJCE version 1.5" provider:

AES
Blowfish
DES
3DES

Each of these can be used with a simple password. You'll need to massage
your strings to get them into the proper format, though. Here is some
helpful code.

In order to do anything with a cipher, you'll need a key. The easiest
way to create a key is like this:

byte[] password = ...;   // the password bytes, in a fixed encoding (see below)
String algorithm = ...;  // "AES", "3DES", etc.
java.security.Key encryptionKey =
    new javax.crypto.spec.SecretKeySpec(password, algorithm);

Now that you have a key (which can be used for decryption, btw), you can
use a cipher:

byte[] clearText = ...; // convert your data-to-encrypt to bytes
javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, encryptionKey); // the Key from above
byte[] cipherText = cipher.doFinal(clearText);

Decryption is the same, just that you use DECRYPT_MODE when you call
Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.

A few other notes:

* Be careful about converting Strings to and from byte arrays. Make sure
that you consistently use the same character encoding (UTF-8 is always a
good bet) or your efforts will end in tears.

* If you want to store your encrypted data in a database, you have to
decide if you want to store binary byte data (BLOB) or character data
(CLOB). BLOBs are probably smaller (keep reading) but not as easy to
"read" when observing data in the database. CLOBs will take more space
but are easier to "read" when looking at your db. If you choose to use a
CLOB, then you'll need to convert the cipher text into a readable
format. Base64 encoding is often chosen because it results in 4 bytes of
output for every 3 bytes of input, so you "waste" only 1/3 extra
storage. Compare that to a "character binary encoding" (my term) where
you have 1 byte -> 2 character conversion (results look like "1a2b3c"
etc.) which doubles your data, which sucks.

This is only one way to interact with Java's crypto APIs. I'm sure there
are other ways, but after a lot of reading this is what I came up with.

Hope that helps,
- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGOjHL9CaO5/Lv0PARAmhuAJ9dmZchojiDSNOGBiPE8RCtZn8WHgCfXJL6
spL4xNqgsIAuKgHBLnD3KFo=
=RssM
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
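The recipe above (SecretKeySpec from the password bytes, Cipher.init/doFinal, UTF-8 for the string conversion, Base64 for a CLOB column) put together as one runnable class. This is an added example, not code from Chris's mail or from Tomcat, and it assumes a Java 8 or later JDK (java.util.Base64, "PBKDF2WithHmacSHA256" and "AES/GCM/NoPadding" are all in the stock SunJCE provider there). It deviates from the mail in two places that bite in practice: SecretKeySpec only accepts a key of exactly the length the algorithm wants (16, 24 or 32 bytes for AES), so the password is first run through PBKDF2 with a random salt to get a key of the right size; and Cipher.getInstance("AES") alone defaults to ECB mode, so the transformation is spelled out as AES-GCM with a random IV, which also gives an integrity check so a wrong password fails loudly instead of returning garbage. The class name, the sample password and the sample text are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: password-based encryption of strings for storage in a text column. */
public class PasswordCrypto {

    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;          // standard GCM nonce length
    private static final int TAG_BITS = 128;         // GCM authentication tag
    private static final int KEY_BITS = 128;         // AES-128 -> 16-byte key for SecretKeySpec
    private static final int PBKDF2_ITERATIONS = 100_000;

    private static final SecureRandom RNG = new SecureRandom();

    /** "Massages" an arbitrary-length password into a key of exactly the size AES needs. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        try {
            return new SecretKeySpec(keyBytes, "AES");   // SecretKeySpec copies the array
        } finally {
            spec.clearPassword();
            Arrays.fill(keyBytes, (byte) 0);
        }
    }

    /** Returns Base64( salt || iv || ciphertext+tag ), ready for a CLOB/VARCHAR column. */
    static String encrypt(char[] password, String clearText) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);

        // A fresh Cipher per operation: Cipher objects are stateful and not thread-safe.
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        // Always the same charset on both sides of the String <-> byte[] conversion.
        byte[] cipherText = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8));

        byte[] blob = new byte[SALT_BYTES + IV_BYTES + cipherText.length];
        System.arraycopy(salt, 0, blob, 0, SALT_BYTES);
        System.arraycopy(iv, 0, blob, SALT_BYTES, IV_BYTES);
        System.arraycopy(cipherText, 0, blob, SALT_BYTES + IV_BYTES, cipherText.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    /** Inverse of encrypt(); throws AEADBadTagException if the password or the stored data is wrong. */
    static String decrypt(char[] password, String stored) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(stored);
        if (blob.length < SALT_BYTES + IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored value too short to be valid");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] cipherText = Arrays.copyOfRange(blob, SALT_BYTES + IV_BYTES, blob.length);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(cipherText), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        String secret = "Grüße aus Zürich";                            // non-ASCII: exercises UTF-8

        String stored = encrypt(password, secret);
        System.out.println("stored   : " + stored);
        System.out.println("restored : " + decrypt(password, stored));

        // Storage overhead from the mail: Base64 is 4 chars per 3 bytes, hex ("1a2b3c") is 2 per byte.
        byte[] raw = Base64.getDecoder().decode(stored);
        System.out.println("raw bytes=" + raw.length
                + " base64 chars=" + stored.length()
                + " hex chars=" + raw.length * 2);

        try {
            decrypt("wrong password".toCharArray(), stored);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password rejected by the GCM tag check");
        }
    }
}
```

Because salt and IV are random per call, encrypting the same text twice yields two different stored strings; both decrypt to the same value. Storing the salt and IV alongside the ciphertext is what lets the decrypting side rebuild the identical key, which the mail's "the key can be used for decryption too" relies on.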


Re: [OT] User-password from the HttpServletRequest

Posted by se...@gmx.ch.
Thanks Chris, it helps me a lot :-)
Very useful information.


-------- Original Message --------
Date: Thu, 03 May 2007 15:02:35 -0400
From: Christopher Schultz <ch...@christopherschultz.net>
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: [OT] User-password from the HttpServletRequest

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sam,
> 
> sebbo@gmx.ch wrote:
> > I saw that I can get the password via the Principal: the Tomcat
> > server has its own implementation of Principal, GenericPrincipal,
> > which holds all the stuff (pw, roles, etc).
> 
> Wow, Tomcat keeps the user's password lying around in memory? That's
> unfortunate... :(
> 
> > Does somebody know a good encryption/decryption algorithm which works
> > only with a password (String)?
> 
> There are many symmetric encryption algorithms. DES, 3DES ("Triple
> DES"), AES, and Blowfish are quite popular. Java supports many of these
> algorithms out of the box. Figuring out how to use them can be a
> challenge, so here's some of the things I've learned.
> 
> With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
> ciphers available from the "SunJCE version 1.5" provider:
> 
> AES
> Blowfish
> DES
> 3DES
> 
> Each of these can be used with a simple password. You'll need to massage
> your strings to get them into the proper format, though. Here is some
> helpful code.
> 
> In order to do anything with a cipher, you'll need a key. The easiest
> way to create a key is like this:
> 
> byte[] password = ...;   // the password bytes, in a fixed encoding (see below)
> String algorithm = ...;  // "AES", "3DES", etc.
> java.security.Key encryptionKey =
>     new javax.crypto.spec.SecretKeySpec(password, algorithm);
> 
> Now that you have a key (which can be used for decryption, btw), you can
> use a cipher:
> 
> byte[] clearText = ...; // convert your data-to-encrypt to bytes
> javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
> cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, encryptionKey); // the Key from above
> byte[] cipherText = cipher.doFinal(clearText);
> 
> Decryption is the same, just that you use DECRYPT_MODE when you call
> Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.
> 
> A few other notes:
> 
> * Be careful about converting Strings to and from byte arrays. Make sure
> that you consistently use the same character encoding (UTF-8 is always a
> good bet) or your efforts will end in tears.
> 
> * If you want to store your encrypted data in a database, you have to
> decide if you want to store binary byte data (BLOB) or character data
> (CLOB). BLOBs are probably smaller (keep reading) but not as easy to
> "read" when observing data in the database. CLOBs will take more space
> but are easier to "read" when looking at your db. If you choose to use a
> CLOB, then you'll need to convert the cipher text into a readable
> format. Base64 encoding is often chosen because it results in 4 bytes of
> output for every 3 bytes of input, so you "waste" only 1/3 extra
> storage. Compare that to a "character binary encoding" (my term) where
> you have 1 byte -> 2 character conversion (results look like "1a2b3c"
> etc.) which doubles your data, which sucks.
> 
> This is only one way to interact with Java's crypto APIs. I'm sure there
> are other ways, but after a lot of reading this is what I came up with.
> 
> Hope that helps,
> - -chris
> 

-- 
"Feel free" - 10 GB mailbox, 100 free SMS per month ...
Try GMX TopMail now: http://www.gmx.net/de/go/topmail
