Posted to users@tomcat.apache.org by "Extance, Paul" <pa...@spirent.com> on 2003/06/03 20:39:35 UTC

RE: Alternate password encryption code?

We've already done this as part of the Jaffa (jaffa.sourceforge.net) open
source project. For more details see...

The Source Code @
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/org/jaffa/tomcat/realm/JDBCEncryptionRealm.java?rev=HEAD&content-type=text/vnd.viewcvs-markup

The Jaffa Site @ http://jaffa.sf.net

The JAR, if you want the easy way... is attached!

This has been tested with most tomcat releases from 3.3a up to 4.1.24 and
works. It supports two types of encryption signatures:

String xxx(String password) and
String xxx(String password, String Userid) in case you want to use their
user id as part of the key for the encryption

You provide the class name and the method name in server.xml, and it looks
for either method 1 or 2 and uses that to encrypt the password, before
comparing it with the one in the database. It does not try to decrypt the
database password, so a one way encryption algorithm can be supported.

This Realm also allows you some other features like extending the where
clause for the retrieve on user records, and the select for how to read the
roles (in case you don't want to create additional views!)

An example of how it can be used in server.xml is...

<Realm
    className          = "org.jaffa.tomcat.realm.JDBCEncryptionRealm"
    debug              = "0"
    driverName         = "oracle.jdbc.driver.OracleDriver"
    connectionURL      = "jdbc:oracle:thin:@myhost.mydomain.com:1521:mydb"
    connectionName     = "mydbuser"
    connectionPassword = "mydbpass"
    userTable          = "users"
    userNameCol        = "user_id"
    userCredCol        = "password"
    userClause         = "password is not null and user_status='Active'"
    userRoleTable      = "user_roles"
    roleNameCol        = "role_name"
    encryptionClass    = "com.mycompany.services.Encryption"
    encryptionMethod   = "encrypt"
/>

Just make sure you put the attached JAR, and your JAR, in the /server/lib
directory, and put the database driver JAR(s) in the same place or in
/common/lib.

Hope this helps...

Paul Extance

-----Original Message-----
From: Phil Steitz [mailto:phil@steitz.com] 
Sent: Saturday, May 31, 2003 9:25 AM
To: Tomcat Users List
Subject: Re: Alternate password encryption code?

Jeff Sexton wrote:
> On Thu, 29 May 2003, Raible, Matt wrote:
> 
>>Why don't you just have the JDBCRealm do it - add digest="SHA".
> 
> 
> I need something other than SHA, I need to use my own custom code for an
> encryption method of my own that is not provided by JDBCRealm
> 
> 
>>To programmatically do it using form-based authentication, I've used a
>>LoginServlet that's mapped to "auth" in my login.jsp's form.  In this
>>servlet, I encrypt the password and redirect to "j_security_check" - is that
>>what you're looking for?
> 
> 
> Maybe.  I'll do some reading about form-based authentication.  I'm not
> sure.
> 
> I'm after this because I already have set up a JDBCRealm based system,
> with BASIC authentication, and SHA, under Tomcat for both servlets and
> cocoon stuff.  Now I want to tie this together with another application
> that encrypts passwords differently from any method available in JDBCRealm.
> 
> I have the code for the encryption.  If I could simply drop this code into
> the user validation JDBCRealm does for me in Tomcat, it'd be great because
> the security would all work and I wouldn't have to create any
> user/password management pages of my own.

Based on the documentation here

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords

and a quick look at the sources here

http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java?rev=HEAD&content-type=text/plain

it does not look to me like you are going to be able to do this without 
hacking the JDBC Realm implementation.  The tomcat JDBC Realm 
implementation supports digested (*not* encrypted) passwords using 
java.security.MessageDigest to do the hashing.  This means that the 
hashing must be performed using one of the standard algorithms specified 
here
http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA

You are probably best off going with one of the approaches that Matt has 
outlined if you want to serve login pages from the tomcat nodes.


Phil



> 
> If I can do this, I can tie Tomcat authentication to the password system
> my company has on other systems.
> 
> Any tips are helpful!  I'm a little lost with this.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
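The two credential-check styles discussed in this thread, shown side by side as an added example (this is not the Jaffa JDBCEncryptionRealm source, nor Tomcat's JDBCRealm). Style 1 is what Phil describes: the presented password is hashed with a standard java.security.MessageDigest algorithm and the hex string is compared with the stored column. Style 2 is what Paul's realm does: the class and method named in server.xml are resolved by reflection, the two-argument (password, userid) signature is preferred, the one-argument signature is the fallback, and the stored value is never decrypted. The class names CredentialCheck and MyEncryption, the user "jdoe" and the password are assumptions constructed for the example.

```java
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/*
 * Added illustration of the two credential checks discussed on the list.
 * Not the Jaffa JDBCEncryptionRealm or Tomcat's JDBCRealm; the names
 * CredentialCheck and MyEncryption are assumptions for this example.
 */
public class CredentialCheck {

    /* Style 1: what JDBCRealm does with digest="SHA" -- hash the presented
     * password with a standard MessageDigest algorithm and render it as hex
     * so it can be compared with the stored column. */
    static String digest(String algorithm, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] raw = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /* Style 2: the realm from the thread -- resolve encryptionClass and
     * encryptionMethod by name, try the (String password, String userid)
     * signature first, fall back to (String password). The method must be
     * public static so it can be invoked without an instance. */
    static String customEncrypt(String className, String methodName,
                                String password, String userId) throws Exception {
        Class<?> clazz = Class.forName(className);
        try {
            Method two = clazz.getMethod(methodName, String.class, String.class);
            return (String) two.invoke(null, password, userId);
        } catch (NoSuchMethodException twoArgMissing) {
            Method one = clazz.getMethod(methodName, String.class);
            return (String) one.invoke(null, password);
        }
    }

    /* Constant-time comparison of the computed value with the stored one, so
     * the check does not leak how many leading characters matched. */
    static boolean matches(String computed, String stored) {
        if (computed == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8),
                                     stored.getBytes(StandardCharsets.UTF_8));
    }

    /* Hypothetical stand-in for com.mycompany.services.Encryption from the
     * server.xml example: a one-way digest that mixes in the user id. */
    public static class MyEncryption {
        public static String encrypt(String password, String userId) throws NoSuchAlgorithmException {
            return digest("SHA-1", userId + ":" + password);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the value the "users" table would hold for jdoe
        String storedForJdoe = digest("SHA-1", "jdoe:s3cret");
        String storedPlainSha = digest("SHA-1", "s3cret");

        // Style 1 check, as JDBCRealm with digest="SHA" would do it
        System.out.println("plain SHA, right password: "
                + matches(digest("SHA-1", "s3cret"), storedPlainSha));

        // Style 2 check, class and method resolved by name as from server.xml
        String cls = "CredentialCheck$MyEncryption";
        System.out.println("custom encrypt, right password: "
                + matches(customEncrypt(cls, "encrypt", "s3cret", "jdoe"), storedForJdoe));
        System.out.println("custom encrypt, wrong password: "
                + matches(customEncrypt(cls, "encrypt", "nope", "jdoe"), storedForJdoe));
        System.out.println("custom encrypt, wrong user: "
                + matches(customEncrypt(cls, "encrypt", "s3cret", "alice"), storedForJdoe));
    }
}
```

Compile and run with `javac CredentialCheck.java && java CredentialCheck`. Two points worth noting for anyone wiring this into a realm: the reflective lookup should accept only the class configured in server.xml (never a name taken from the request), and the comparison is done with MessageDigest.isEqual rather than String.equals, since the realm's whole job is to say yes or no without leaking anything else about the stored credential.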



Re: Alternate password encryption code?

Posted by John Turner <to...@johnturner.com>.
Neat!

John

On Tue, 3 Jun 2003 11:39:35 -0700, Extance, Paul <pa...@spirent.com> 
wrote:



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



RE: Alternate password encryption code?

Posted by Jeff Sexton <js...@odshp.com>.
Nice!  Thanks!


Jeff Sexton
The ODS Companies
jsexton@odshp.com


On Tue, 3 Jun 2003, Extance, Paul wrote:

