Posted to users@tomcat.apache.org by ahmet dalli <la...@yahoo.com> on 2002/08/27 09:14:37 UTC

Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

Hi all,

I am trying to use JDBCRealm to store user login
information in an Oracle database. I am working on a
Windows 2000 machine, using JDK 1.4 and Tomcat 4.0.4.

In server.xml, I have this configuration:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
<Realm 
className="org.apache.catalina.realm.JDBCRealm"
  debug="99"        
  driverName="oracle.jdbc.driver.OracleDriver" 
connectionURL="jdbc:oracle:thin:usr/pass@host:1521:ORCL"
  userTable="users" userNameCol="user_name"
  userCredCol="user_pass" userRoleTable="user_roles"
  roleNameCol="role_name" digest="MD5" />
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In an Oracle8i database, I have a table called "users"
which has two columns named "user_name" and
"user_pass"; and yet another one called
"user_roles" with two columns named "user_name" and
"user_role".

When I store user passwords in cleartext, everything
works fine.

I want to store passwords in a digested form. So, I
have used the following code to store a user_name:
baris, user_pass: aksu and user_role: director.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import org.apache.catalina.realm.RealmBase;
import java.sql.*;

public class DigestDene {
  public static void main(String[] args) throws Exception {
    if (args.length != 3) {
      System.err.println("usage: java DigestDene <username> <password> <role>");
      System.exit(1);
    }
    String username = args[0];
    String password = args[1];
    String role = args[2];
    // The same transformation Tomcat applies at login: lowercase hex MD5 of the cleartext.
    String digested = RealmBase.Digest(password, "MD5");
    // Here, code that connects to the database. The original post elides it; this
    // version assumes the JDBC URL is supplied as -Djdbc.url=... (an assumption).
    Class.forName("oracle.jdbc.driver.OracleDriver");
    Connection conn = DriverManager.getConnection(System.getProperty("jdbc.url"));
    try {
      // PreparedStatement: username and role are bound as parameters, never
      // concatenated into the SQL text, so a quote in either cannot alter the statement.
      PreparedStatement users = conn.prepareStatement(
          "insert into users (user_name, user_pass) values (?, ?)");
      users.setString(1, username);
      users.setString(2, digested);
      users.executeUpdate();
      users.close();
      PreparedStatement roles = conn.prepareStatement(
          "insert into user_roles (user_name, user_role) values (?, ?)");
      roles.setString(1, username);
      roles.setString(2, role);
      roles.executeUpdate();
      roles.close();
    } finally {
      conn.close(); // errors are no longer swallowed by an empty catch: let them surface
    }
  }
}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Then, I have inserted my user's info from the
command-line with:
^^^^^^^^^^^^^^^^^^^^^^^^^^
java DigestDene baris aksu director
^^^^^^^^^^^^^^^^^^^^^^^^^^^
After this, I have these values in the database:
(in table users)
 USER_NAME                USER_PASS
--------------- ------------------------
baris            394e654ca65973f232653fb0008c603d

(in table user_roles)
USER_NAME           USER_ROLE
------------------- ---------
baris               director

Lastly, in web.xml I have these lines:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
<security-constraint>
    <web-resource-collection>
     <web-resource-name>Protected Basla Servlet
     </web-resource-name>
     <url-pattern>/servlet/IlkGirisServlet
     </url-pattern>
    </web-resource-collection>
    <auth-constraint>
     <role-name>director</role-name>
    </auth-constraint>
    <user-data-constraint>
     <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When I try to access my protected resource, I am
presented with the classic login screen for BASIC
authentication, and after I type "baris" for username
and "aksu" for password, Tomcat simply doesn't let me
in.

Any suggestions or comments will be greatly
appreciated. 

Baris.....

__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

Posted by ahmet dalli <la...@yahoo.com>.
Thanks to those who were kind to share their
suggestions/comments. 

The problem was a subtle but important one: in
server.xml ==> roleNameCol="role_name",
but in the database there is no column called "role_name";
accidentally, the column's name is "user_role"!

Baris...




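The root cause Baris found is a realm attribute naming a column that does not exist. As an added example (not part of the thread, and not Tomcat code), the following Python check reads every JDBCRealm element from a server.xml fragment and compares each (table, column) pair the realm will query against the database schema, so a mismatch like roleNameCol="role_name" versus a real column "user_role" is reported before the first login fails. The server.xml fragment and the schema dictionary are constructed from what Baris posted; the function names are this example's own. JDBCRealm uses userNameCol in both the users query and the roles query, which is why it is checked against both tables. Oracle reports unquoted identifiers in upper case, so the comparison is case-insensitive.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the Realm from the thread, verbatim.
SERVER_XML = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="oracle.jdbc.driver.OracleDriver"
       connectionURL="jdbc:oracle:thin:usr/pass@host:1521:ORCL"
       userTable="users" userNameCol="user_name"
       userCredCol="user_pass" userRoleTable="user_roles"
       roleNameCol="role_name" digest="MD5"/>
</Engine></Service></Server>"""

# Constructed schema, exactly as Baris describes his tables. Oracle stores
# unquoted identifiers in upper case, so that is how they appear here.
SCHEMA = {
    "USERS": {"USER_NAME", "USER_PASS"},
    "USER_ROLES": {"USER_NAME", "USER_ROLE"},
}

JDBC_REALM = "org.apache.catalina.realm.JDBCRealm"
REQUIRED = ("userTable", "userNameCol", "userCredCol", "userRoleTable", "roleNameCol")


def realm_columns(realm):
    """The (table, column) pairs JDBCRealm's two SQL queries reference.

    userNameCol is used in both queries, so it must exist in both tables.
    """
    a = realm.attrib
    return [
        (a["userTable"], a["userNameCol"]),
        (a["userTable"], a["userCredCol"]),
        (a["userRoleTable"], a["userNameCol"]),
        (a["userRoleTable"], a["roleNameCol"]),
    ]


def check_realm(server_xml, schema):
    """Return a list of problems; an empty list means every referenced column exists."""
    root = ET.fromstring(server_xml)
    problems = []
    for realm in root.iter("Realm"):
        if realm.get("className") != JDBC_REALM:
            continue
        missing = [k for k in REQUIRED if realm.get(k) is None]
        if missing:
            problems.append("missing attributes: " + ", ".join(missing))
            continue
        for table, column in realm_columns(realm):
            cols = schema.get(table.upper())
            if cols is None:
                msg = "table %s not found" % table
            elif column.upper() not in cols:
                msg = "column %s.%s not found" % (table, column)
            else:
                continue
            if msg not in problems:
                problems.append(msg)
    return problems


if __name__ == "__main__":
    for problem in check_realm(SERVER_XML, SCHEMA) or ["realm and schema agree"]:
        print(problem)
```

Against a live Oracle instance the SCHEMA dictionary would be filled from ALL_TAB_COLUMNS for the realm's connection user rather than typed in; the rest of the check is unchanged.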

Re: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

Posted by Rick Fincher <rn...@tbird.com>.
Hi Baris,

I tried:
java -classpath CATALINA_HOME/server/lib/catalina.jar
org.apache.catalina.realm.RealmBase -a MD5 aksu

And got:
aksu:394e654ca65973f232653fb0008c603d

So that seems to be working correctly.  You may want to try changing
<auth-method>BASIC</auth-method>, to
<auth-method>DIGEST</auth-method>.  Since the browser is getting the
password you want it to be digested before it goes out on the net for
security unless you are using SSL.  Then it gets encrypted anyway and
digesting just protects your passwords from observation on the server side.
This might require you to turn off digest in the realm.

You can also increase the debug level in the realm and see what the log
files say.

Hope this helps,

Rick




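Rick's command shows that RealmBase produces 394e654ca65973f232653fb0008c603d for "aksu", which is the lowercase hex MD5 of the password. As an added example (not from the thread, and not Tomcat's code), here is that digest reproduced in Python, together with the comparison a digest-enabled realm performs at login, so a stored credential can be checked against a password without going through Tomcat. The USERS_TABLE dictionary is a constructed stand-in for the users table, and the function names are this example's own; Tomcat's RealmBase.Digest() hashes the password bytes in the platform default charset, which is byte-identical to the UTF-8 encoding used here for ASCII passwords (an assumption for anything else).

```python
import hashlib
import hmac

# Tomcat spells the algorithm the JCA way (digest="MD5", digest="SHA");
# map those names onto hashlib's.
ALGORITHMS = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1"}


def tomcat_digest(password, algorithm="MD5"):
    """Lowercase hex digest of the cleartext, as RealmBase.Digest() stores it.

    UTF-8 matches Tomcat's platform-default-charset bytes for ASCII passwords
    (assumption for non-ASCII ones).
    """
    try:
        name = ALGORITHMS[algorithm.upper()]
    except KeyError:
        raise ValueError("unsupported digest algorithm: %s" % algorithm)
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def credentials_match(stored, password, algorithm="MD5"):
    """Does a login attempt match the digest stored in userCredCol?

    strip()/lower() tolerate a space-padded or upper-cased column value;
    compare_digest keeps the comparison constant-time.
    """
    return hmac.compare_digest(stored.strip().lower(),
                               tomcat_digest(password, algorithm))


# Constructed stand-in for the "users" table, holding the row from the thread.
USERS_TABLE = {"baris": "394e654ca65973f232653fb0008c603d"}


def check_login(username, password, algorithm="MD5"):
    """The authenticate() step of a digest-enabled realm, against USERS_TABLE."""
    stored = USERS_TABLE.get(username)
    if stored is None:
        return False
    return credentials_match(stored, password, algorithm)


if __name__ == "__main__":
    print("aksu:" + tomcat_digest("aksu"))   # same line Rick's command printed
    print("baris/aksu ->", check_login("baris", "aksu"))
```

Because the realm digests the submitted password the same way before comparing, the stored value must be the digest of the exact cleartext the user types; a different algorithm in digest="..." than the one used to populate the table, or a hex string in upper case from another tool, will fail in just the way Baris describes.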

RE: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)

Posted by Andrew Conrad <an...@attbi.com>.
I have no problems using SHA-1.  I also use FORM based authentication.
You might try those, just to see if anything's different.
