Posted to users@tomcat.apache.org by Wi...@tsys.com on 2013/11/20 09:30:11 UTC

Visible passwords in realm

Hi all,

Is there any way to not have the password visible in the realm for example 
for active directory realm?

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://xxxxxxxxxxx:389"
           authentication="simple"
           referrals="follow"
           connectionName="cn=cccc CN=xxxxxx ,ou=xxxx,ou=sasa ,ou=xxxxs,ou=xxx,dc=xxx, dc=xxxx,dc=net"
           connectionPassword="password"
           userSearch="(sAMAccountName={0})"
           userBase="DC=xxx,DC=xxx, DC=x"
           userSubtree="true"
           roleSearch="(member={0})"
           roleName="cn"
           roleSubtree="true"
           roleBase="dc=xx,dc=xxx,dc=xxx"/>


Thanks
William


Re: Visible passwords in realm

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 11/20/13 10:22 AM, Milo Hyson wrote:
> Out of curiosity, what problems do you see hashed passwords resolving in this case?

As others have already pointed out, I was shooting off my mouth without 
understanding the question.

<Emily Litella>Oh. That's very different. Nevermind.</Emily Litella>

--
JHHL
(Now going back to a heated discussion of such subjects as flea 
erections, violins on television, eagle rights, and endangered feces.)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Visible passwords in realm

Posted by Milo Hyson <mi...@cyberlifelabs.com>.
Out of curiosity, what problems do you see hashed passwords resolving in this case?

- Milo Hyson
Chief Scientist
CyberLife Labs, Inc.

On Nov 20, 2013, at 8:23 AM, James H. H. Lampert <ja...@touchtonecorp.com> wrote:

> Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400 does (i.e., as a one-way hash), it would solve a multitude of problems.


Re: Visible passwords in realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 11/20/13, 11:23 AM, James H. H. Lampert wrote:
> 2013/11/20  <Wi...@tsys.com>:
>>> Is there any way to not have the password visible in the realm
>>> for example for active directory realm?
> . . . On 11/20/13 12:36 AM, Konstantin Kolinko wrote:
>> https://wiki.apache.org/tomcat/FAQ/Password
> 
> Harrumph. It occurs to me that if Tomcat stored passwords the way
> OS/400 does (i.e., as a one-way hash), it would solve a multitude
> of problems.

-1

You evidently don't understand the nature of the problem.

First of all, Tomcat does not store the password(s) at all. Second, if
Tomcat were to store the passwords as a one-way hash, it wouldn't help
at all: you would still supply the password in plain-text, and Tomcat
would hash it to compare. Why does Tomcat have to hash the password?
Because a) only Tomcat (or the database, directory, etc.) knows the
hashing algorithm used, the hash salt and iteration count (you *would*
use salted, iterated hashes, right?), etc. If the client could hash
the password, then Tomcat would be comparing hashes to hashes, which
is just called a new password.

> Of course, the far greater problem is that if somebody can get at
> your password file for nefarious purposes, then they can also most
> likely get at your SSL keystore for nefarious purposes, and a
> one-way hash wouldn't work for that.

One-way hashes work for protecting data in the event of a data theft.
They don't at all protect against unauthorized access.

-chris



Re: Visible passwords in realm

Posted by Mark Thomas <ma...@apache.org>.
On 20/11/2013 16:23, James H. H. Lampert wrote:
> 2013/11/20  <Wi...@tsys.com>:
>>> Is there any way to not have the password visible in the realm for
>>> example for active directory realm?
> . . .
> On 11/20/13 12:36 AM, Konstantin Kolinko wrote:
>> https://wiki.apache.org/tomcat/FAQ/Password
> 
> Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400
> does (i.e., as a one-way hash), it would solve a multitude of problems.

I suggest you read the original post again more carefully. These are not
user passwords that Tomcat needs to validate (Tomcat has supported
hashes for that for as long as I remember). This is a password Tomcat
needs to use to connect to an external service. As the FAQ makes clear,
storing these passwords in plain text is no less secure than any of the
various "encryption" solutions that folks periodically propose.

Mark




Re: Visible passwords in realm

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
2013/11/20  <Wi...@tsys.com>:
>> Is there any way to not have the password visible in the realm for
>> example for active directory realm?
. . .
On 11/20/13 12:36 AM, Konstantin Kolinko wrote:
> https://wiki.apache.org/tomcat/FAQ/Password

Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400 
does (i.e., as a one-way hash), it would solve a multitude of problems.

Of course, the far greater problem is that if somebody can get at your 
password file for nefarious purposes, then they can also most likely get 
at your SSL keystore for nefarious purposes, and a one-way hash wouldn't 
work for that.

--
JHHL






Re: Visible passwords in realm

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/11/20  <Wi...@tsys.com>:
> Hi all,
>
> Is there any way to not have the password visible in the realm for example
> for active directory realm?
>
>                 <Realm className="org.apache.catalina.realm.JNDIRealm"
>                         debug="99"
>                         connectionURL="ldap://xxxxxxxxxxx:389"
>                         authentication="simple"
>                         referrals="follow"
>                         connectionName="cn=cccc CN=xxxxxx ,ou=xxxx,ou=sasa
> ,ou=xxxxs,ou=xxx,dc=xxx, dc=xxxx,dc=net"
>                         connectionPassword="password"
>                         userSearch="(sAMAccountName={0})"
>                         userBase="DC=xxx,DC=xxx, DC=x"
>                         userSubtree="true"
>                         roleSearch="(member={0})"
>                         roleName="cn"
>                         roleSubtree="true"
>                         roleBase="dc=xx,dc=xxx,dc=xxx"/>
>


https://wiki.apache.org/tomcat/FAQ/Password



RE: Visible passwords in realm

Posted by Jan Tosovsky <j....@email.cz>.
On 2013-11-20 WilliamIsseyegh@tsys.com wrote:
> Is there any way to not have the password visible in the realm for
> example for active directory realm?

You can extend the default JNDIRealm:

import org.apache.catalina.realm.JNDIRealm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Credentials and CredentialsReader are the custom classes from the
// credentials-util jar (no import in the original, so same package assumed).
public class ADRealm extends JNDIRealm {

    private static final Logger LOGGER =
            LoggerFactory.getLogger(ADRealm.class.getName());
    private static final String KEY_AD = "my.ldap";

    public ADRealm() {
        LOGGER.info("My Active Directory Realm initialized...");
        // Bind credentials come from the central store, so they no longer
        // need to appear as attributes in server.xml.
        Credentials credentials =
                new CredentialsReader().getCredentials(KEY_AD);
        // connectionName / connectionPassword are protected fields of JNDIRealm.
        connectionName = credentials.getUser();
        connectionPassword = credentials.getPassword();
    }
}

Credentials reader is another custom class for reading credentials from your
central storage.

You have to define a combined realm:

    <Realm className="org.apache.catalina.realm.CombinedRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Realm className="my.realm.ADRealm"
             debug="99"
             connectionURL="..."
             authentication="simple"
             referrals="follow"
             userBase="..."
             userSearch="(mailNickname={0})"
             userSubtree="true"
             commonRole="Administrator"
      />
    </Realm>

And place all libraries in the tomcat/lib folder:
- realm-1.0.jar (this class)
- credentials-util-1.0.jar
- slf4j-api-1.6.6.jar
- slf4j-jdk14-1.6.6.jar

I've implemented it not for safety but for my convenience, as the password
expires from time to time and thanks to this it is enough to change it once
in the central storage. From there it is used in all my tools (I use it in a
local network only).

Jan
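One way to implement the CredentialsReader and Credentials classes that this ADRealm calls, as an added example that is neither Jan's code nor the credentials-util library: it reads `<key>.user` and `<key>.password` from a properties file and refuses a file that group or others can read, since moving the password out of server.xml only helps when the new location is at least as well protected as server.xml was. The `credentials.file` system property, the property-name layout and the single-file, same-package arrangement (both classes in CredentialsReader.java) are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Objects;
import java.util.Properties;

/** Holder for one user/password pair; toString() hides the password so it cannot leak via logs. */
class Credentials {
    private final String user;
    private final String password;
    Credentials(String user, String password) { this.user = user; this.password = password; }
    public String getUser() { return user; }
    public String getPassword() { return password; }
    @Override public String toString() { return "Credentials[user=" + user + ", password=<hidden>]"; }
}
/** Hypothetical reader: loads "<key>.user" and "<key>.password" from a properties file named by
 *  the (assumed) JVM system property -Dcredentials.file=/path/to/credentials.properties. */
public class CredentialsReader {
    private static final String LOCATION_PROPERTY = "credentials.file";
    public Credentials getCredentials(String key) {
        Path file = Paths.get(Objects.requireNonNull(System.getProperty(LOCATION_PROPERTY),
                "system property " + LOCATION_PROPERTY + " is not set"));
        try {
            // The file now holds what server.xml used to hold, so it must be no more readable than
            // server.xml was: refuse any group/other bit (POSIX only; on Windows check the ACL instead).
            for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
                if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                    throw new IOException("Refusing " + file + ": permission " + p + " is too open");
                }
            }
            Properties props = new Properties();
            try (InputStream in = Files.newInputStream(file)) {
                props.load(in);
            }
            String user = props.getProperty(key + ".user");
            String password = props.getProperty(key + ".password");
            if (user == null || password == null) {   // name the missing key, never echo values
                throw new IOException("No '" + key + ".user' / '" + key + ".password' in " + file);
            }
            return new Credentials(user, password);
        } catch (IOException e) {
            throw new UncheckedIOException(e);   // unchecked: callable from a no-throws constructor
        }
    }
}
```

With the ADRealm above unchanged, start Tomcat with `-Dcredentials.file` pointing at a file owned by the Tomcat user with mode 0600; any looser mode makes the realm refuse to start rather than read the password.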

