Hi Mathias,
Your patch is interesting and is resolving a clear problem.
On the other side, I would propose you create another module (let's say
CryptedRealm?). SimpleRealm should remain "simple".
What's missing is the ability to store the passwords (how do you plan to
encrypt? a passwd tool?). Maybe we can add an admin page to manage
users and passwords, and then we'll have all the elements for using
crypted passwords.
I would also propose to include this new module in 3.3.
Costin
On Fri, 9 Feb 2001, Mathias Herberts wrote:
> Hi,
>
> I've been playing around with Tomcat 3.2.1 as we have several production
> servers using it and was concerned by the way the passwords were stored
> in tomcat-users.xml.
>
> The included patch modifies SimpleRealm.java
> (org.apache.tomcat.request.SimpleRealm) so it can correctly manage a
> tomcat-users.xml file whose passwords are encrypted.
>
> The method used to handle encryption is java.security.MessageDigest,
> therefore all algorithms known by this class (without the use of an
> external Provider) can be used, mainly MD5 and SHA.
>
> All passwords in tomcat-users.xml must be encrypted using the same
> algorithm (or no algorithm if so chosen). The algorithm of choice is
> specified in the declaration of
> the SimpleRealm RequestInterceptor as follows:
>
> <RequestInterceptor
> className="org.apache.tomcat.request.SimpleRealm"
> debug="1" crypt="MD5" />
>
> The SimpleRealm request interceptor then expects all tomcat-users.xml
> passwords to be
> encrypted using the specified algorithm; comparison is case insensitive
> (for the encrypted part).
>
> If you choose not to use encryption, simply omit the crypt attribute in
> the RequestInterceptor element.
>
> As I am not a subscriber of the tomcat-dev mailing list please CC me
> when replying to my message.
>
> Any comment welcome about this patch.
>
> Best regards,
>
> Mathias Herberts.
--
Costin
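
The "passwd tool" question above and the case-insensitive comparison described in the quoted message, sketched as an added example (not the patch's code and not part of Tomcat). The class name `RealmDigest`, the UTF-8 encoding, the hex output format and the sample password are assumptions; note that `java.security.MessageDigest` produces a one-way, unsalted hash rather than reversible encryption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Hypothetical helper: produces and checks values for the password
// attribute of tomcat-users.xml when crypt="MD5" or crypt="SHA" is set.
public class RealmDigest {

    private static byte[] bytes(String s) {
        return s.getBytes(StandardCharsets.UTF_8); // encoding is an assumption
    }

    // Hex-encode the digest of the password using the named algorithm.
    static String digest(String algorithm, String password)
            throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance(algorithm).digest(bytes(password));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    // algorithm == null models an omitted crypt attribute (plain-text compare).
    // The stored hex value is lower-cased first, so "5F4D..." and "5f4d..."
    // are treated as equal; MessageDigest.isEqual avoids an early-exit compare.
    static boolean matches(String algorithm, String stored, String submitted)
            throws NoSuchAlgorithmException {
        if (algorithm == null) {
            return MessageDigest.isEqual(bytes(stored), bytes(submitted));
        }
        String expected = stored.toLowerCase(Locale.ROOT);
        return MessageDigest.isEqual(bytes(expected), bytes(digest(algorithm, submitted)));
    }

    public static void main(String[] args) throws Exception {
        String sample = "example-password"; // constructed sample value
        for (String alg : new String[] {"MD5", "SHA"}) {
            String stored = digest(alg, sample);
            System.out.println(alg + " value for tomcat-users.xml: " + stored);
            // An upper-case copy of the stored value must still match.
            System.out.println("  upper-case stored value matches: "
                    + matches(alg, stored.toUpperCase(Locale.ROOT), sample));
            System.out.println("  wrong password matches: "
                    + matches(alg, stored, "wrong-password"));
        }
    }
}
```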