On Thu, 27 Dec 2001, Roland wrote:
> Date: Thu, 27 Dec 2001 12:52:08 -0200
> From: Roland <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Implementing JDBC realm with encryption
>
> Hello,
> I want to implement my own JDBC realm with browser-side password
> encryption. The idea is to hash the password together with the sessionId
> and a random variable using SHA-1 on the browser side with Javascript. The
> hash is then sent to the server. This prevents hackers from retrieving the
> password in plain text from the internet. Has anything like this been
> implemented already? How do I start to implement it myself?
>
I think you might be confusing some concepts -- a Realm doesn't talk
directly to a browser. Let's divide up the transaction like this:
Browser ---username/password--> Container ---username/password--> Realm
Now, are you concerned about encrypting the Browser-->Container or the
Container-->Realm path? The two are completely independent of each other:
* For Browser-->Container, the best thing to do is use DIGEST (if your
  browser supports it) or CLIENT-CERT authentication. In those cases, the
  password that goes across the wire is already encrypted for you.
* For Container-->Realm, the existing Realm implementations have the
  ability to store the password in an encrypted form (rather than
  clear-text). See the server configuration documentation about realms -
  in particular the "digest" attribute.
> Thanks, Roland
>
Craig McClanahan