James,

On 11/20/13, 11:23 AM, James H. H. Lampert wrote:
> 2013/11/20 <williamissey...@tsys.com>:
>>> Is there any way to not have the password visible in the realm
>>> for example for active directory realm?
> . . .
> On 11/20/13 12:36 AM, Konstantin Kolinko wrote:
>> https://wiki.apache.org/tomcat/FAQ/Password
>
> Harrumph. It occurs to me that if Tomcat stored passwords the way
> OS/400 does (i.e., as a one-way hash), it would solve a multitude
> of problems.

-1

You evidently don't understand the nature of the problem.

First of all, Tomcat does not store the password(s) at all.

Second, if Tomcat were to store the passwords as a one-way hash, it wouldn't help at all: you would still supply the password in plain-text, and Tomcat would hash it to compare.

Why does Tomcat have to hash the password? Because a) only Tomcat (or the database, directory, etc.) knows the hashing algorithm used, the hash salt and iteration count (you *would* use salted, iterated hashes, right?), etc. If the client could hash the password, then Tomcat would be comparing hashes to hashes, which is just called a new password.

> Of course, the far greater problem is that if somebody can get at
> your password file for nefarious purposes, then they can also most
> likely get at your SSL keystore for nefarious purposes, and a
> one-way hash wouldn't work for that.

One-way hashes work for protecting data in the event of a data theft. They don't at all protect against unauthorized access.
-chris
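The following Python is an added illustration of the two points made in the reply above: the server keeps a salted, iterated hash and re-derives it from the plain-text password it receives, and a scheme where the client sends the hash instead turns the stored hash itself into the credential. It is not Tomcat's code and not the realm implementation the thread discusses; the `iterations$salt$hash` record format, the choice of PBKDF2-HMAC-SHA256, and the iteration counts are assumptions made for this example.

```python
"""Server-side salted, iterated password verification (added example, not Tomcat's code).

Assumptions for this illustration: records are stored as
"iterations$base64(salt)$base64(PBKDF2-HMAC-SHA256)".
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for new records


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Build the stored record for a password: a fresh random salt plus an
    iterated hash. Only the server ever sees the algorithm, salt and count."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_plaintext(password: str, record: str) -> bool:
    """What the server does with a one-way hash: it receives the plain-text
    password, re-derives the hash using the stored salt and iteration count,
    and compares in constant time. A stolen record does not let anyone log in
    without first recovering the password."""
    iterations, salt_b64, dk_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def verify_client_hash(client_hash: bytes, record: str) -> bool:
    """The flawed alternative the reply rejects: the client hashes and the server
    only compares hash to hash. The stored hash is now "just a new password":
    whoever holds the record can present it directly."""
    expected = base64.b64decode(record.split("$")[2])
    return hmac.compare_digest(client_hash, expected)


def demo() -> dict:
    """Run the three cases against one record built with a constructed, fixed
    salt and a small iteration count so the demo is quick and reproducible."""
    salt = bytes(range(16))  # constructed salt for the demo only; use os.urandom in practice
    record = make_record("correct horse", salt=salt, iterations=1000)
    stolen_hash = base64.b64decode(record.split("$")[2])  # what a record thief holds
    return {
        "right_password": verify_plaintext("correct horse", record),
        "wrong_password": verify_plaintext("wrong horse", record),
        "replayed_stolen_hash": verify_client_hash(stolen_hash, record),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome else 'rejected'}")
```

The `demo()` result makes the thread's point concrete: the plain-text check accepts the right password and rejects the wrong one, while the client-hashed variant accepts a replayed stolen hash, which is exactly why hashing on the client side buys nothing against a thief who has the password file.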