Sreyan,

On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
> Okay, so if I have stored my password in my DB with SHA256
> encryption, can the credential handler declared in the realm work
> if it is declared with SHA512?

No. SHA256 and SHA512 produce hashes of different sizes, so with the same input, they will always produce different outputs.

https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions

> As far as I know it must be the same algorithm, salt and iterations for
> the hash to be matched perfectly.

Correct.

> Now take my case:
>
> <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>                    algorithm="PBEWITHMD5ANDTRIPLEDES" />
>
> Okay, this is the credential handler that I am using. In my DB the
> password is stored using PBEWITHHMACSHA384ANDAES_256, a completely
> different algorithm than the one specified before. So how come, when
> I put in my user-id and password on my form-login page, I am not
> getting an authentication error and instead am being forwarded to the
> protected resource?

Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are somehow aliases of each other?

Also, it's possible that your implementation of the algorithm is flawed. Try running the "mutate" method from a command-line driver on some sample input to see what falls out.

> It should use the algorithm in the CredentialHandler to mutate the
> password. Now don't tell me that two different algorithms offer the
> same hash.
>
> What is going on here?

My guess is a bug in the CredentialHandler itself. Can you post some code?
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
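The following is an added example, not code from the thread and not Tomcat's SecretKeyCredentialHandler. It is a small stand-alone model of a salted, iterated credential handler in Python that makes the two points in the reply concrete: a credential derived under one hash algorithm cannot be verified under another (even the output lengths differ for SHA-256 vs SHA-512), and a matching algorithm, salt and iteration count are all required. It also shows the "command-line driver" check suggested above: store a password under one algorithm, re-derive it under another, and look at both values side by side. Assumptions of the model: credentials are stored as `salt$iterations$derived_key` with hex fields (chosen so the verifier can recover salt and iterations; not a claim about Tomcat's exact on-disk format), hashlib's algorithm names (`sha256`, `sha384`, `sha512`) stand in for the JCE names in the thread, and the password and salt are constructed for the demo.

```python
"""Stand-alone model of a salted, iterated credential handler (added example).

Stored credential layout, an assumption of this model:
    "<salt hex>$<iterations>$<derived key hex>"
PBKDF2-HMAC from hashlib is used for derivation; nothing here calls Tomcat.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def derive(password: str, algorithm: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC over the named hash; output length is that hash's digest size
    (32 bytes for sha256, 48 for sha384, 64 for sha512)."""
    return hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations)


def mutate(password: str, algorithm: str, *, salt: Optional[bytes] = None,
           iterations: int = 100_000, salt_len: int = 16) -> str:
    """Produce the value that would be written to the database.

    A fresh random salt is drawn unless one is supplied; demos and tests pass
    a fixed salt so the output is reproducible.
    """
    if salt is None:
        salt = secrets.token_bytes(salt_len)
    dk = derive(password, algorithm, salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def matches(password: str, stored: str, algorithm: str) -> bool:
    """Verify `password` against `stored` using the *configured* algorithm.

    Salt and iteration count are recovered from the stored value; the algorithm
    comes from configuration, which is exactly the situation in the thread.
    The comparison is constant-time, and a length mismatch (sha256 stored,
    sha512 configured) is simply a non-match.
    """
    try:
        salt_hex, iter_str, dk_hex = stored.split("$", 2)
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex), int(iter_str)
    except ValueError:
        return False  # a malformed stored credential never authenticates
    return hmac.compare_digest(derive(password, algorithm, salt, iterations), expected)


def cross_check(password: str, stored_with: str, verify_with: str,
                salt: bytes, iterations: int = 1000) -> dict:
    """The command-line-driver check: store under one algorithm, attempt to
    verify under another, and return both derived values for inspection."""
    stored = mutate(password, stored_with, salt=salt, iterations=iterations)
    return {
        "stored": stored,
        "recomputed_with_verify_alg": derive(password, verify_with, salt, iterations).hex(),
        "same_algorithm": matches(password, stored, stored_with),
        "other_algorithm": matches(password, stored, verify_with),
        "wrong_password_same_algorithm": matches(password + "!", stored, stored_with),
    }


if __name__ == "__main__":
    # Constructed inputs: a fixed salt and a throwaway password, for a reproducible demo.
    demo_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for stored_alg, verify_alg in (("sha256", "sha512"), ("sha384", "sha256")):
        result = cross_check("correct horse battery staple", stored_alg, verify_alg, demo_salt)
        print(f"stored with {stored_alg}, verified with {verify_alg}:")
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Running the module prints, for each pair, the stored value and the value the verifier computes under the other algorithm; the two hex strings differ in content (and in length for sha256/sha512), `same_algorithm` is true and `other_algorithm` is false. If a real handler reports a match across two different algorithm names, the same side-by-side comparison of its mutate() output under each name is the quickest way to see whether the two names actually yield different derived values.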