George,

On 7/29/16 1:46 PM, George Sexton wrote:
> I was looking at the source code for
> org.apache.catalina.realm.RealmBase and see that it can handle
> salted SHA for passwords. Does anyone have some example code that
> demonstrates generating the SSHA value: generating the salt, doing
> the digest, and outputting the value so that I could put it in my
> Tomcat-Users.xml file? I'm using Tomcat 7, so it looks like the
> CredentialHandler which provides a mutate() method wouldn't be
> available.

Do you mean a salted digest in general, or specifically the {SSHA}-prefixed variant?

For the former, just use $CATALINA_HOME/bin/digest.sh to launch RealmBase's main method from the command-line with the right options. You can always use a later version of Tomcat just for that purpose, and use the output with the older versions.

For the latter, you'll have to write some code. The format is fairly straightforward:

    "{SSHA}" + base64 ( 20 salt bytes + SHA1 ( cleartext ) )

In later versions of Tomcat, the MessageDigestCredentialHandler can *read* the {SSHA}-formatted output, but it can't generate it directly.

I made a patch a while back that gives web applications access to their CredentialHandlers, so that applications could call matches() and mutate() without having to know exactly how the passwords were being stored. If SSHA is in use, then the output won't match the input.

I see an opportunity for improvement of the MessageDigestCredentialHandler. Would you care to try your hand at a patch? I think you'd need to add a new option - "output flavor" or something like that - and then the mutate() method would check that setting before encoding the result.

-chris
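
An added example, not part of the original message and not Tomcat code: generating and checking an {SSHA} value in the layout used by LDAP servers such as OpenLDAP, base64(SHA1(cleartext + salt) + salt), that is, the 20-byte digest first with the salt after it. The function names, the 8-byte salt length and the password encoding are assumptions; confirm a generated value against your own Tomcat version before relying on it.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def ssha_encode(cleartext, salt=None, encoding="utf-8"):
    """Return "{SSHA}" + base64(SHA1(cleartext + salt) + salt).

    encoding is an assumption: it must match how the server turns the
    submitted password into bytes (irrelevant for pure-ASCII passwords).
    """
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password (length assumed)
    digest = hashlib.sha1(cleartext.encode(encoding) + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(cleartext, stored, encoding="utf-8"):
    """Check cleartext against a stored {SSHA} value; malformed input is False."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # bad alphabet or padding
        return False
    if len(raw) <= SHA1_LEN:  # digest only, no salt: not a salted value
        return False
    # First 20 bytes are the digest, everything after them is the salt.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext.encode(encoding) + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    # Constructed sample password; paste the printed value into the
    # password attribute of the user entry.
    print(ssha_encode("constructed-password"))
```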