-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sam,

[EMAIL PROTECTED] wrote:
> I'm using the password of the [authentication] to encrypt and decrypt
> some data in a database, user-specific (each user's own data is encrypted with the
> user's password).

Uh... are you sure this is a good idea? If the user changes his or her password, do you re-encrypt all of their data? This doesn't seem like a very efficient way to store encrypted information.

My advice: randomly generate an encryption key when the account is created (or afterward for existing users) and encrypt /that/ with the user's password. Then, when the user's password is changed, you only have to re-encrypt the encryption/decryption key itself, instead of every piece of information in there.

> Getting to the password must be possible, no?

The servlet API provides no way to get the user's password. You'll have to do this yourself. If you need the password all the time, you could store it in the session during login and you'd have it available whenever you want.

If you use my suggestion from above, you could use the login password to decrypt the general encryption/decryption key and then store that in the session, which might be more convenient (or safer?) than storing the user's actual password in the session.

On second thought, the encryption key is more sensitive (at least, as far as your application goes) than the user's password, so perhaps the user's password in the session is better "just in case".

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGOPp+9CaO5/Lv0PARAmcWAJ4t20OJWt1cm7ypLLLRm6mUtIAOZwCfZFJX
I+XT0VE6lyijDBtb/JScUnM=
=0QB0
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]