I saw that I can get the password via the Principal: the Tomcat server has its own implementation of Principal, GenericPrincipal, which holds all the stuff (pw, roles, etc.).
I know the problem with the changing of password, but that's not the main problem now ;-) Does somebody know a good encryption/decryption algorithm which works only with a password (String)?

-------- Original Message --------
Date: Wed, 02 May 2007 16:54:22 -0400
From: Christopher Schultz <[EMAIL PROTECTED]>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: User-password from the HttpServletRequest

> Sam,
>
> [EMAIL PROTECTED] wrote:
> > I'm using the password of the [authentication] to encrypt and decrypt
> > some data to a database user specific (each user's own data has the
> > user's password).
>
> Uh... are you sure this is a good idea? If the user changes his or her
> password, do you re-encrypt all of their data? This doesn't seem like a
> very efficient way to store encrypted information.
>
> My advice: randomly generate an encryption key when the account is
> created (or afterward for existing users) and encrypt /that/ with the
> user's password. Then, when the user's password is changed, you only
> have to re-encrypt the encryption/decryption key itself, instead of
> every piece of information in there.
>
> > It must be possible to get to the password, no?
>
> The servlet API provides no way to get the user's password. You'll have
> to do this yourself. If you need the password all the time, you could
> store it in the session during login and you'd have it available
> whenever you want.
>
> If you use my suggestion from above, you could use the login password to
> decrypt the general encryption/decryption key and then store that in the
> session, which might be more convenient (or safer?) than storing the
> user's actual password in the session.
>
> On second thought, the encryption key is more sensitive (at least, as
> far as your application goes) than the user's password, so perhaps the
> user's password in the session is better "just in case".
>
> -chris
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
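The key-wrapping scheme Christopher recommends above (random per-user data key, wrapped under a key derived from the login password, so a password change only re-wraps the key), as an added example in Java that is not code from this thread; the class and method names are my own, and it assumes a Java 8 or newer JDK so that PBKDF2WithHmacSHA256 and AES/GCM are available.

```java
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo: per-user random data-encryption key (DEK) wrapped by a password-derived key (KEK).
public class WrappedDekDemo {
    static final SecureRandom RNG = new SecureRandom();
    // Derive the KEK from the password; the salt is stored with the user record, the KEK never is.
    static SecretKey kekFromPassword(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 200_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }
    // AES-GCM with a fresh 96-bit IV; output layout is iv || ciphertext || tag.
    static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Reverses seal(); a wrong key or a tampered blob fails with AEADBadTagException.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    public static void main(String[] args) throws Exception {
        // Account creation: random DEK, stored only wrapped under the old password's KEK.
        byte[] salt = random(16), newSalt = random(16), dek = random(32);
        byte[] wrappedDek = seal(kekFromPassword("old-pw".toCharArray(), salt), dek);
        byte[] record = seal(new SecretKeySpec(dek, "AES"), "user data".getBytes("UTF-8"));
        // Password change: unwrap with the old password, rewrap with the new one; records untouched.
        byte[] plainDek = open(kekFromPassword("old-pw".toCharArray(), salt), wrappedDek);
        wrappedDek = seal(kekFromPassword("new-pw".toCharArray(), newSalt), plainDek);
        // Login with the new password still recovers the DEK and decrypts the old record.
        byte[] dekAtLogin = open(kekFromPassword("new-pw".toCharArray(), newSalt), wrappedDek);
        System.out.println(new String(open(new SecretKeySpec(dekAtLogin, "AES"), record), "UTF-8"));
    }
}
```

Only the salt and the wrapped DEK need to be persisted per user; the unwrapped DEK can be kept in the session after login, which is the trade-off Christopher weighs against keeping the password itself there.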