Thanks Chris, it helps me a lot :-) Very useful information.
-------- Original Message --------
Date: Thu, 03 May 2007 15:02:35 -0400
From: Christopher Schultz <[EMAIL PROTECTED]>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [OT] User-password from the HttpServletRequest

> Sam,
>
> [EMAIL PROTECTED] wrote:
> > I saw that I can get the password via the Principal: the Tomcat
> > server has its own implementation of Principal, GenericPrincipal,
> > which holds all the stuff (pw, roles, etc).
>
> Wow, Tomcat keeps the user's password lying around in memory? That's
> unfortunate... :(
>
> > Does somebody know a good encryption/decryption algorithm which works
> > only with a password (String)?
>
> There are many symmetric encryption algorithms. DES, 3DES ("Triple
> DES"), AES, and Blowfish are quite popular. Java supports many of these
> algorithms out of the box. Figuring out how to use them can be a
> challenge, so here are some of the things I've learned.
>
> With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
> ciphers available from the "SunJCE version 1.5" provider:
>
> AES
> Blowfish
> DES
> 3DES
>
> Each of these can be used with a simple password. You'll need to massage
> your strings to get them into the proper format, though. Here is some
> helpful code.
>
> In order to do anything with a cipher, you'll need a key. The easiest
> way to create a key is like this:
>
> byte[] password = ...;           // key bytes; length must match the algorithm's key size
> String algorithm = ...;          // "AES", "DESede" (the JCE name for 3DES), etc.
> java.security.Key encryptionKey =
>     new javax.crypto.spec.SecretKeySpec(password, algorithm);
>
> Now that you have a key (which can be used for decryption, btw), you can
> use a cipher:
>
> byte[] clearText = ...;          // convert your data-to-encrypt to bytes
> javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
> cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, encryptionKey);
> byte[] cipherText = cipher.doFinal(clearText);
>
> Decryption is the same, just that you use DECRYPT_MODE when you call
> Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.
>
> A few other notes:
>
> * Be careful about converting Strings to and from byte arrays. Make sure
> that you consistently use the same character encoding (UTF-8 is always a
> good bet) or your efforts will end in tears.
>
> * If you want to store your encrypted data in a database, you have to
> decide if you want to store binary byte data (BLOB) or character data
> (CLOB). BLOBs are probably smaller (keep reading) but not as easy to
> "read" when observing data in the database. CLOBs will take more space
> but are easier to "read" when looking at your db. If you choose to use a
> CLOB, then you'll need to convert the cipher text into a readable
> format. Base64 encoding is often chosen because it results in 4 bytes of
> output for every 3 bytes of input, so you "waste" only 1/3 extra
> storage. Compare that to a "character binary encoding" (my term) where
> you have a 1 byte -> 2 character conversion (results look like "1a2b3c"
> etc.), which doubles your data, which sucks.
>
> This is only one way to interact with Java's crypto APIs. I'm sure there
> are other ways, but after a lot of reading this is what I came up with.
>
> Hope that helps,
> -chris
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
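Added example (not Chris's code, not Tomcat's): a complete password-based encrypt/decrypt round trip built from the JCE classes the reply names (SecretKeySpec, Cipher, Base64 text for CLOB storage), with two changes a practitioner would make to the snippet above. First, the AES key is derived from the password with PBKDF2: feeding raw password bytes of arbitrary length to SecretKeySpec is rejected by the AES cipher with InvalidKeyException unless the password happens to be exactly 16, 24 or 32 bytes, and a key that is just the password is only as strong as the password. Second, the transformation is spelled out as "AES/GCM/NoPadding" with a fresh random nonce per message, because Cipher.getInstance("AES") on SunJCE resolves to AES/ECB/PKCS5Padding, which leaks repeated plaintext blocks and gives no integrity check; GCM's tag makes a wrong password or a tampered record fail loudly. The class name, constants, and the salt||nonce||ciphertext record layout are assumptions chosen for this example; the sample password and plaintext are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper (example code, not from the mailing-list post).
 * Record layout, Base64-encoded so it fits in a CLOB/VARCHAR column:
 *   salt (16 bytes) || nonce (12 bytes) || AES-GCM ciphertext + 16-byte tag
 */
public final class PasswordCrypto {

    private static final int SALT_LEN = 16;          // PBKDF2 salt, random per record
    private static final int NONCE_LEN = 12;         // GCM nonce, random per record, never reused
    private static final int TAG_BITS = 128;         // GCM authentication tag length
    private static final int ITERATIONS = 200_000;   // PBKDF2 work factor (assumed value)
    private static final int KEY_BITS = 256;         // AES-256
    private static final SecureRandom RNG = new SecureRandom();

    /** Stretches a human password into a fixed-size AES key; raw password bytes are not a valid key. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        try {
            return new SecretKeySpec(keyBytes, "AES");   // SecretKeySpec copies the array
        } finally {
            Arrays.fill(keyBytes, (byte) 0);             // don't leave the key lying around
            spec.clearPassword();
        }
    }

    /** Encrypts clearText under password and returns Base64(salt || nonce || ciphertext||tag). */
    static String encrypt(char[] password, String clearText) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);

        SecretKey key = deriveKey(password, salt);
        // One Cipher per operation: Cipher objects are stateful and not thread-safe.
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8)); // fixed encoding

        byte[] record = new byte[SALT_LEN + NONCE_LEN + ct.length];
        System.arraycopy(salt, 0, record, 0, SALT_LEN);
        System.arraycopy(nonce, 0, record, SALT_LEN, NONCE_LEN);
        System.arraycopy(ct, 0, record, SALT_LEN + NONCE_LEN, ct.length);
        return Base64.getEncoder().encodeToString(record);
    }

    /** Reverses encrypt(); throws AEADBadTagException on a wrong password or a modified record. */
    static String decrypt(char[] password, String base64Record) throws Exception {
        byte[] record = Base64.getDecoder().decode(base64Record);
        if (record.length < SALT_LEN + NONCE_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("record too short to be valid");
        }
        byte[] salt = Arrays.copyOfRange(record, 0, SALT_LEN);
        byte[] nonce = Arrays.copyOfRange(record, SALT_LEN, SALT_LEN + NONCE_LEN);
        byte[] ct = Arrays.copyOfRange(record, SALT_LEN + NONCE_LEN, record.length);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);   // same encoding as encrypt()
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample password
        String stored = encrypt(pw, "hello, world");                 // constructed sample plaintext
        System.out.println("stored:     " + stored);
        System.out.println("round trip: " + decrypt(pw, stored));
        try {
            decrypt("wrong password".toCharArray(), stored);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password rejected by the GCM tag check");
        }
    }
}
```

Two practical notes: PBKDF2WithHmacSHA256 and GCM ship with the JDK from Java 8 onward, and JDKs older than 8u161 need the unlimited-strength policy files installed before a 256-bit AES key is accepted. Because the salt and nonce are regenerated on every call, encrypting the same plaintext twice yields two different records, which is the intended behaviour; do not try to compare encrypted values in SQL.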