First, authentication is done so that if a relevant HTTP cookie exists in the browser and validation of that cookie is done, then the page should be shown.

2011/6/12 Mark Thomas <ma...@apache.org>:
> On 12/06/2011 20:29, Pid wrote:
>> On 12/06/2011 17:12, Petr Hracek wrote:
>>> And what about in case that I have my own program for accessing to the
>>> specific databases where the passwords are stored as hashes?
>>>
>>> Are there any possibilities how to run that program for getting unhashed
>>> password from database?
>>
>> Why not hash the inbound password, then send & compare it against the
>> one in the DB, rather than decoding it?
>>
>> The Realm implementations can handle this, if you're using a standard
>> hashing method that Java recognises.
>>
>> Hopefully you've not invented your own hashing method.
>
> Hmm. Hash functions are meant to be one way. It should be impossible to
> retrieve an unhashed password from the database.
>
> I hope that the original description is inaccurate rather than an
> example of (yet another) badly broken home-grown security solution that
> needs to be thrown away.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

--
Best Regards / S pozdravem
Petr Hracek