Re: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)
Thanks to those who were kind enough to share their suggestions/comments.

The problem was a subtle, but an important one: in server.xml, roleNameCol=role_name, but in the database there is no column called role_name; accidentally, the column's name is user_role!

Baris...
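The mismatch reported above (roleNameCol naming a column the table does not have) can be caught before login is ever attempted. This is an added example, not code from the thread or from Tomcat: it compares the table and column names in a Realm element against the real columns, using the post's Realm attributes with quoting restored and an in-memory SQLite database as a stand-in for the Oracle schema. `build_schema`, `columns` and `check_realm` are names made up here.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed input: the Realm element from the post, trimmed to the
# attributes that name tables and columns.
REALM_XML = """<Realm className="org.apache.catalina.realm.JDBCRealm"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" digest="MD5"/>"""


def build_schema():
    """In-memory SQLite stand-in for the two Oracle tables described in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, user_pass TEXT)")
    db.execute("CREATE TABLE user_roles (user_name TEXT, user_role TEXT)")
    return db


def columns(db, table):
    """Return the lower-cased column names of `table` (empty set if it is missing)."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", table):
        raise ValueError(f"unexpected table name: {table!r}")
    return {row[1].lower() for row in db.execute(f"PRAGMA table_info({table})")}


def check_realm(realm_xml, db):
    """List every table or column the Realm names that the schema lacks."""
    realm = ET.fromstring(realm_xml).attrib
    wanted = [
        (realm["userTable"], [realm["userNameCol"], realm["userCredCol"]]),
        (realm["userRoleTable"], [realm["userNameCol"], realm["roleNameCol"]]),
    ]
    problems = []
    for table, cols in wanted:
        present = columns(db, table)
        if not present:
            problems.append(f"table {table} not found")
            continue
        for col in cols:
            if col.lower() not in present:
                have = ", ".join(sorted(present))
                problems.append(f"{table}.{col} not found (table has: {have})")
    return problems


if __name__ == "__main__":
    for line in check_realm(REALM_XML, build_schema()) or ["realm matches schema"]:
        print(line)
```

Against a real database, `columns` would be replaced by a lookup in that database's own catalogue.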
Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)
Hi all,

I am trying to use JDBCRealm to store user login information in an Oracle database. I am working on a Windows2000 machine, using jdk1.4, and Tomcat4.0.4.

In server.xml, I have this configuration:

^^^
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="oracle.jdbc.driver.OracleDriver"
       connectionURL="jdbc:oracle:thin:usr/pass@host:1521:ORCL"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="MD5" />
^^^

In an Oracle8i database, I have a table called users which has two columns named user_name and user_pass; and yet another one called user_roles with two columns named user_name and user_role.

When I store user passwords in cleartext, everything works fine. I want to store passwords in a digested form. So, I have used the following code to store a user_name : baris, user_pass : aksu and user_role : director.

^^^
import org.apache.catalina.realm.RealmBase;
import java.io.*;
import java.sql.*;

public class DigestDene {
    public static void main(String[] args) {
        try {
            String username = args[0];
            String password = args[1];
            String role = args[2];
            String digested = RealmBase.Digest(password, "MD5");
            //Here, code that connects to the database
            /* .. */
            stmt.executeUpdate("insert into users values('" + username + "', '" + digested + "')");
            stmt.executeUpdate("insert into user_roles values ('" + username + "', '" + role + "')");
        } catch(Exception ex) {}
    }
}
^^^

Then, I have inserted my user's info from the command-line with:

^^^
java DigestDene baris aksu director
^^^

After this, I have these values in the database:

(in table users)
USER_NAME  USER_PASS
---------  --------------------------------
baris      394e654ca65973f232653fb0008c603d

(in table user_roles)
USER_NAME  USER_ROLE
---------  ---------
baris      director

Lastly, in web.xml I have these lines:

^^^
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Basla Servlet</web-resource-name>
    <url-pattern>/servlet/IlkGirisServlet</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>director</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
^^^

When I try to access my protected resource, I am presented with the classic login screen for BASIC authentication, and after I type baris for username and aksu for password, Tomcat simply doesn't let me in.

Any suggestions or comments will be greatly appreciated.

Baris.
Re: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)
Hi Baris,

I tried:

java -classpath CATALINA_HOME/server/lib/catalina.jar org.apache.catalina.realm.RealmBase -a MD5 aksu

And got:

aksu:394e654ca65973f232653fb0008c603d

So that seems to be working correctly.

You may want to try changing <auth-method>BASIC</auth-method> to <auth-method>DIGEST</auth-method>. Since the browser is getting the password, you want it to be digested before it goes out on the net for security, unless you are using SSL. Then it gets encrypted anyway, and digesting just protects your passwords from observation on the server side. This might require you to turn off digest in the realm.

You can also increase the debug level in the realm and see what the log files say.

Hope this helps,

Rick

----- Original Message -----
From: ahmet dalli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 27, 2002 3:14 AM
Subject: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)
RE: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)
I have no problems using SHA-1. I also use FORM based authentication. You might try those, just to see if anything's different.

-----Original Message-----
From: ahmet dalli [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 3:15 AM
To: [EMAIL PROTECTED]
Subject: Tomcat Realms with Digested Passwords -Urgent- ( A little longish...)