Hello,

Please let me explain a little more. It is the password that the JDBC realm uses to connect to the database that should be encrypted, for example connectionPassword="foobar" should look something like connectionPassword="3dc69416b0783cac9f3dda37b6bb0862". I have been able to deal with user passwords fine using MD5.

We have a policy of no developer access to production and staging environments. Thus any passwords in configuration files such as the server.xml require encryption. However I have since created a solution.
I have created my own class that extends org.apache.catalina.realm.RealmBase. It works in a similar way to the tomcat JDBCRealm. I made it available in the tomcat server classpath under server/lib. I have configured server.xml like:

<Realm className="com.foo.bar.MyJDBCRealm"
       debug="99"
       connectionName="FooBar"
       userTable="User" userNameCol="userName" userCredCol="password"
       userRoleTable="UserRole" roleNameCol="roleName" digest="MD5"/>

The connectionName="FooBar" uses a JDBC connection pool I have written that supports password encryption. Hence I no longer have clear text passwords in my config file server.xml.

In fact maybe this raises a point that it appears that all passwords in config files for tomcat are clear text. For example, by looking at the doco for JNDI data sources, the configs for JDBC connection pooling using DBCP also have clear text passwords. See:

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jndi-datasource-examples-howto.html

-----Original Message-----
From: Andoni [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 29 October 2003 1:28 AM
To: Tomcat Users List
Subject: Re: JDBC Realm

Can you please explain this a little better.

You have in your database a list of all your users' passwords encrypted using MD5. Do you also have a clear text copy of them? Then you want to encrypt this clear text copy for use in your configuration files?

If you don't already have a cleartext copy of the passwords you are going to have to get your users to submit them as your MD5 version is useless. You could amend your application to read the password, store it in the clear, then compare it using MD5. Then as they all log in they will have given you a copy of their password.

Andoni.

----- Original Message -----
From: "Gardner, David [IT]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 28, 2003 3:15 AM
Subject: JDBC Realm

> I have a JDBC Realm configured against a sybase database and it works fine.
> See below I have changed the details for obvious security reasons.
>
> <Realm className="org.apache.catalina.realm.JDBCRealm"
>        debug="99"
>        driverName="com.sybase.jdbc2.jdbc.SybDriver"
>        connectionURL="jdbc:sybase:Tds:foo.au.bar.com:666/foo_bar"
>        connectionName="foobar" connectionPassword="foobar"
>        userTable="User" userNameCol="userName" userCredCol="password"
>        userRoleTable="UserRole" roleNameCol="roleName" digest="MD5"/>
>
> I also have the user passwords encrypted using MD5 and this works fine.
> However we have a need to have all clear text passwords encrypted in
> configuration files. I need this realm to work with the connectionPassword
> value foobar encrypted. Does anyone know if this has been done and is there
> a patch of some sort available?
>
>
>
> David Gardner
> Software Developer
> Cititech
> Level 11, 2 Park Street
> Sydney NSW Australia 2000
>
> Phone: (+612) 8225 4803
> Fax: (+612) 8225
> Email: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
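
Added example, not part of the thread and not Tomcat's or the poster's code: a connectionPassword value has to be recoverable before the JDBC connection can be opened, so it needs reversible, authenticated encryption rather than a digest like the MD5 used for the user passwords. The sketch uses AES-GCM from a current JDK. The class name ConfigSecret, the seal/open helpers and the randomly generated demo key are assumptions; the key would have to live outside server.xml, readable only by the account that runs the server.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper (not a Tomcat class) for protecting a connectionPassword value.
public class ConfigSecret {
    private static final int IV_LEN = 12;    // GCM nonce length in bytes
    private static final int TAG_BITS = 128; // authentication tag length

    // Returns base64(iv || ciphertext || tag): the string stored in the config file.
    static String seal(byte[] key, String clear) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);    // fresh nonce for every value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(clear.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // What a custom realm or pool would call just before opening the JDBC connection.
    static String open(byte[] key, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        if (in.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("value too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];           // constructed demo key; really loaded from a protected key file
        new SecureRandom().nextBytes(key);
        String sealed = seal(key, "foobar"); // "foobar" is the sample password from the thread
        System.out.println("connectionPassword=\"" + sealed + "\"");
        System.out.println("recovered: " + open(key, sealed));
        byte[] bad = Base64.getDecoder().decode(sealed);
        bad[bad.length - 1] ^= 1;            // flip one bit to simulate an edited config value
        try {
            open(key, Base64.getEncoder().encodeToString(bad));
        } catch (AEADBadTagException e) {
            System.out.println("tampered value rejected");
        }
    }
}
```

The protection is only as strong as the access control on the key file: anyone who can read both the key and server.xml can recover the password.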