Chuck,

On 6/13/13 4:40 PM, Caldarale, Charles R wrote:
>> From: Jane Muse [mailto:jm...@rocketsoftware.com] Subject: RE:
>> Class cast exception when starting tomcat 7.0.1
> 
>> I had catalina.jar in WEB-INF/lib.
> 
> Very, very bad move.
> 
>> It's needed because we have an implementation of Realm to store
>> an encrypted tomcat password users enter in the webapp.
> 
> Your custom implementation of Realm should be in Tomcat's lib
> directory, not the webapp's.  See: 
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#What_is_a_Realm?
> 
> Such a Realm should not be tied into the operation of any webapp,
> other than configuring the webapp to use it.
> 
>> If I remove it and add the catalina.jar from tomcat_home/lib to
>> the classpath
> 
> Not sure what you mean by adding it to the classpath; please
> explain.
> 
>> I have to change the signature from 
>> org.apache.catalina.realm.RealmBase.Digest(String, String) to 
>> org.apache.catalina.realm.RealmBase.Digest(String, String,
>> String).
> 
> That's because internal Tomcat APIs often change between levels.
> You certainly cannot count on using an older version of Realm with
> a newer Tomcat (or vice versa).
> 
>> Should I not be writing code that needs classes from
>> catalina.jar?
> 
> It would certainly be desirable not to be dependent on internal
> Tomcat classes.  Why do you think a Realm should be storing a
> password (encrypted or not) anywhere?  A Realm would normally be
> reading a password from some controlled storage, not writing to
> it.

+1

I'm interested in what the custom realm does. Tomcat's realms all
support simple hashing via MessageDigest (i.e. no salting, iteration,
password-hashing algorithms, etc.) which is often enough for most
people (yet I'm not one of them).

If you are symmetrically-encrypting your passwords, you are setting
yourself up for security problems.

If you want to implement something more elaborate (say, you want to
implement bcrypt password-hashing instead of MD5), then you'll have to
do it yourself. I've been threatening to write-up some patches to
allow pluggable password-mangling algorithms into Tomcat Realms, but I
have not bothered to do so, yet. If there was more interest in such
things, I might be persuaded to be a little more diligent.

-chris
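To make the point in the reply above concrete, here is an added example (my own, not Tomcat's code and not from the thread): it puts an unsalted MessageDigest hash, the style the reply attributes to Tomcat's realms, beside a salted, iterated PBKDF2-HMAC-SHA256 hash with a constant-time check. PBKDF2 stands in for bcrypt only because the JDK ships it and not bcrypt; the storage format "pbkdf2-sha256$iterations$salt$hash" and the class and method names are assumptions for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: unsalted digest vs. salted, iterated PBKDF2 (not Tomcat code). */
public class PasswordHashingDemo {

    /** Plain MessageDigest over the password: no salt, one iteration.
     *  Two users with the same password get the same digest, and a
     *  precomputed table of common passwords cracks all of them at once. */
    static String unsaltedDigest(String password, String algorithm) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toHex(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    // Assumed parameters for the illustration; tune iterations to your hardware.
    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;
    static final int SALT_BYTES = 16;

    /** Salted, iterated hash. The per-user random salt defeats precomputed
     *  tables; the iteration count makes each guess cost more. */
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS, KEY_BITS);
        Base64.Encoder b64 = Base64.getEncoder();
        // Assumed self-describing format so iterations can be raised later
        // without re-hashing every stored credential at once.
        return "pbkdf2-sha256$" + ITERATIONS + "$"
                + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    /** Recompute with the stored salt and iteration count, then compare in
     *  constant time so timing does not leak how many bytes matched. */
    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha256".equals(parts[0])) {
            return false;
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(password, salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual);
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits)
            throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password in the spec object
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse"; // constructed sample input

        // Same password, same unsalted digest every time: nothing per-user.
        System.out.println("md5 #1: " + unsaltedDigest(pw, "MD5"));
        System.out.println("md5 #2: " + unsaltedDigest(pw, "MD5"));

        // Same password, different salted hashes; both still verify.
        String h1 = hashPassword(pw.toCharArray());
        String h2 = hashPassword(pw.toCharArray());
        System.out.println("pbkdf2 #1: " + h1);
        System.out.println("pbkdf2 #2: " + h2);
        System.out.println("h1 != h2: " + !h1.equals(h2));
        System.out.println("verify ok: " + verifyPassword(pw.toCharArray(), h1));
        System.out.println("wrong pw : " + verifyPassword("wrong".toCharArray(), h1));
    }
}
```

Run with `javac PasswordHashingDemo.java && java PasswordHashingDemo`. The two MD5 lines are identical, the two PBKDF2 lines differ, and only the correct password verifies. Note that the verifier recomputes from the salt and iteration count stored with the hash, which is why the hash must be stored as written rather than reversibly encrypted: there is never a need to get the password back, only to check a candidate against it.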
