-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Yuval,
On 5/23/15 7:15 AM, Yuval Schwartz wrote: > I can currently initialize a MessageDigestCredentialHandler object > with my desired salt, iteration and algorithm parameters and then > call the handler's mutate() method before inserting the password > into my database. Good. > And, from a servlet, the HttpServletRequest Object's login() (for > example) method works when inputting the user_name and plain text > password. Good. > However, I am still struggling to create my database input > ({salt}:{iterations}:{hash}) without inputting my desired > parameter (iterations, saltLength, etc.) to a > MessageDigestCredentialHandler, but rather by getting these > parameters (or the CredentialHandler itself) from the servlet. What have you tried? Do you want the remote user to be able to specify the salt size and iterations? I'd advise against that, since users may intentionally reduce their own security (or, worse, intentionally give you an effectively infinite salt or iteration count, which could represent a DOS vulnerability). > Without being able to do this, I don't see the purpose of > specifying these parameters in the nested <CredentialHandler> > element within the <Realm> element of the context.xml file (these > parameters are retrieved from the "storedCredential" when > authenticating meaning they're not used when a method such as > request.login() is performed). The are absolutely used when HttpServletRequest.login() is called. That login() method ultimately calls Realm.authenticate(), which uses the CredentialHandler. The settings in CredentialHandler entirely handle logins for existing users. It looks like you are struggling to create the stores credentials in the first place (e.g. in a "change password" or "register" workflow). > The way my code is now there is no purpose to specifying saltLength > and iterations in the context.xml file. Does that mean you have hard-coded the salt length and iterations in your credential-generating algorithm? I'd advise against that because you may want to modify the salt size or number of iterations in the future, and you don't want to have to re-compile your code to do that. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVYhHEAAoJEBzwKT+lPKRYqjwP/A/+uLxfqKhiYcnnsnz+L64f l4Bwde+wy+QJh5/0A90KVSbBi7BS0x9/khOCm+xjGMNtH7BeApMW+h+haBXEbAZW ANFLLYv+4yJEFuz1Kz3jmtXkdwHpKRf9a7eN7HMwDfslZFaH+HgF1szzzaWVeV9i 398+5R5fiUqZZfVqp6TpZ3rh4TdmtwxbWgNWmiBz5pFrRvg9Uq+vOr6JQBYjsuu0 l9rNepJjHItvxEv+cvCY4xaJjdKhHd4xM2XgTuG60YT7MsItlRvMiYsUnM41oPJU 9KTI30wAC3DacVwj7ChFzQIgAP1NaGfbLFSsie4xqeyS7G4WSAux0uSR/gHtsQzi NDHJSU96R2vu1O5n+kDZyyHYCqLpezXbNMQydMPgoAPQ6lt9HG1T3cA/GUYO83Zy BAKr8D7FJQZyPH7CfNtRUynbZsKIBelhJ9x2SDM3/seJRyEGJvxshHJxwFcATyEk OWppe9IVFL4YaCVl+RAuIvVeLxOczIrTACibgRmmX0TJiqBZFgWFhUbEX+kGhQVN AjTubEIqKaiifzUfkem0cC0bAf4KFQq4vyUbxCJJDY9EJpsB+5ysdr0IzU2qI0Q0 9tP7zAB1n5+fobV/5qr+orMAuGqlucPz5zK6IJqpEqYBp0Duw2+iuiv4jYnxlDgI fCi/4VXuKjprHqM7Aqb7 =Ndq8 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org