-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Sreyan,
On 8/24/15 1:19 PM, Sreyan Chakravarty wrote: > No you don't understand what my question was. Say I do something > like this-: > > String password = request.getParameter("passwd"); > > long salt = // get salt from SecureRandom > > String password = salt + password; > > String hash = encrypt(password) // Use some encryption like bCrypt > > storeInDb(hash); // Stores it in User Table along with user-id and > role > > Now when I am querying from the database using a DataSourceRealm > for example. How do I replicate the exact hashing procedure. You are circling the right answer: you use a CredentialHandler for this. You may have to write your own if the built-in ones don't support your hashing strategy. > I can obviously store the salt value in another column but how can > I tell the Realm or CredentialHandler to use the salt and then hash > the password there is obviously no salt attribute in the > CredentialHandler. There is a salt *length* attribute, but that's how many random bits to use when creating a new stored-credential. The CredentialHandler docs[1] have examples of how to store the password in the database. If you are using digest + salt + iterations, then you want to store the password in the db table like this: salt$iterationCount$encodedCredential Those are literal $ symbols between the 3 different components of the stored credential. The salt and encodedCredential should be in hex-encoding (e.g. "abc" = "979899"). The iteration count should be a simple integer like "1000". (I highly recommend using a very large number of iterations... something that takes ~2s on a modern machine ought to be appropriate). > So in other words how do I replicate the exact same hashing > procedure while retrieving the password to that I used when I was > storing the password in the database. > > Is there a way to use the Realm to insert the user-id and password > into the database ? No, but you can feel free to instantiate the same kind of CredentialHandler with the same settings and then use the mutate() function to see what the CredentialHandler will produce from a given input. > Because that seems like the most straight forward approach. I don't > know why there isn't an API for doing just that in Tomcat. CredentialHandler.mutate will mutate the credentials. It's up to you to store them wherever makes the most sense. > What good is having saltlength in CredentialHandler if its not > going to use it to create a password. See above. > Salts have to be specified differently and Tomcat just cannot > assume the first 20 characters (specified in the saltlength > property) to be the salt. See above. > So how can I store the credentials in the database and get them > back using the same hashing procedure ? > > And why hasn't the documentation included sufficient number of > examples of this process. Because it's been written by people who knew what the process was and didn't know the right questions to answer. > No one seems to know anything about it. Really? Who have you asked? I know a fair bit about it, and I'm trying to answer your questions. I'm happy to help; don't be so grouchy about asking questions, especially if someone is willing to reply and help you out. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV21u6AAoJEBzwKT+lPKRYH9QP/0CykG/8FCXdTuATjeam05oa 5ru2NO1Z44bwp932GvlPuNcySEeB+1CkYEzqtiBk/vPPalFrYAKq2SRqtba7nHnl RB0z1lM43OoGGuHkCyXs87xdZjD2BDCG+9pNMnZqymkzbQUsVV96UFOO1d3vHQK4 ZC6qsXBtVBjMfKO1+bOiZ+zrUKavMShtxve798OO7M+tvbqVAG7jvFI+BL0yQqXk SgcxdOY30NU3jcl7GZh/JkrvcKgULNRUgMPSmDNedMI38zK4hEhTBo2xuf6yRVos COizoJ9zduRVfnMZKhG9TRBvmuJFFkQuaUNIr1Yrt/HKicA3y86ZaiJZzmt8FS4h YV/uLfZkPt2w3Ip2CoPozYE5Vp+si4N6TPTCcfKmYlCBh2Qc3jl1FbXAdw7zkfz1 b/abID3ISAMrXEbcuFakLI+eYi/+km8JRNk3wLBX5xmg4ZF8CPIgNGBK8w39Gmaz x5gW3iv6p/h6iT0lE8cri4Lm4kTeQv9F/t04Z2TvN7HeQf7OBQEh8B7ZsVGurbKG vO4NlSU1inTMs94P4Y4WVDDcFOZIFC0ny6dseFBmeWBVpBRPKnMdjVPzBjBh6Wsr 1Q1U880EXFLrg+bAC69+qqV2GgvlKqvItFB9P2VZ1PXSEnVGTGFFK65Yh1KDtAgG dRGp4gxRJzlmRshreCqn =zsRW -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org