-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sreyan,
On 8/24/15 1:19 PM, Sreyan Chakravarty wrote:
> No you don't understand what my question was. Say I do something
> like this-:
>
> String password = request.getParameter("passwd");
>
> long salt = // get salt from SecureRandom
>
> String password = salt + password;
>
> String hash = encrypt(password) // Use some encryption like bCrypt
>
> storeInDb(hash); // Stores it in User Table along with user-id and
> role
>
> Now when I am querying from the database using a DataSourceRealm
> for example. How do I replicate the exact hashing procedure.
You are circling the right answer: you use a CredentialHandler for
this. You may have to write your own if the built-in ones don't
support your hashing strategy.
> I can obviously store the salt value in another column but how can
> I tell the Realm or CredentialHandler to use the salt and then hash
> the password there is obviously no salt attribute in the
> CredentialHandler.
There is a salt *length* attribute, but that's how many random bits to
use when creating a new stored-credential.
The CredentialHandler docs[1] have examples of how to store the
password in the database. If you are using digest + salt + iterations,
then you want to store the password in the db table like this:
salt$iterationCount$encodedCredential
Those are literal $ symbols between the 3 different components of the
stored credential. The salt and encodedCredential should be in
hex-encoding (e.g. "abc" = "979899"). The iteration count should be a
simple integer like "1000". (I highly recommend using a very large
number of iterations... something that takes ~2s on a modern machine
ought to be appropriate).
> So in other words how do I replicate the exact same hashing
> procedure while retrieving the password to that I used when I was
> storing the password in the database.
>
> Is there a way to use the Realm to insert the user-id and password
> into the database ?
No, but you can feel free to instantiate the same kind of
CredentialHandler with the same settings and then use the mutate()
function to see what the CredentialHandler will produce from a given
input.
> Because that seems like the most straight forward approach. I don't
> know why there isn't an API for doing just that in Tomcat.
CredentialHandler.mutate will mutate the credentials. It's up to you
to store them wherever makes the most sense.
> What good is having saltlength in CredentialHandler if its not
> going to use it to create a password.
See above.
> Salts have to be specified differently and Tomcat just cannot
> assume the first 20 characters (specified in the saltlength
> property) to be the salt.
See above.
> So how can I store the credentials in the database and get them
> back using the same hashing procedure ?
>
> And why hasn't the documentation included sufficient number of
> examples of this process.
Because it's been written by people who knew what the process was and
didn't know the right questions to answer.
> No one seems to know anything about it.
Really? Who have you asked? I know a fair bit about it, and I'm trying
to answer your questions.
I'm happy to help; don't be so grouchy about asking questions,
especially if someone is willing to reply and help you out.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV21u6AAoJEBzwKT+lPKRYH9QP/0CykG/8FCXdTuATjeam05oa
5ru2NO1Z44bwp932GvlPuNcySEeB+1CkYEzqtiBk/vPPalFrYAKq2SRqtba7nHnl
RB0z1lM43OoGGuHkCyXs87xdZjD2BDCG+9pNMnZqymkzbQUsVV96UFOO1d3vHQK4
ZC6qsXBtVBjMfKO1+bOiZ+zrUKavMShtxve798OO7M+tvbqVAG7jvFI+BL0yQqXk
SgcxdOY30NU3jcl7GZh/JkrvcKgULNRUgMPSmDNedMI38zK4hEhTBo2xuf6yRVos
COizoJ9zduRVfnMZKhG9TRBvmuJFFkQuaUNIr1Yrt/HKicA3y86ZaiJZzmt8FS4h
YV/uLfZkPt2w3Ip2CoPozYE5Vp+si4N6TPTCcfKmYlCBh2Qc3jl1FbXAdw7zkfz1
b/abID3ISAMrXEbcuFakLI+eYi/+km8JRNk3wLBX5xmg4ZF8CPIgNGBK8w39Gmaz
x5gW3iv6p/h6iT0lE8cri4Lm4kTeQv9F/t04Z2TvN7HeQf7OBQEh8B7ZsVGurbKG
vO4NlSU1inTMs94P4Y4WVDDcFOZIFC0ny6dseFBmeWBVpBRPKnMdjVPzBjBh6Wsr
1Q1U880EXFLrg+bAC69+qqV2GgvlKqvItFB9P2VZ1PXSEnVGTGFFK65Yh1KDtAgG
dRGp4gxRJzlmRshreCqn
=zsRW
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
