Christopher, what I am planning to do is get the source of an open
source sCrypt library and actually copy-paste the source code into
ScryptCredentialHandler.java, since I am no security expert.

Now this eliminates the compile time dependency but if the open source
scrypt library is updated then the Handler must be updated accordingly.

Is that a good design plan?

Also, I am confused about how to create the JAR. For example, if I create the
project in Eclipse under, say, a package called test.handler, how do I write
my code so that it becomes a part of org.catalina.realm?

Regards
Sreyan Chakravarty

On Mon, Aug 31, 2015 at 8:12 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sreyan,
>
> On 8/29/15 4:54 PM, Sreyan Chakravarty wrote:
> > Now can you tell me how do I write my own custom credential
> > handler. Planning one that uses sCrypt.
>
> Just create a new class that implements the CredentialHandler
> interface. Of course, that means you'll have to build against the
> Tomcat API and you will also have to put your .class file in a JAR
> file in Tomcat's lib/ directory.
>
> If you're writing an scrypt CredentialHandler, consider donating it to
> the community.
>
> It's just two methods: mutate(String) and matches(String,String) so it
> should be pretty easy to do.
>
> > How can I write it and reference that same CredentialHandler in
> > the context.xml like
> >
> > <CredentialHandler class="custom handler"></CredentialHandler>
>
> Take a look at the code for SecretKeyCredentialHandler:
> http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/SecretKeyCredentialHandler.java?view=markup
>
> That class is mostly accessors and mutators, and the "matches" method
> mostly delegates to the parent class's "matches" method (which calls
> back to the SKCH's mutate() method). You may be able to get away with
> that dispatch strategy and so your class might be as simple as SKCH.
>
> I'm happy to help build this CredentialHandler with you. It was my
> plan to build one a while back, but the fact is that the team doesn't
> want a compile-time dependency on any particular scrypt library. But
> it could be put into the Tomcat wiki in source form, or it's possible
> we could put it into a kind of "contributed" directory in svn that
> doesn't get built for releases, but is available as source for anyone
> to use.
>
> (Also, a bcrypt-based CredentialHandler would be trivial once an
> scrypt-based one was done.)
>
> Hope that helps,
> -chris