-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stefan,
On 4/27/16 11:16 AM, Stefan Frei wrote: > Tomcat 8.0.33 > > i need some help with credentialhandler in datasourceRealm. > > I wan t to achieve a encrypted password, if possible with salt. > > Encryption SHA-512 or similar. Technically that's a hash, not an encrypted credential. "Encryption" generally means that it's reversible, and hashes, etc. are not reversible (at least not directly). > is there a example somewhere how to modify the realm, i couldnt > find anything in the docs. > > Realm looks like this atm. Its working, but passwords are stored in > plain text. > > <Realm className="org.apache.catalina.realm.DataSourceRealm" > dataSourceName="jdbc/sandbox" localDataSource="true" > roleNameCol="rolename" userCredCol="password" > userNameCol="username" userRoleTable="roles" userTable="users"> Realms never write passwords out, so they are stored in whatever form *you* decided to store them. https://tomcat.apache.org/tomcat-8.0-doc/config/credentialhandler.html Since you have declared no <CredentialHandler> element inside your <Realm>, you are getting the default CH: MessageDigestCredentialHandler. The default algorithm for MDCH is plaintext (i.e. "none"). If you want to change that, you'll have to add your own <CredentialHandler> element and configure it however you want. Since you have plaintext passwords in the database now, you might want to convert them to whatever scheme you decide to use (e.g. salted SHA-256). You can do that using RealmBase from the command-line: $ $CATALINA_HOME/bin/digest.sh Unfortunately, that command doesn't have any "help" you can run to find out what the parameters mean exactly, but the source does have that detail (apologies for the lack of formatting... I'm not going to re-format this manually): * <li><b>-a</b> - The algorithm to use to generate the stored * credential. If not specified a default of SHA-512 will be * used.</li> * <li><b>-e</b> - The encoding to use for any byte to/from characte r * conversion that may be necessary. If not specified, the * system encoding ({@link Charset#defaultCharset()}) will * be used.</li> * <li><b>-i</b> - The number of iterations to use when generating t he * stored credential. If not specified, the default for the * CredentialHandler will be used.</li> * <li><b>-s</b> - The length (in bytes) of salt to generate and store as * part of the credential. If not specified, the default for * the CredentialHandler will be used.</li> * <li><b>-k</b> - The length (in bits) of the key(s), if any, created while * generating the credential. If not specified, the default * for the CredentialHandler will be used.</li> * <li><b>-h</b> - The fully qualified class name of the CredentialHandler * to use. If not specified, the built-in handlers will be * tested in turn and the first one to accept the specified * algorithm will be used.</li> Run each of your passwords through that to get the encoded form, then use the same parameters to configure your <CredentialHandler>. Hope that helps, - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlcg4AYACgkQ9CaO5/Lv0PDkNgCfeCS9e1wHy81qOcvyglbjqW3l DsoAnAhUo/LNR21DRFkW/RhrcEfpm+Ns =fZL4 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
