Christopher Schultz wrote:
The code has already been written.
http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
Read the whole thing, but what you are really interested in starts on
slide #29.

Maybe it's just me but I didn't find anything that's not already in
CredentialHandler's javadoc i.e., that reference to:
  "matches(String inputCredentials, String storedCredentials)"
appears to be your:
  "ch.matches(old_password, stored)"
on page 31.  If so it looks like they're reversed as you're deriving
"stored" from ".mutate(plaintext)" which is counter-intuitive.

Also didn't find anything elsewhere on the net.  The reason for this may
be that there is no documentation describing the format of
storedCredentials (arg 2, or is it arg 1) or even why a second arg is
needed.  Should this be the hash string from the password database?  If
so it doesn't appear to work.  Do we also need to derive the algorithm,
saltLength and iterations from server.xml?

All I'm looking for is a simple boolean from something like
CredentialHandler.validate(plaintext).

Roger
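For readers following the argument-order question above, the following is an added illustration (not code from the thread, from Christopher's slides or from Tomcat's own documentation) of how `CredentialHandler.mutate()` and `matches()` fit together; the handler settings (SHA-256, 10000 iterations, 16-byte salt) and the sample password are constructed assumptions standing in for a `<CredentialHandler>` element in server.xml.

```java
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.realm.MessageDigestCredentialHandler;

import java.security.NoSuchAlgorithmException;

public class CredentialHandlerDemo {

    // Build a handler configured the way a <CredentialHandler .../> element
    // in server.xml would; the values here are assumed, not from a real deployment.
    static CredentialHandler newHandler() throws NoSuchAlgorithmException {
        MessageDigestCredentialHandler ch = new MessageDigestCredentialHandler();
        ch.setAlgorithm("SHA-256");
        ch.setIterations(10000);
        ch.setSaltLength(16);
        return ch;
    }

    // matches() takes the user-supplied plaintext first and the stored
    // credential second. The stored credential is whatever mutate() produced
    // when the password was set; for a salted, iterated handler it has the
    // form "salt$iterations$hash", so the salt and iteration count travel
    // with the stored record rather than having to be re-read from server.xml.
    static boolean validate(CredentialHandler ch, String plaintext, String stored) {
        return ch.matches(plaintext, stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        CredentialHandler ch = newHandler();
        String plaintext = "correct horse battery staple"; // constructed sample

        // Enrolment: mutate() draws a fresh random salt each call, so the two
        // stored strings differ even though the plaintext is identical.
        String stored1 = ch.mutate(plaintext);
        String stored2 = ch.mutate(plaintext);
        System.out.println("stored form: " + stored1);
        System.out.println("same string twice? " + stored1.equals(stored2));

        // Verification: plain string equality against the database value cannot
        // work; matches() parses salt and iterations out of the stored value
        // and re-derives the hash from the supplied plaintext.
        System.out.println("correct password: " + validate(ch, plaintext, stored1));
        System.out.println("wrong password:   " + validate(ch, "wrong-password", stored1));
        // Arguments reversed: the second argument is taken as the stored hash,
        // so the plaintext is compared as if it were a digest and does not match.
        System.out.println("swapped args:     " + validate(ch, stored1, plaintext));
    }
}
```

Compile and run against the Tomcat jars on the classpath (catalina.jar provides both classes); the stored value printed is the same shape a JDBCRealm or DataSourceRealm would hold in its password column.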
