Азат,

On 1/21/20 8:38 AM, Усманов Азат Анварович wrote:
> Hello everyone! I was recently reading this mailing list and found
> the question by
> jonmcalexander<https://www.mail-archive.com/search?l=us...@tomcat.apache.org&q=from:%22jonmcalexander%22>
> about currently supported digest algorithms. Looking through
> replies, I found a great presentation by Christopher Schultz about
> credential security. I have one question though: if I have my
> credentials stored in a DataSourceRealm with the old MD5 digest set up
> like this
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>        dataSourceName="jdbc/****" digest="MD5" roleNameCol="RoleName"
>        userCredCol="PWD" userNameCol="UserName"
>        userRoleTable="educ.ad_UserRoles" userTable="educ.ad_Users"/>
>
> where PWD is the column name which stores the MD5 hash, how do I specify
> the column where the more secure PBKDF2 version of the password (if I
> want to keep the old MD5 as a fallback option) is stored with the more
> secure configuration, e.g. like this one (copied directly from the
> presentation slides)?

My recommendation would be to make sure that either password can be
stored in the same field, and then use a single field for whichever
password storage strategy has been used.

> <Realm className="org.apache.catalina.realm.DataSourceRealm"...>
>   <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
>     <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler" />
>     <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>                        algorithm="MD5" />
>   </CredentialHandler>
> </Realm>
>
> Or do I just need to increase the size of the PWD column to fit the
> new PBKDF2 hash, so that PWD would store either MD5 or PBKDF2 depending
> on whether the user has changed their password or not?

Yes, this is exactly what I would recommend doing: expand your existing
password field to make sure it can fit the (likely longer) PBKDF2
stored credential.

Remember that you need to aggressively "upgrade" those user passwords.
I would recommend setting everyone's accounts to "must change password"
if they still have an old MD5-hashed password. This will cause every
user to create a higher-security stored-credential the next time they
login to your application.

-chris
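As an added illustration (not code from this thread or from Tomcat), the single-column scheme Chris describes modelled in Python: a PWD value is either a legacy unsalted MD5 hex digest or a PBKDF2 credential, the two handlers are tried in the nested order, and a login that only matched the MD5 fallback rewrites the row as PBKDF2. It assumes the `hex(salt)$iterations$hex(key)` layout and the PBKDF2WithHmacSHA1 / 20000-round / 160-bit defaults that I understand SecretKeyCredentialHandler to use; the in-memory user table is constructed.

```python
import hashlib
import hmac
import os
import re

# Assumed SecretKeyCredentialHandler defaults and layout hex(salt)$iterations$hex(key); a legacy MD5 value is 32 hex chars, so the formats never collide in one column.
PBKDF2_ITERATIONS = 20000
PBKDF2_KEY_BYTES = 20
PBKDF2_RE = re.compile(r"^([0-9a-f]+)\$(\d+)\$([0-9a-f]+)$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def mutate_pbkdf2(password, salt=None):
    """Produce a new-style credential for the PWD column (what a password change should write)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${key.hex()}"

def matches_pbkdf2(password, stored):
    m = PBKDF2_RE.match(stored)
    if not m:
        return False
    salt, rounds, key = bytes.fromhex(m[1]), int(m[2]), bytes.fromhex(m[3])
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, len(key))
    return hmac.compare_digest(candidate, key)

def matches_md5(password, stored):
    if not MD5_RE.match(stored):
        return False
    return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), stored)

def authenticate(password, stored):
    """Nested-handler order: PBKDF2 first, MD5 as fallback.
    Returns (ok, needs_upgrade); a match via the legacy handler flags the row for rehashing."""
    for handler in (matches_pbkdf2, matches_md5):
        if handler(password, stored):
            return True, handler is matches_md5
    return False, False

def login_and_upgrade(table, user, password):
    """On a successful login against a legacy MD5 credential, rewrite the row as PBKDF2 in place."""
    stored = table.get(user)
    if stored is None:
        return False
    ok, needs_upgrade = authenticate(password, stored)
    if ok and needs_upgrade:
        table[user] = mutate_pbkdf2(password)
    return ok

# Constructed sample of the pre-migration table: one legacy MD5 row, one already-migrated row.
LEGACY_TABLE = {"alice": hashlib.md5(b"correct horse").hexdigest(), "bob": mutate_pbkdf2("battery staple")}
```

The PBKDF2 value is 79 characters under these defaults, against 32 for MD5, which is the column-width increase the reply refers to.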