JDBCRealm with digested passwords.

Hi,

I've successfully set up a JDBCRealm to accept users and their login details, but the passwords are currently cleartext. I need to encrypt them with MD5.

I've followed the instructions here:

http://tomcat.apache.org/tomcat-3.3-doc/JDBCRealm-howto.html

so I've added digest="MD5" to the Realm element in my server.xml file. The way I am trying to enter the user name and encrypted password details into the DB is as follows.

    stmt.executeUpdate(
        "insert into users values('" + this.getUserName() +
        "\', md5('" + this.getUserPassword() + "'));" );

But I see in the instructions something about a static encryption method:

final public static String digest(String password, String algorithm).

in org.apache.tomcat.modules.aaa.RealmBase

It says "the jar where RealmBase class can be found is %TOMCAT_HOME%/lib/container/tomcat_modules.jar". I do not have this jar in my Tomcat installation. I am using Tomcat 5.0.28. Can anyone give me any tips or links to help me get this working?

Cheers,

Joe.

[1186 byte] By [josephquinn80a] at [2007-11-27 3:21:24]
# 1

Hi, I've made some progress on this. It seems the MD5 encryption MySQL uses differs slightly from the MD5 encryption Tomcat uses. So I am trying to use MD5 encryption in Tomcat to encrypt the password before inserting it into the DB. Here's the code I'm trying to use. Note that for now I have hardcoded the username to be root and the password to be password:

    public String getDigestedPassword()
    {
        try {
            // Obtain a new message digest with "digest" encryption
            MessageDigest md = (MessageDigest) MessageDigest.getInstance("MD5").clone();
            // encode the credentials
            md.update("password".getBytes());
            // Digest the credentials and return as hexadecimal
            return (HexUtils.convert(md.digest()));
        } catch(Exception e) {
            sm_log.error( "Error creating user", e );
            // No digest could be computed; without a return here the method does not compile
            return null;
        }
    }

Then in another method I have this:

    ResultSet result = stmt.executeQuery(
        "select * from users where user_name='root' and user_pass ='" +
        this.getDigestedPassword() + "'" );

    if(!result.first()){
        result.moveToInsertRow();
        result.updateString( 2, "root" );
        result.updateString( 3, this.getDigestedPassword() );
        result.insertRow();
    }

However I am having trouble finding the class HexUtils. I am getting this error:

java.lang.NoClassDefFoundError: org/apache/tomcat/util/buf/HexUtils

Am I missing something from my class path? Is there a jar file I need? Any help appreciated.

Cheers,

Joe.

josephquinn80a at 2007-7-12 8:24:08