Bug 45871 - Support for salted and digested patches in DataSourceRealm
Status: RESOLVED DUPLICATE of bug 51966
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: PC All
Importance: P2 enhancement with 2 votes
Target Milestone: default
Assigned To: Tomcat Developers Mailing List
Keywords: PatchAvailable
Reported: 2008-09-23 21:46 UTC by Brandon DuRette
Modified: 2011-10-28 22:14 UTC
Attachments
Patch for DataSourceRealm (trunk) (7.00 KB, patch)
2008-09-23 21:46 UTC, Brandon DuRette

Description Brandon DuRette 2008-09-23 21:46:21 UTC
Created attachment 22627 [details]
Patch for DataSourceRealm (trunk)

Simple hashing of passwords stored in databases is no longer sufficient security for passwords. The root of the issue is that users are bad at remembering strong passwords, so they choose weak ones. Weak passwords when hashed can be reversed using available rainbow tables and cracking software. To combat this, passwords should be uniquely "salted" before being hashed and stored in the database. 

The attached patch enhances DataSourceRealm to allow it to authenticate against a salted digested password. If configured to use salt, the user's salt is queried from the database and then combined with the user's provided credentials using a configurable MessageFormat before digesting. Authentication proceeds otherwise unchanged.

A similar patch could, and arguably should, be applied to JDBCRealm, but based on some discussion on the list about deprecating JDBCRealm (and because I don't use JDBCRealm personally), I did not work on JDBCRealm. I would be happy to port this patch to JDBCRealm if that's desired.

Limitation(s):

This patch does not impact the behavior of the RFC 2069 authentication method in RealmBase.

If/when this patch is accepted, the documentation for DataSourceRealm will need to be updated. I'll gladly volunteer to do those updates as well.

http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Rainbow_table
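The scheme the description outlines (per-user salt read from the database, combined with the presented credential through a MessageFormat pattern, then digested and compared) as a stand-alone illustration. This is an added example, not the attached patch or Tomcat's DataSourceRealm code; it assumes the pattern `{0}{1}` with `{0}` as the salt and `{1}` as the password, SHA-256 as the digest, and hex encoding for both salt and digest, none of which the bug report specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.text.MessageFormat;

/** Illustration of salt + MessageFormat + digest verification; not Tomcat code. */
public final class SaltedDigestExample {
    private static final String ALGORITHM = "SHA-256"; // assumed; the realm would make this configurable
    // Assumed pattern: {0} is the per-user salt, {1} is the cleartext credential.
    private static final String CREDENTIAL_FORMAT = "{0}{1}";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Combine salt and credential exactly as the realm would, then digest to lowercase hex. */
    static String digest(String salt, String password) {
        String combined = MessageFormat.format(CREDENTIAL_FORMAT, salt, password);
        try {
            byte[] raw = MessageDigest.getInstance(ALGORITHM)
                    .digest(combined.getBytes(StandardCharsets.UTF_8));
            return toHex(raw);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Fresh random salt for a new user row; stored in its own column next to the digest. */
    static String newSalt() {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        return toHex(salt);
    }

    /** Authentication path: recompute from the stored salt and compare without early exit. */
    static boolean verify(String storedSalt, String storedDigest, String presented) {
        byte[] expected = storedDigest.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = digest(storedSalt, presented).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample row, standing in for a SELECT of salt and digest by user name
        String salt = newSalt();
        String stored = digest(salt, "correct horse");
        System.out.println(verify(salt, stored, "correct horse") && !verify(salt, stored, "wrong"));
    }
}
```

Because the salt is random per user, two users with the same password get different stored digests, which is what defeats a precomputed rainbow table.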
Comment 1 Wesley 2010-08-27 14:00:42 UTC
I'd love to see the salt feature applied.
Comment 2 Mark Thomas 2011-10-28 22:14:06 UTC
The duplicate has a more complete (covers more realms) and less invasive (doesn't require an additional column) patch.

*** This bug has been marked as a duplicate of bug 51966 ***