http://issues.apache.org/bugzilla/show_bug.cgi?id=37334

           Summary: Realm digest property not aligned with the administration console functionalities
           Product: Tomcat 5
           Version: 5.0.31
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]
                CC: [EMAIL PROTECTED]

I noticed that if you set up the "digest" property on an Authentication Realm (Memory, LDAP or whatever you want) you have to put the password digested directly in the repository, but you can't use the administration console, because the code allows the correct use of the digested password only in the authenticate method (RealmBase.java) and not in the addUser one or in the GenericPrincipal class.

The effect is that (for example using a Memory local database) the password is set in clear on the configuration file (tomcat-users.xml) and the authentication fails because the system tries to check it after digesting...

Here are the differences:

    public Principal authenticate(String username, String credentials) {
        GenericPrincipal principal = (GenericPrincipal)principals.get(username);
        boolean validated = false;
        if (principal != null)
            if (hasMessageDigest())
    ....... etc etc (password is checked encrypted)

    void addUser(String username, String password, String roles) {
        ....
        GenericPrincipal principal = new GenericPrincipal(this, username, password, list);
        principals.put(username, principal);
        ...
        (password now is in clear)
    }
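The mismatch described in this report, as an added example that is not Tomcat's code or the reporter's. It is a simplified realm model in which authenticate digests the presented password, one add-user path stores the password as supplied and the other digests it first. The class DigestRealmSketch, its method names, the SHA-256 algorithm and the hex encoding are assumptions made for the sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Simplified model of a realm with a "digest" property; not Tomcat's RealmBase.
public class DigestRealmSketch {
    private final String algorithm;                  // assumed value below: "SHA-256"; null = no digest
    private final Map<String, String> principals = new HashMap<>();

    DigestRealmSketch(String algorithm) { this.algorithm = algorithm; }

    // Hex-encode the digest of the credentials, or return them unchanged if no digest is set.
    String digest(String credentials) {
        if (algorithm == null) return credentials;
        try {
            byte[] hash = MessageDigest.getInstance(algorithm)
                    .digest(credentials.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : hash) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Behaviour described in the report: the password is stored as supplied.
    void addUserAsReported(String user, String password) { principals.put(user, password); }

    // Aligned behaviour: store the same form that authenticate() compares against.
    void addUserDigested(String user, String password) { principals.put(user, digest(password)); }

    // Digest the presented credentials and compare with the stored value in constant time.
    boolean authenticate(String user, String credentials) {
        String stored = principals.get(user);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                digest(credentials).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        DigestRealmSketch realm = new DigestRealmSketch("SHA-256");
        realm.addUserAsReported("alice", "s3cret");  // constructed sample values
        System.out.println("stored in clear: " + realm.authenticate("alice", "s3cret"));
        realm.addUserDigested("bob", "s3cret");
        System.out.println("stored digested: " + realm.authenticate("bob", "s3cret"));
    }
}
```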