https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> 
2011-10-05 21:58:49 UTC ---
I like this idea (and have been considering it for a while), but I don't like
the implementation due to the following reasons:

1. Uses part of the password as the salt, which is not a good idea. Read up on
password salting.
2. Reveals the last 4 bytes of the user's password by using it as the salt :(
(https://issues.apache.org/bugzilla/attachment.cgi?id=27699&action=diff#orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/RealmBase.java_sec7)
3. Static string "ssha" implies SHA-1 hashing (which is flawed)
4. Hard-coded salt-length ("last 4 bytes = 8 characters" which is incorrect)
5. Overloads RealmBase.digest with a 2-argument version, and then always calls
that with null instead of calling the single-arg version
6. Looks like this patch could have been a single minor change to the
RealmBase.digest method

I would support a patch that:

1. Didn't use part of the password to salt the password itself
2. Allowed the realm configuration to specify the hashing algorithm to use
3. Allowed the realm configuration to specify the salt length

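A salted-digest helper that meets the three requirements listed in the comment, written as an added example (not the patch under review and not Tomcat's own RealmBase code): the salt is random and independent of the password, and the digest algorithm and salt length are constructor parameters standing in for assumed realm configuration attributes. The stored format `algorithm$hexSalt$hexDigest` and the use of Java 17's `HexFormat` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

public final class SaltedDigest {
    private final String algorithm;  // e.g. "SHA-256"; stands in for an assumed realm attribute
    private final int saltLength;    // salt length in bytes; stands in for an assumed realm attribute
    private final SecureRandom rng = new SecureRandom();
    private static final HexFormat HEX = HexFormat.of();

    public SaltedDigest(String algorithm, int saltLength) throws NoSuchAlgorithmException {
        MessageDigest.getInstance(algorithm);  // fail fast if the JVM lacks the algorithm
        if (saltLength < 8) throw new IllegalArgumentException("salt must be at least 8 bytes");
        this.algorithm = algorithm;
        this.saltLength = saltLength;
    }

    /** Produces "algorithm$hexSalt$hexDigest" with a fresh random salt per credential. */
    public String hash(String password) {
        byte[] salt = new byte[saltLength];
        rng.nextBytes(salt);  // never derived from the password itself
        return algorithm + "$" + HEX.formatHex(salt) + "$" + HEX.formatHex(digest(salt, password));
    }

    /** Recomputes the digest with the stored salt and compares in constant time. */
    public boolean verify(String password, String stored) {
        String[] parts = stored.split("\\$", 3);
        if (parts.length != 3 || !parts[0].equals(algorithm)) return false;
        byte[] salt = HEX.parseHex(parts[1]);
        byte[] expected = HEX.parseHex(parts[2]);
        return MessageDigest.isEqual(expected, digest(salt, password));
    }

    private byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // already checked in the constructor
        }
    }

    public static void main(String[] args) throws Exception {
        SaltedDigest d = new SaltedDigest("SHA-256", 16);  // constructed sample configuration
        String stored = d.hash("example-password");        // constructed sample credential
        System.out.println(stored);
        System.out.println(d.verify("example-password", stored) + " " + d.verify("wrong", stored));
    }
}
```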