Mark,

On 9/25/14 9:18 AM, Christopher Schultz wrote:
> Mark,
>
> On 9/24/14 12:27 PM, Mark Thomas wrote:
>> On 24/09/2014 16:59, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 9/24/14 5:00 AM, Mark Thomas wrote:
>>>> On 23/09/2014 10:49, Mark Thomas wrote:
>>>>> On 23/09/2014 00:56, "Gabriel E. Sánchez Martínez" wrote:
>>>>>>
>>>>>> On 09/17/2014 04:36 AM, Mark Thomas wrote:
>>>>>>> On 16/09/2014 22:14, Christopher Schultz wrote:
>>>>>>>> Mark,
>>>>>>>>
>>>>>>>> On 9/16/14 3:39 PM, Mark Thomas wrote:
>>>>>>>>> Updated patch:
>>>>>>>>> http://people.apache.org/~markt/patches/2014-09-16-bug56403-tc8-v2.patch
>>>>>>>>>
>>>>>> It's looking good!
>>>>>
>>>>> I have an updated version I need to upload that addresses the remaining issues.
>>>>
>>>> Version 3:
>>>> http://people.apache.org/~markt/patches/2014-09-24-bug56403-tc8-v3.patch
>>>
>>> Looks good.
>>>
>>> I'm just curious: why did you call the class that does PBKDF2 PBECredentialFilter? Does that stand for "Password-based encryption/encoding"?
>>
>> It does.
>>
>>> PBE is often used for "password-based encryption" but here we aren't actually doing any encryption; we're just doing the password part. Naming this class is tough because technically it can use any algorithm that works with Java's SecretKey API.
>>
>> SecretKeyCredentialHandler?
>>
>>> Also, why does ConcurrentMessageDigest.digest have a varargs byte[] parameter? Is it useful to be able to accept more than one byte array to that method?
>>
>> Yes. You want to be able to pass either just the password or the salt and the password.
>
> Gotcha.
>
> +1 for commit.
Are you up for back-porting this to Tomcat 7?

I noticed that you committed to trunk in smaller pieces rather than a single commit. Was that to make it easier to back out certain items if necessary?

Finally, I'd like to write an implementation for bcrypt, which is quite popular, but we have already discussed not wanting to have a build-time dependency on anything we don't absolutely need (a policy with which I totally agree). Where would be the best place to put a bcrypt implementation? Source code on the wiki? There's the possibility of writing an implementation using reflection, but that prospect is quite horrifying to me. :)

-chris
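To make the naming discussion above concrete, here is an added illustrative example (not the patch under review or Tomcat's own code) of a salted, iterated PBKDF2 credential handler built on the JCA SecretKeyFactory API, which is what the "SecretKeyCredentialHandler" suggestion refers to. The class name, the stored `salt$iterations$hash` format, and the iteration and key-length parameters are assumptions chosen for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical sketch of a salted PBKDF2 credential handler on the JCA
// SecretKeyFactory API; illustrative only, not Tomcat's implementation.
public class SecretKeyCredentialExample {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256"; // standard JCA name
    private static final int ITERATIONS = 100_000;                   // assumed work factor

    // Stored form: base64(salt)$iterations$base64(derivedKey). Keeping the salt
    // and iteration count beside the hash lets the cost be raised later.
    public static String mutate(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + "$" + ITERATIONS + "$"
                + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    public static boolean matches(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]);
        int iterations = Integer.parseInt(parts[1]);
        byte[] expected = b64.decode(parts[2]);
        // Constant-time comparison so timing does not reveal the mismatch position.
        return MessageDigest.isEqual(expected, derive(password, salt, iterations));
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // scrub the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        String stored = mutate("correct horse".toCharArray());
        System.out.println(stored);
        System.out.println(matches("correct horse".toCharArray(), stored));
        System.out.println(matches("wrong".toCharArray(), stored));
    }
}
```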