> On Sep 26, 2014, at 17:03, Mark Thomas <ma...@apache.org> wrote:
>
> On 26/09/2014 16:45, Christopher Schultz wrote:
>
>>> +1 for commit.
>>
>> Are you up for back-porting this to Tomcat 7?
>
> Hmm. Not sure at this point. I'd like to give it some time to settle in
> to 8.0.x first.

I understand wanting to wait a bit, but at the same time I am eager to see this in tomcat7, because that's what is available in Ubuntu repositories for 14.04 LTS. Pluggable password derivation is a great feature and a security enhancement that allows admins to follow best practice, so we should make it easy for those who stick with what's available in the repository to enjoy the benefits.

>
>> I noticed that you
>> committed to trunk in smaller pieces rather than a single commit. Was
>> that to make it easier to back-out certain items if necessary?
>
> More so folks could see how the solution evolved.
>
>> Finally, I'd like to write an implementation for bcrypt which is quite
>> popular, but we have already discussed not wanting to have a build-time
>> dependency on anything we don't absolutely need (a policy with which I
>> totally agree).
>
> Can you point me to that discussion (where no doubt I will have taken
> completely the opposite position to the one I am about to take).
>
> Build time dependencies don't bother me as long as:
> - they are required for release (so we don't break things)
> - they are optional for other build targets (so folks can still build a
> working instance without them)
>
> So I'd be +1 for BcryptCredentialHandler that shipped with Tomcat but
> required the user to manually add one or more JARs to make it work.
>
>> Where would be the best place to put a bcrypt implementation? Source
>> code on the wiki? There's the possibility of writing an implementation
>> using reflection, but that prospect is quite horrifying to me. :)
>
> I'm leaning towards "in the source tree" but if you wanted to put it
> somewhere else, the wiki is as good as anywhere.
>
> Mark