2014-09-25 23:33 GMT+04:00  <ma...@apache.org>:
> Author: markt
> Date: Thu Sep 25 19:33:44 2014
> New Revision: 1627614
>
> URL: http://svn.apache.org/r1627614
> Log:
> Update docs
>
> Added:
>     tomcat/trunk/webapps/docs/config/credentialhandler.xml   (with props)
>
> Added: tomcat/trunk/webapps/docs/config/credentialhandler.xml
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/credentialhandler.xml?rev=1627614&view=auto
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/credentialhandler.xml (added)
> +++ tomcat/trunk/webapps/docs/config/credentialhandler.xml Thu Sep 25 
> 19:33:44 2014

(....)

> +  <subsection name="MessageDigestCredentialHandler">
> +
> +    <p>The <strong>MessageDigestCredentialHandler</strong> is used when 
> stored
> +    passwwords are protected by a message digest. This credential handler
> +    supports the following forms of stored passwords:</p>
> +    <ul>
> +      <li><strong>encodedCredential</strong> - a hex encoded digest of the
> +      password digested using the configured digest</li>
> +      <li><strong>{MD5}encodedCredential</strong> - a Base64 encoded MD5
> +      digest of the password</li>
> +      <li><strong>{SHA}encodedCredential</strong> - a Base64 encoded SHA1 
> digest
> +      of the password</li>
> +      <li><strong>{SSHA}encodedCredential</strong> - 20 character salt 
> followed
> +      by the salted SHA1 digest Base64 encoded</li>
> +      <li><strong>salt$iterationCount$encodedCredential</strong> - a hex 
> encoded
> +      salt, iteration code and a hex encoded credential, each separated by
> +      $</li>
> +    </ul>
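
Review bot: The {SSHA} item describes a "20 character salt followed by the salted SHA1 digest", but a SHA-1 digest is itself 20 bytes. Please confirm against the implementation whether 20 is the length of the salt or of the digest and which of the two comes first, and use "byte" rather than "character" for the value before Base64 encoding. In the last item, "iteration code" should read "iteration count" to match the iterationCount token, and "passwwords" in the opening paragraph is misspelled.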


I assume that the default configuration of
MessageDigestCredentialHandler is to assume that the password is
stored in plain text.  The above list of "forms of stored passwords"
does not mention plain text.


> +    <p>If the stored password form does not included an iteration count then 
> an
> +    iteration count of 1 is used.</p>

Typo: s/does not included/does not include/, in the copies of this
phrase for other implementations below as well.

> +    <p>If the stored password form does not include salt then no salt is
> +    used.</p>
> +
> +    <attributes>
> +
> +      <attribute name="algorithm" required="false">
> +        <p>The name of the <code>MessageDigest</code> algorithm

Maybe better to use the full class name, "java.security.MessageDigest", as
we are referring to a JRE class name here.

> used
> +        to encode user passwords stored in the database.  If not specified,
> +        user passwords are assumed to be stored in clear-text.</p>
> +      </attribute>
> +
> +      <attribute name="encoding" required="false">
> +        <p>Digesting the password requires that it is converted to bytes. 
> This
> +        attribute determines the character encoding to use for conversions
> +        between characters and bytes. If not specified, UTF-8 will be 
> used.</p>
> +      </attribute>

Was the legacy implementation using UTF-8 or ISO-8859-1?

> +      <attribute name="iterations" required="false">
> +        <p>The number of iterations to use when creating a new stored 
> crendtial
> +        from a clear text credential.</p>
> +      </attribute>
> +
> +      <attribute name="saltLength" required="false">
> +        <p>The length of the randomly generated salt ot use use when 
> creating a
> +        new stored crendtial from a clear text credential.</p>
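
Review bot: The iterations and saltLength attributes state neither a default value nor, for saltLength, a unit, whereas the encoding attribute just above does give its default (UTF-8). Please add the defaults used when a new stored credential is created and say whether saltLength is counted in bytes. The saltLength sentence also has a doubled "use" ("ot use use").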

Typos: s/ot/to/,
s/crendtial/credential/ (the latter typo occurs in many places in this text)

> +      </attribute>
> +
> +    </attributes>
> +
> +  </subsection>
> +
> +  <subsection name="NestedCredentialHandler">

I guess that one cannot nest NestedCredentialHandler into
NestedCredentialHandler?
(The same as with nesting Realms - you have to set a system property
to configure digester rules to process more than 3 nested levels of
Realms).


> +    <p>The <strong>NestedCredentialHandler</strong> is an implementation of
> +    <strong>CredentialHandler</strong> that delegates to one or more
> +    sub-CredentialHandlers.</p>
> +
> +    <p>Using the <strong>NestedCredentialHandler</strong> gives the developer
> +    the ability to combine multiple <strong>CredentialHandler</strong>s of 
> the
> +    same or different types.</p>
> +
> +    <p>Sub-CredentialHandlers are defined by nesting CredentialHandler 
> elements
> +    inside the <code>CredentialHandler</code> element that defines the
> +    NestedCredentialHandler. Credentials will be matched against each
> +    <code>CredentialHandler</code> in the order they are listed. A match 
> against
> +    any CredentialHandler will be sufficient for the credentials to be
> +    considered matched.</p>
> +
> +  </subsection>
> +
> +  <subsection name="PBECredentialHandler">
> +
> +    <p>The <strong>PBECredentialHandler</strong> is used when stored 
> passwwords
> +    are built using password based encrytpion. This credential handler 
> supports
> +    the following forms of stored passwords:</p>
> +    <ul>
> +      <li><strong>salt$iterationCount$encodedCredential</strong> - a hex 
> encoded
> +      salt, iteration code and a hex encoded credential, each separated by
> +      $</li>
> +    </ul>
> +
> +    <p>If the stored password form does not included an iteration count then 
> an
> +    iteration count of 1 is used.</p>
> +
> +    <p>If the stored password form does not include salt then no salt is
> +    used.</p>
> +
> +    <attributes>
> +
> +      <attribute name="algorithm" required="false">
> +        <p>The name of the password based encryption algorithm used
> +        to encode user passwords stored in the database.  If not specified, a
> +        default of <code>PBKDF2WithHmacSHA1</code> is used.</p>
> +      </attribute>
> +
> +      <attribute name="keyLength" required="false">
> +        <p>The length of key to generate for the stored credential. If not
> +        specified, a default of <code>160</code> is used.</p>
> +      </attribute>
> +
> +      <attribute name="iterations" required="false">
> +        <p>The number of iterations to use when creating a new stored 
> crendtial
> +        from a clear text credential.</p>
> +      </attribute>
> +
> +      <attribute name="saltLength" required="false">
> +        <p>The length of the randomly generated salt ot use use when 
> creating a
> +        new stored crendtial from a clear text credential.</p>
> +      </attribute>
> +
> +    </attributes>
> +
> +  </subsection>
> +
> +</section>
> +
> +
> +<section name="Nested Components">
> +
> +  <p>If you are using the <em>NestedCredentialHandler Implementation</em> or 
> a
> +  CredentialHandler that extends the NestedCredentialHandler one or more
> +  <strong>&lt;CredentialHandler&gt;</strong> elements may be nested inside 
> it.
> +  </p>
> +
> +</section>
> +
> +
> +<section name="Special Features">
> +
> +  <p>No special features are associated with a
> +  <strong>CredentialHandler</strong> element.</p>
> +
> +</section>
> +
> +</body>
> +
> +</document>
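
Review bot: In the PBECredentialHandler subsection, the two paragraphs about a stored form with no iteration count or no salt read as copied from MessageDigestCredentialHandler, yet the only form listed here is salt$iterationCount$encodedCredential, which always carries both. Either list the other forms this handler accepts or drop those paragraphs. The keyLength attribute should state its unit next to the default of 160, iterations and saltLength again give no defaults, and "encrytpion" and "passwwords" are misspelled.
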
>
> Propchange: tomcat/trunk/webapps/docs/config/credentialhandler.xml
> ------------------------------------------------------------------------------
>     svn:eol-style = native
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
