2014-10-22 14:22 GMT+04:00 Mark Thomas <ma...@apache.org>:
> On 17/10/2014 14:13, Konstantin Kolinko wrote:
>> 2014-09-30 19:22 GMT+04:00 Konstantin Kolinko <knst.koli...@gmail.com>:
>>> 2014-09-29 14:43 GMT+04:00 Mark Thomas <ma...@apache.org>:
>>>> On 27/09/2014 15:52, Konstantin Kolinko wrote:
>>> (....)
>>>
>>>>> 4) The current javadoc for RealmBase.main() says that algorithm (-a)
>>>>> is not required and "If not specified a default of SHA-512 will be
>>>>> used."
>>>>>
>>>>> I wonder whether that is justified.
>>>>
>>>> That is what is currently implemented. Happy to discuss changes but
>>>> SHA-512 doesn't seem unreasonable to me.
>>>
>>>
>>> I think there is a contradiction between -a <algorithm> and -h
>>> <credential handler implementation class> keys:
>>> 1) If -h is used I think it shall default to whatever default
>>> algorithm the credential handler implements.
>>> 2) Custom credential handler implementations may lack setAlgorithm() method.
>>>
>>> I think that one of (-a, -h) is required, with no default for either.
>>> The old code had no default for algorithm.
>
> I agree with the two issues above but I have a different solution.
>
> If neither -a nor -h is specified, SHA-512 and
> MessageDigestCredentialHandler will be used.
>
> If only -a is specified, the built-in handlers will be searched in order
> (MessageDigestCredentialHandler, SecretKeyCredentialHandler) and the
> first handler that supports the algorithm will be used.
>
> If only -h is specified, no default will be used for -a. The handler may
> or may not support -a and may or may not supply a sensible default.

OK for me, if you find SHA-512 default useful.

It is just my personal preference to ask the caller to specify
algorithm name explicitly.

(The actual algorithm that a user needs depends upon how the realm is
configured in server.xml/context.xml. I think that not much typing is
saved by having a default here. I think that many tools such as
openssl do not have default algorithm names in their command line.
E.g. I do not see any default for "genpkey" command
https://www.openssl.org/docs/apps/genpkey.html )

I filed an issue for further improvements,
https://issues.apache.org/bugzilla/show_bug.cgi?id=57130

Best regards,
Konstantin Kolinko
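
The -a/-h resolution rules proposed in the quoted reply, as an added example that is not part of the thread and is not Tomcat's code. The class and method names are hypothetical. "Supports the algorithm" is approximated here by JCA provider lookups, and passing -a through when both options are given is also an assumption.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.SecretKeyFactory;

/** Added illustration; HandlerDefaults and resolve() are hypothetical names. */
public class HandlerDefaults {

    // Built-in handler names as given in the thread, in search order.
    static final String DIGEST = "MessageDigestCredentialHandler";
    static final String SECRET_KEY = "SecretKeyCredentialHandler";

    /** Returns {handler, algorithm}; algorithm is null when left to the handler. */
    static String[] resolve(String a, String h) {
        if (a == null && h == null) {
            return new String[] { DIGEST, "SHA-512" };   // neither option given
        }
        if (h != null) {
            // -h given: no default for -a. If -a is also given it is passed
            // through (assumption); the handler may or may not support it.
            return new String[] { h, a };
        }
        // Only -a given: first built-in handler that supports the algorithm.
        if (digestSupports(a)) return new String[] { DIGEST, a };
        if (secretKeySupports(a)) return new String[] { SECRET_KEY, a };
        throw new IllegalArgumentException("No built-in handler supports " + a);
    }

    // Assumption: support is checked via the JCA provider registry.
    static boolean digestSupports(String alg) {
        try { MessageDigest.getInstance(alg); return true; }
        catch (NoSuchAlgorithmException e) { return false; }
    }

    static boolean secretKeySupports(String alg) {
        try { SecretKeyFactory.getInstance(alg); return true; }
        catch (NoSuchAlgorithmException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed inputs; com.example.MyHandler is a placeholder class name.
        String[][] cases = { { null, null }, { "SHA-256", null },
            { "PBKDF2WithHmacSHA1", null }, { null, "com.example.MyHandler" } };
        for (String[] c : cases) {
            String[] r = resolve(c[0], c[1]);
            System.out.println("-a " + c[0] + " -h " + c[1] + " => " + r[0] + " / " + r[1]);
        }
    }
}
```

With only -h given, the algorithm stays null, so the digest actually written to the user database depends entirely on the custom handler and has to match what the realm in server.xml/context.xml expects.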