NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide
Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
Digested Passwords
For each standard Realm implementation, the user's password (by default) is stored in plain text. In most environments, this situation is not acceptable because casual observers of the authentication data can collect enough information to log on successfully and impersonate other users. To avoid this problem, the standard Realm implementations support the concept of digesting user passwords. Digesting passwords causes the stored version of passwords to be encoded in a form that is not easily reversible but which the Realm implementation can still use for authentication.
You can enable digested passwords by specifying the digest attribute in the Realm element. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (such as SHA or MD5).
When you specify this option, the contents of the password that are stored in the Realm must be the digested version of the plain text password, as digested by the specified algorithm. When the authenticate() method of the Realm is called, the (plain text) password specified by the user is digested by the same algorithm, and the result is compared with the value returned by the Realm. A match means that the user is authorized.
To calculate the digested value of a plain text password, you can use the following techniques:

- If you are writing an application that needs to calculate digested passwords dynamically, call the static Digest() method of the org.apache.catalina.realm.RealmBase class, passing the plain text password and the digest algorithm name as arguments. This method returns the digested password.

- A command-line utility (nsjsp_digestPassword) is available to calculate the digested password. Enter the following at the command-line prompt:

  <NSJSP_HOME>/conf/nsjsp_digestPassword {digest algorithm} {cleartext-password}

  The digested version of this plain text password is returned to the standard output.
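The flow described above (store digest(password), then digest the supplied password with the same algorithm and compare), shown as an added Python example that is not part of this guide or of NSJSP. It reimplements the digest step with hashlib rather than calling RealmBase.Digest(), and assumes that the Java algorithm name "SHA" means SHA-1 and that the stored value is a lowercase hex string; the user entries are constructed sample data.

```python
import hashlib
import hmac

# Java MessageDigest algorithm names from the guide mapped to hashlib names.
# Assumption: the Java name "SHA" resolves to SHA-1.
_ALGORITHMS = {
    "SHA": "sha1",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "MD5": "md5",
}


def digest_password(plaintext: str, algorithm: str) -> str:
    """Return the digest of a plain text password as a lowercase hex string.

    This stands in for RealmBase.Digest() / nsjsp_digestPassword (assumed
    output format: hex); the same function is used when storing and when
    authenticating, so both sides agree on the encoding.
    """
    try:
        name = _ALGORITHMS[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    return hashlib.new(name, plaintext.encode("utf-8")).hexdigest()


def authenticate(stored_credentials: dict, username: str,
                 password: str, algorithm: str) -> bool:
    """Mirror of the Realm's authenticate() flow with digest enabled."""
    stored = stored_credentials.get(username)
    if stored is None:
        return False
    candidate = digest_password(password, algorithm)
    # Constant-time comparison: a mismatch should not reveal how much matched.
    return hmac.compare_digest(stored.lower(), candidate)


# Constructed sample Realm contents. "alice" is stored correctly (digested);
# "bob" was left in plain text, which can never match once digest is enabled,
# exactly the misconfiguration the guide warns about.
REALM_ALGORITHM = "SHA"
USERS = {
    "alice": digest_password("s3cret", REALM_ALGORITHM),
    "bob": "plain-text-password",
}

if __name__ == "__main__":
    print(authenticate(USERS, "alice", "s3cret", REALM_ALGORITHM))
    print(authenticate(USERS, "alice", "wrong", REALM_ALGORITHM))
    print(authenticate(USERS, "bob", "plain-text-password", REALM_ALGORITHM))
```

Note that an unsalted digest like this protects only against casual reading of the credential store; identical passwords produce identical stored values, so the stored file still needs to be access-controlled.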
Single Sign-On
You can use the single sign-on feature when you wish to provide users the ability to sign on to any one of the web applications associated with your virtual host, and then have their identity recognized by all other web applications on the same virtual host. This feature is provided in the form of a valve called SingleSignOn. The single sign-on facility operates according to the following rules:

- All web applications configured for this virtual host must share the same Realm. This means you can nest the Realm element inside this Host element (or the