NonStop Servlets for JSP System Administrator's Guide
Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) System Administrator’s Guide—525644-001
3-31
Digested Passwords
For each of the standard realm implementations, the user's password is by default
stored in clear text. In many environments this is undesirable, because anyone who can
read the authentication data (a configuration file, a database table, or a directory entry)
has everything needed to log on successfully and impersonate other users. To reduce this
exposure, the standard implementations support digesting user passwords: the stored
value is a one-way digest of the password, which is not easily reversible to the clear text
but which the Realm implementation can still use for authentication. Note that the digest
is unsalted, so two users with the same password have the same stored value, and a
precomputed dictionary of digests can still be checked against the stored data. Digesting
keeps casual observers from reading passwords; it does not make the stored data safe to
disclose.
You select digested passwords by specifying the digest attribute on your <Realm>
element. The value for this attribute must be one of the digest algorithm names supported
by the java.security.MessageDigest class (SHA, MD2, or MD5; SHA is the Java alias for
SHA-1). When you select this option, the password stored in the realm must be the
digested version of the clear text password, as digested by the specified algorithm and
expressed as a hexadecimal string in the form produced by the tools described below.
When the authenticate() method of the realm is called, the clear text password
supplied by the user is itself digested by the same algorithm, and the result is compared
with the value returned by the Realm. An exact match means the user is authenticated;
the roles associated with that user then determine what the user is authorized to do.
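A minimal configuration wiring the two halves together, added here as an example rather than taken from the guide: the Realm element names the algorithm, and the user store holds the digest instead of the clear text. The MemoryRealm and the tomcat-users.xml attribute names are those of the Tomcat 4 code base on which NSJSP is built and are assumed here; the user alice is hypothetical and her stored value is the MD5 digest of the constructed password "password". Example 3-25 below shows the JNDIRealm form of the Realm element.

```xml
<!-- server.xml: weak form, passwords in the user store are compared in clear text -->
<Realm className="org.apache.catalina.realm.MemoryRealm" debug="0"/>

<!-- server.xml: corrected form, the realm digests the supplied password with MD5
     before comparing it with the stored value -->
<Realm className="org.apache.catalina.realm.MemoryRealm" debug="0" digest="MD5"/>

<!-- tomcat-users.xml: with digest="MD5" the password attribute must hold the
     hex MD5 digest, here md5("password") for the hypothetical user alice -->
<tomcat-users>
  <user name="alice" password="5f4dcc3b5aa765d61d8327deb882cf99" roles="manager"/>
</tomcat-users>
```

Switching an existing realm to digest="MD5" without re-encoding every stored password locks out all users, because the realm then compares a digest against the old clear text values.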
To calculate the digested value of a clear text password, two convenient techniques
are supported:
•
If you are writing an application that needs to calculate digested passwords
dynamically, call the static Digest() method of the
org.apache.catalina.realm.RealmBase class, passing the clear text
password and the digest algorithm name as arguments. This method returns the
digested password as a hexadecimal string.
•
If you want to execute a command line utility to calculate the digested password,
run, with the Catalina classes on the classpath,
java org.apache.catalina.realm.RealmBase \
-a {algorithm} {cleartext-password}
and the digested version of the clear text password is written to standard
output. Note that a password passed this way is visible in the process argument
list and in the shell history.
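The following Python script is an added example, not code from the guide or from the Catalina code base. It reproduces what the two techniques above compute (the raw digest of the password bytes rendered as lowercase hex, which is the form RealmBase.Digest() returns), mirrors the realm's authenticate() comparison, and adds the audit check a practitioner would want given that the digests are unsalted: finding accounts that share a stored value. The user names and passwords are constructed; the encoding of the password bytes as UTF-8 is an assumption (Java's getBytes() uses the platform default, which gives the same bytes for ASCII passwords).

```python
import hashlib
import hmac

# Digest algorithm names accepted by the digest attribute, mapped to the
# corresponding hashlib names. Java's "SHA" is an alias for SHA-1.
ALGORITHMS = {"MD5": "md5", "SHA": "sha1", "MD2": "md2"}


def digest_password(cleartext, algorithm):
    """Digest a clear text password the way RealmBase.Digest() does:
    raw digest of the password bytes, rendered as lowercase hex.
    UTF-8 encoding is assumed; MD2 is only available if the local
    OpenSSL build provides it."""
    name = ALGORITHMS[algorithm.upper()]
    return hashlib.new(name, cleartext.encode("utf-8")).hexdigest()


def authenticate(stored_value, supplied_cleartext, algorithm):
    """Mirror of the realm's authenticate() with digesting enabled: digest
    the supplied password and compare it with the stored hex value.
    Hex case is normalised; a constant-time comparison avoids leaking how
    many leading characters matched."""
    expected = digest_password(supplied_cleartext, algorithm)
    return hmac.compare_digest(stored_value.lower(), expected)


def shared_password_groups(users):
    """Audit check: because the digests are unsalted, accounts that share a
    password share a stored value. Return {digest: [user, ...]} for every
    stored value used by more than one account."""
    by_digest = {}
    for name, stored in users.items():
        by_digest.setdefault(stored.lower(), []).append(name)
    return {d: names for d, names in by_digest.items() if len(names) > 1}


# Constructed user table, as a realm configured with digest="MD5" would store
# it. The user names are hypothetical; the clear text is shown only here.
CLEARTEXT = {"alice": "password", "bob": "Tr0ub4dor&3", "carol": "password"}
USERS = {name: digest_password(pw, "MD5") for name, pw in CLEARTEXT.items()}

if __name__ == "__main__":
    for name, stored in USERS.items():
        print(name, stored)
    print("alice/password ->", authenticate(USERS["alice"], "password", "MD5"))
    print("alice/wrong    ->", authenticate(USERS["alice"], "wrong", "MD5"))
    print("shared passwords:", shared_password_groups(USERS))
```

Running the script shows alice and carol with the same stored value, which is exactly what an attacker who reads the user store also sees; this is why digesting is a mitigation against casual disclosure rather than a substitute for protecting the store itself.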
Example 3-25. Realm Element for the OpenLDAP Directory Server
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="0"
       connectionName="cn=Manager,dc=hp,dc=com"
       connectionPassword="secret"
       connectionURL="ldap://nonstop.hp.com:1025"
       roleBase="dc=roles,dc=hp,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false"
       userPassword="userPassword"
       userPattern="cn={0},dc=hp,dc=com"/>