Bug 45871

Summary: Support for salted and digested patches in DataSourceRealm
Product: Tomcat 6 Reporter: Brandon DuRette <brandond>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED DUPLICATE    
Severity: enhancement Keywords: PatchAvailable
Priority: P2    
Version: unspecified   
Target Milestone: default   
Hardware: PC   
OS: All   
Attachments: Patch for DataSourceRealm (trunk)

Description Brandon DuRette 2008-09-23 21:46:21 UTC
Created attachment 22627 [details]
Patch for DataSourceRealm (trunk)

Simple hashing of passwords stored in databases is no longer sufficient security for passwords. The root of the issue is that users are bad at remembering strong passwords, so they choose weak ones. Weak passwords when hashed can be reversed using available rainbow tables and cracking software. To combat this, passwords should be uniquely "salted" before being hashed and stored in the database. 

The attached patch enhances DataSourceRealm to allow it to authenticate against a salted digested password. If configured to use salt, the user's salt is queried from the database and then combined with the user's provided credentials using a configurable MessageFormat before digesting. Authentication proceeds otherwise unchanged.

A similar patch could, and arguably should, be applied to JDBCRealm, but based on some discussion on the list about deprecating JDBCRealm (and because I don't use JDBCRealm personally), I did not work on JDBCRealm. I would be happy to port this patch to JDBCRealm if that's desired.

Limitation(s):

This patch does not impact the behavior of the RFC 2069 authentication method in RealmBase.

If/when this patch is accepted, the documentation for DataSourceRealm will need to be updated. I'll gladly volunteer to do those updates as well.

http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Rainbow_table
Comment 1 Wesley 2010-08-27 14:00:42 UTC
I'd love to see the salt feature applied.
Comment 2 Mark Thomas 2011-10-28 22:14:06 UTC
The duplicate has a more complete (covers more realms) and less invasive (doesn't require an additional column) patch.

*** This bug has been marked as a duplicate of bug 51966 ***