Encrypting Passwords in Tomcat using Servlets

By: Sam Chen


In Tomcat, it’s easy to encrypt passwords by adding the digest attribute to a realm definition. The value must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5). To expand on the earlier example, the XML snippet shown next adds SHA digesting to a file-based realm:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0" resourceName="UserDatabase" digest="SHA" />

To log into the application, you now need to replace the cleartext password stored in tomcat-users.xml with its digested form. You can produce that value by executing the following command:

java org.apache.catalina.realm.RealmBase -a SHA {cleartext-password}

where catalina.jar is in the CLASSPATH. Now, copy and paste this new password into the %TOMCAT_HOME%\conf\tomcat-users.xml file. The problem with this method of password encryption is that it depends on Tomcat’s realm and might not be portable. Let’s take a look at programmatic encryption. You’ll need to add encrypt.password=true to the build.properties file, pass it in from the command line with ant -Dencrypt.password=true, or edit the default setting in app-settings.xml. If you’re using the binary version (.war file) of this application, simply edit the following <init-param> of the LoginServlet (in the web.xml file):

<init-param>
    <param-name>encrypt-password</param-name>
    <param-value>true</param-value>
</init-param>

Next, you need to actually encrypt the password within your servlet. To do this, create an encodePassword(String password, String algorithm) method in a StringUtil.java class. This method uses the java.security.MessageDigest class to digest a string and render the result as hex:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class StringUtil {

    // The original snippet calls log.error(); a Commons Logging logger is
    // assumed here for that call.
    private static final Log log = LogFactory.getLog(StringUtil.class);

    public static String encodePassword(String password, String algorithm) {
        byte[] unencodedPassword = password.getBytes();
        MessageDigest md = null;
        try {
            // first create an instance, given the provider
            md = MessageDigest.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            log.error("Exception: " + e);
            // unknown algorithm: the cleartext is returned unchanged
            return password;
        }
        md.reset();
        // call the update method one or more times
        // (useful when you don't know the size of your data, e.g. stream)
        md.update(unencodedPassword);
        // now calculate the hash
        byte[] encodedPassword = md.digest();
        // render the digest as lowercase hex, two characters per byte
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < encodedPassword.length; i++) {
            if (((int) encodedPassword[i] & 0xff) < 0x10) {
                buf.append("0");
            }
            buf.append(Long.toString((int) encodedPassword[i] & 0xff, 16));
        }
        return buf.toString();
    }
}

This method digests a string with the algorithm you pass in. The algorithm is defined in LoginServlet and is configurable at build time via the ${encrypt-algorithm} variable. The default setting is SHA.
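The following class is an added example, not code from the tutorial or from Tomcat: it produces the same lowercase-hex digest form that the realm command and encodePassword above emit (so the servlet-side and realm-side values interoperate), and it adds the verification step the tutorial leaves implicit, comparing a submitted password against the stored digest with MessageDigest.isEqual. It assumes Java 17 or later for java.util.HexFormat and UTF-8 as the cleartext encoding; note that the realm digest is unsalted, so two users with the same password get the same stored value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Added example (not part of the original tutorial): digest a cleartext
// password into the hex form stored in tomcat-users.xml and verify a login
// attempt against it.
public class DigestCheck {

    // Digest the cleartext with the realm's algorithm (e.g. "SHA", the JDK
    // alias for SHA-1) and render it as lowercase hex.
    static String digestHex(String cleartext, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] raw = md.digest(cleartext.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(raw);
    }

    // Compare a submitted password with the stored digest. The comparison
    // runs over the raw digest bytes with MessageDigest.isEqual, which does
    // not stop at the first differing byte, so its timing does not reveal
    // how much of the digest matched.
    static boolean verify(String submitted, String storedHex, String algorithm)
            throws NoSuchAlgorithmException {
        byte[] stored = HexFormat.of().parseHex(storedHex);
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] actual = md.digest(submitted.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(stored, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample credential, not a real account.
        String password = "s3cret";
        String stored = digestHex(password, "SHA");
        // value to paste into the password attribute in tomcat-users.xml
        System.out.println("password=\"" + stored + "\"");
        System.out.println(verify("s3cret", stored, "SHA"));  // true
        System.out.println(verify("S3cret", stored, "SHA"));  // false
    }
}
```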

If you’re using password encryption and also have a retrieve-password feature, you’ll probably want to add a password_hint column in your user store, because a digested password cannot be turned back into the original. It’s hard enough to remember all the passwords you keep, and it’s annoying when you have to create a new password, so the “send me a hint” tactic is useful.
