I want to tap into Tomcat's authentication features by declaring a JDBCRealm. However, I cannot use the standard MD5 digest to encrypt the user's password. What I need is the ability to intercept the user name and password entered by the user and pass that to a custom class that will yield the encrypted password (we use the Jasypt encryption framework with some custom key generation stuff...so it's not going to work out of the box with a standard JDBCRealm implementation).
So, my question is, do I extend the JDBCRealm class or what? Can someone point me in the right direction?
Yes, extending JDBCRealm is the way to go. It in turn inherits setDigest and setDigestEncoding methods from RealmBase that you can use to plug in whatever digest implementation you prefer.
A while ago I wrote an article that talked about setting up Tomcat for using a custom realm; see the end of this article. It extends UserDatabaseRealm, but the overall approach is the same.
[ June 24, 2008: Message edited by: Ulf Dittmer ]
Originally posted by Ulf Dittmer: Yes, extending JDBCRealm is the way to go. It in turn inherits setDigest and setDigestEncoding methods from RealmBase that you can use to plug in whatever digest implementation you prefer.
Thanks for pointing that out. I'm still trying to understand the Realm framework, and the sequence in which the framework methods are invoked by the Container. Are you able to clarify this for me?
For example, in what order are the authenticate(), setDigest(), setDigestEncoding(), and getPassword() methods invoked? I'm not really sure which of these I need to override.
Basically all I need to do is to intercept the cleartext password and pass it to my password encryption class. It has a checkPassword() method that will take the cleartext, and then encrypt it, and compare it to the encrypted version stored in the database.
So, I don't need my custom JDBCRealm to do any encryption; it will just delegate authentication to existing code.
In my server.xml file, I'd like to specify a custom MD5 digest name that my JDBCRealm class will check for before passing it off to my authentication class.
I hope that made sense!
I'm not sure about the sequence of invocations, either. But the source to both classes is well documented, and you can always resort to putting some logging statements into them to find out what's being called when.
As to parameters in server.xml being passed - I'm not sure how that happens. JDBCRealm has getters and setters for the connection parameters, which makes it look to me as if Tomcat would look for setters based on the name of whatever parameters it finds. You can try an "algorithm" parameter, and add getAlgorithm/setAlgorithm methods to the class extending JDBCRealm.
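The approach discussed in this thread, as an added example (not code from the posters or from Tomcat): a JDBCRealm subclass that overrides authenticate() and hands the cleartext password and the stored value to an existing checker. `DelegatingJDBCRealm`, `PasswordChecker`, the `checkerClass` attribute and the package and class names in the comment are hypothetical; it assumes a Tomcat release whose JDBCRealm implements getPassword(String) and getPrincipal(String).

```java
package example.realm; // hypothetical package

import java.security.Principal;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.catalina.realm.JDBCRealm;

// Hypothetical server.xml entry (connection attributes as for a stock JDBCRealm):
//   <Realm className="example.realm.DelegatingJDBCRealm"
//          checkerClass="com.example.SitePasswordChecker" ... />
public class DelegatingJDBCRealm extends JDBCRealm {

    /** Hypothetical contract wrapping the site's existing checkPassword() code. */
    public interface PasswordChecker {
        boolean checkPassword(String cleartext, String storedValue);
    }

    private static final Logger LOG = Logger.getLogger(DelegatingJDBCRealm.class.getName());
    private String checkerClass;     // injected from the checkerClass attribute
    private PasswordChecker checker; // created on first use, under the realm lock

    // Tomcat sets <Realm> attributes through matching bean setters.
    public void setCheckerClass(String checkerClass) { this.checkerClass = checkerClass; }
    public String getCheckerClass() { return checkerClass; }

    @Override
    public synchronized Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null; // fail closed on missing input
        }
        try {
            if (checker == null) {
                checker = (PasswordChecker) Class.forName(checkerClass)
                        .getDeclaredConstructor().newInstance();
            }
            // Value of userCredCol for this user, or null if the user is unknown.
            String stored = getPassword(username);
            if (stored == null || !checker.checkPassword(credentials, stored)) {
                return null;
            }
            return getPrincipal(username); // principal with roles from the role table
        } catch (Exception e) {
            // Log the failure but never the submitted credentials.
            LOG.log(Level.SEVERE, "Delegated password check failed", e);
            return null;
        }
    }
}
```

Because authenticate() is overridden, the realm's digest attribute plays no part in the comparison; the checker class must be loadable by the same class loader as the realm.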