How do I use MD5 passwords with a JDBC Realm for Tomcat?
Author: Deron Eriksson
Description: This Tomcat tutorial describes how to configure Tomcat to use MD5 digest passwords with a JDBC Realm.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 2.0 (Eclipse 3.3.0) || Tomcat 5.5.20
In another tutorial, we saw how we could configure Tomcat to use a JDBC Realm with MySQL. In that tutorial, we stored user passwords in a database table in clear text. Sometimes this is fine, but often passwords are stored as their MD5 digests. MD5 is a one-way hash: the password can be used to generate the digest, but the digest can't be used to recover the original password. So, typically, the MD5 digest of the password is stored in the database. Then, when a user types his or her name and password, the typed password is MD5 digested, and this digest is compared with the digest in the database. If the digests match, the correct password was entered. This is more secure than storing passwords in plain text, but it does have the inconvenience that if the user forgets the original password, it can't be retrieved, and the user needs to be assigned a new password.
Modifying the JDBC realm entry from our previous Tomcat JDBC realm tutorial to use MD5 digest passwords is very easy. We just need to add a digest attribute to the Realm element and set its value to "MD5".
JDBC Realm entry from Tomcat's server.xml
...
<Realm className="org.apache.catalina.realm.JDBCRealm"
       digest="MD5"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost:3306/tomcat_realm"
       connectionName="realm_access"
       connectionPassword="realmpass"
       userTable="tomcat_users"
       userNameCol="user_name"
       userCredCol="password"
       userRoleTable="tomcat_users_roles"
       roleNameCol="role_name" />
...
That's all we need to do on Tomcat's side! Now, let's add a user/MD5-digest to our tomcat_users table. So, how exactly do you generate an MD5 digest for a String? I show an example of how to do this in another tutorial. In this other tutorial, I entered the original String "secret", and obtained the hex form of the MD5 digest, which is the following 32-character String: "5ebe2294ecd0e0f08eab7690d2a6ee69".
The word 'secret' and its MD5 digest in hex format:
Let's add a user to our tomcat_users table that we created in the other tutorial. Let's call the user 'curly' with the password 'secret', but since we're going to store the hex representation of 'secret', we'll use the password '5ebe2294ecd0e0f08eab7690d2a6ee69'. Let's also add 'curly' to our tomcat_users_roles table, with the role of 'manager'. I'll create 'insert' statements to do this, shown here in the 'add_curly.sql' script:
USE tomcat_realm;
INSERT INTO tomcat_users (user_name, password) VALUES ('curly', '5ebe2294ecd0e0f08eab7690d2a6ee69');
INSERT INTO tomcat_users_roles (user_name, role_name) VALUES ('curly', 'manager');
COMMIT;
After running the script, we can see that 'curly' has been added to the tomcat_users table with the MD5 digest password and has been added to the tomcat_users_roles table with 'manager' as the role.
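The following is an added example, not code from the tutorial or from Tomcat, that shows in Python what the digest="MD5" setting makes the Realm do: compute the hex MD5 digest of a password the way the password column stores it, and check a login by digesting the typed password and comparing it with the stored digest. The tomcat_users and tomcat_users_roles tables are mirrored as in-memory dictionaries (constructed sample data) so it runs offline; the helper names md5_hex, authenticate and add_user are mine, and the constant-time comparison is my choice rather than something the page describes.

```python
import hashlib
import hmac

# Constructed in-memory stand-ins for the two realm tables from the tutorial.
# The one real row is 'curly', whose password column holds MD5("secret")
# in hex, exactly the value inserted by add_curly.sql.
TOMCAT_USERS = {
    "curly": "5ebe2294ecd0e0f08eab7690d2a6ee69",
}
TOMCAT_USERS_ROLES = {
    "curly": ["manager"],
}


def md5_hex(password: str) -> str:
    """Hex form of the MD5 digest, the 32-character string stored in the password column."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def add_user(user_name: str, password: str, roles: list) -> str:
    """Mirror the two INSERT statements: store the digest, never the password, and the roles.

    Returns the digest that was stored so the caller can see what went into the table.
    Note that the digest is unsalted, so two users with the same password get the
    same stored value; this is inherent to the Realm's plain digest="MD5" setting.
    """
    digest = md5_hex(password)
    TOMCAT_USERS[user_name] = digest
    TOMCAT_USERS_ROLES[user_name] = list(roles)
    return digest


def authenticate(user_name: str, password: str):
    """Digest the typed password and compare it with the stored digest.

    Returns the user's list of roles on success, or None when the user is unknown
    or the digests differ (the Realm then rejects the login).
    """
    stored = TOMCAT_USERS.get(user_name)
    if stored is None:
        return None
    # hmac.compare_digest keeps the comparison time independent of where the
    # two hex strings first differ; the Realm only needs equality, this is my choice.
    if not hmac.compare_digest(md5_hex(password), stored.lower()):
        return None
    return list(TOMCAT_USERS_ROLES.get(user_name, []))


if __name__ == "__main__":
    print("MD5('secret') =", md5_hex("secret"))
    print("curly/secret  ->", authenticate("curly", "secret"))
    print("curly/Secret  ->", authenticate("curly", "Secret"))
```

Running the block prints the same digest the tutorial obtained for "secret", grants 'curly' the manager role for the right password, and returns None for a wrong one. Because the digest is unsalted, adding a second user with password 'secret' via add_user stores the identical hex string, which is why the same password can be recognised across rows just by comparing the column.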
(Continued on page 2)