I am using Tomcat 6 and currently have forms authentication working with clear-text passwords in a MySQL database. I have added encryption to the password to hash the password in SHA-256 and it seems to work, but when I try to authenticate via Tomcat 6 using digest="SHA-256" and digestEncoding="base64" in server.xml, it will not authenticate. If I copy the password from the database and enter it into the password field, I can authenticate my user.
How do I get Tomcat to allow me to authenticate a user with a normal password but a stored hashed password in MySQL?
Here is the hashing code that I added to my application:
import java.security.MessageDigest;
import org.apache.commons.codec.binary.Base64; // Apache Commons Codec
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
byte[] bin = messageDigest.digest(password.getBytes("UTF-8"));
return Base64.encodeBase64String(bin); // stores the base64 text of the raw digest, not hex
The answer to this is pretty simple actually - create a custom Tomcat realm. The realm is the part that does the actual authentication and if you want to test against your database (especially if encrypted or hashed) the realm authentication method is what you have to override.
See http://www.christianschenk.org/blog/setup-your-own-tomcat-security-realm/
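As an added illustration (not the asker's code and not the code from the linked post), here is the check a custom realm's authenticate method has to perform, written in Python for brevity: it hashes the submitted password exactly as the question's Java snippet does and compares the result with the stored base64 value. It also shows why the server.xml digest setting never matches: Tomcat's built-in comparison hex-encodes the digest it computes (digestEncoding is the charset of the cleartext, not the output encoding), so a base64 column can never equal it. The user table is a constructed sample.

```python
import base64
import hashlib
import hmac


def sha256_base64(password: str) -> str:
    """Same transformation as the question's Java code: SHA-256 over UTF-8 bytes, base64 text."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def sha256_hex(password: str) -> str:
    """What Tomcat's built-in digest="SHA-256" realm computes for comparison: the same digest, hex text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample of the users table the application writes to MySQL (username -> base64 hash).
USERS = {"alice": sha256_base64("correct horse")}


def authenticate(username: str, password: str) -> bool:
    """Custom-realm style check: hash the submitted password the same way the app did, then compare."""
    stored = USERS.get(username)
    candidate = sha256_base64(password)  # computed even for unknown users, so timing does not leak existence
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)  # constant-time compare of the two ASCII strings


def builtin_realm_would_match(username: str, password: str) -> bool:
    """The comparison Tomcat's digest attribute performs: stored value against a hex digest."""
    stored = USERS.get(username)
    return stored is not None and stored.lower() == sha256_hex(password)
```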