
Writing a custom tomcat realm using bcrypt

I'm working on a Java-based web app using Tomcat 7.0 as the application server. After the helpful responses to a prior question, I've decided to use bcrypt to securely store passwords in my HSQLDB. However, Tomcat's default Realm implementations can't handle bcrypt, so I need to write my own; that's the only reason I'm writing a custom realm, though, as in all other ways plain JDBCRealm would work. I've been googling and looking at examples and I'm rather confused on a couple of points.

First, should I extend RealmBase, or JDBCRealm? Most examples I found use RealmBase, but I've successfully been using JDBCRealm for the app up to this point (as it's still in development I started off with storing the passwords in plaintext and just using JDBCRealm to handle authentication), and one answer to a question on Code Ranch recommended just extending that. I'm not exactly sure which methods I'd need to override in that case, though. Just the authenticate method, or something more? If I did this, would JDBCRealm still be able to handle and manage user roles, getPrincipal, and all that?

Second, in the CodeRanch example linked above, unless I'm missing something, the getPassword method seems to be returning the unencrypted password. Since I'm going to be using bcrypt that won't be possible, and it seems kind of inadvisable anyway, I would think. In other examples, like on this blog post, getPassword seems to just return the password directly from the database. So which way is correct? I can't find what exactly getPassword is used for; the documentation doesn't say. Will it be OK to just return the encrypted value stored in the database for this?

If anybody can tell me what class I should extend, what methods I should override, and what getPassword should return, I would really appreciate it.

Maltiriel asked Oct 06 '22 17:10


1 Answer

Well after some trial and error I figured out how to do this. I extended JDBCRealm and only overrode the authenticate method and it works perfectly. I put BCrypt.java in the same directory as my custom realm, and this code is what worked:

import java.security.Principal;
import org.apache.catalina.realm.JDBCRealm;

// BCrypt is the jBCrypt class (BCrypt.java) placed in the same package as this realm,
// so no import is needed for it.
public class BCryptRealm extends JDBCRealm
{
  @Override
  public Principal authenticate(String username, String credentials)
  {
    // JDBCRealm.getPassword returns the credential column as stored, i.e. the bcrypt hash.
    String hashedPassword = getPassword(username);
    // Added this check after discovering checkpw generates a null pointer
    // error if the hashedPassword is null, which happens when the user doesn't
    // exist. I'm assuming returning null immediately would be bad practice as
    // it would let an attacker know which users do and don't exist, so I added
    // a call to hashpw. No idea if that completely solves the problem, so if
    // your application has more stringent security needs this should be
    // investigated further.
    if (hashedPassword == null)
    {
      BCrypt.hashpw("fakePassword", BCrypt.gensalt());
      return null;
    }
    if (BCrypt.checkpw(credentials, hashedPassword))
    {
      return getPrincipal(username);
    }
    return null;
  }
}
Maltiriel answered Oct 10 '22 02:10
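As an added example (not the answer's code), the same JDBCRealm subclass written with two extra safeguards the answer's comment asks about: the unknown-user path verifies against a hash computed once at startup, so it costs the same as a real check without a fresh gensalt() per request, and a stored value that is not a bcrypt hash (for instance a row left over from the plaintext phase) becomes a failed login instead of an unhandled exception. It assumes jBCrypt is on the classpath as org.mindrot.jbcrypt.BCrypt and Tomcat 7's JDBCRealm; WORK_FACTOR, DUMMY_HASH and hashForStorage are names chosen here, not Tomcat or jBCrypt API.

```java
import java.security.Principal;
import org.apache.catalina.realm.JDBCRealm;
import org.mindrot.jbcrypt.BCrypt;

public class BCryptRealm extends JDBCRealm {
    // Work factor assumed for this example (2^12 rounds); raise it as hardware allows.
    private static final int WORK_FACTOR = 12;

    // Computed once when the class loads. Verifying against it makes the
    // "user does not exist" path take as long as a real bcrypt comparison.
    private static final String DUMMY_HASH =
            BCrypt.hashpw("dummy-password", BCrypt.gensalt(WORK_FACTOR));

    /** Use this when creating or changing a user; store the result in the password column. */
    public static String hashForStorage(String plaintext) {
        return BCrypt.hashpw(plaintext, BCrypt.gensalt(WORK_FACTOR));
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        // JDBCRealm.getPassword returns the stored credential column unchanged,
        // which for this realm is the bcrypt hash, never a plaintext password.
        String stored = getPassword(username);
        boolean ok;
        try {
            if (stored == null) {
                // Unknown user: do the comparison work anyway, then reject.
                BCrypt.checkpw(credentials, DUMMY_HASH);
                ok = false;
            } else {
                ok = BCrypt.checkpw(credentials, stored);
            }
        } catch (IllegalArgumentException e) {
            // jBCrypt throws this when the stored value is not a valid bcrypt
            // hash (e.g. "Invalid salt version"). Log it and fail the login
            // rather than letting the exception surface as a server error.
            containerLog.warn("Stored credential for user '" + username
                    + "' is not a bcrypt hash; rejecting login");
            ok = false;
        }
        // Roles and the Principal object are still built by JDBCRealm.
        return ok ? getPrincipal(username) : null;
    }
}
```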