The CredentialHandler Component
Introduction
The CredentialHandler element represents the component used by a Realm to compare a provided credential such as a password with the version of the credential stored by the Realm. The CredentialHandler can also be used to generate a new stored version of a given credential that would be required, for example, when adding a new user to a Realm or when changing a user's password.
A CredentialHandler element MUST be nested inside a Realm component. If it is not included, a default CredentialHandler will be created using the MessageDigestCredentialHandler.
Attributes
Common Attributes
All implementations of CredentialHandler support the following attributes:
| Attribute | Description |
|---|---|
| className | Java class name of the implementation to use. This class must implement the |

Unlike most Catalina components, there are several standard CredentialHandler implementations available. As a result, if a CredentialHandler element is present then the className attribute MUST be used to select the implementation you wish to use.
MessageDigestCredentialHandler
The MessageDigestCredentialHandler is used when stored passwords are protected by a message digest. This credential handler supports the following forms of stored passwords:
- plainText - the plain text credentials if no algorithm is specified
- encodedCredential - a hex encoded digest of the password digested using the configured digest
- {MD5}encodedCredential - a Base64 encoded MD5 digest of the password
- {SHA}encodedCredential - a Base64 encoded SHA1 digest of the password
- {SSHA}encodedCredential - 20 character salt followed by the salted SHA1 digest Base64 encoded
- salt$iterationCount$encodedCredential - a hex encoded salt, an iteration count and a hex encoded credential, each separated by $
If the stored password form does not include an iteration count then an iteration count of 1 is used.
If the stored password form does not include salt then no salt is used.
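The salt$iterationCount$encodedCredential form above, worked through as an added Python example (not Tomcat's own code): it builds a new stored credential from the saltLength and iterations settings and then checks a supplied password against either that form or the bare encodedCredential form, applying the defaults of no salt and one iteration. It assumes, because the page does not say so, that the digest is computed over salt followed by the encoded password and that the bare result is re-digested for each further iteration; check this against the Tomcat version you run.

```python
import hashlib
import hmac
import os


def _java_to_hashlib(algorithm: str) -> str:
    # Java digest names such as "SHA-256" become hashlib names such as "sha256".
    return algorithm.replace("-", "").lower()


def mutate(password: str, salt: bytes, iterations: int,
           algorithm: str = "SHA-512", encoding: str = "UTF-8") -> str:
    """Hex digest of a clear-text password in the stored-credential form.

    Assumed combination: digest(salt || password), then re-digest the bare
    result iterations-1 more times. An empty salt means "no salt is used".
    """
    md = hashlib.new(_java_to_hashlib(algorithm))
    md.update(salt)
    md.update(password.encode(encoding))   # the "encoding" attribute
    result = md.digest()
    for _ in range(1, iterations):          # iterationCount 1 == single digest
        result = hashlib.new(_java_to_hashlib(algorithm), result).digest()
    return result.hex()


def create_stored(password: str, algorithm: str = "SHA-512", salt_length: int = 16,
                  iterations: int = 10000, encoding: str = "UTF-8") -> str:
    """Build a new salt$iterationCount$encodedCredential entry for a user."""
    salt = os.urandom(salt_length)          # random salt of "saltLength" bytes
    return f"{salt.hex()}${iterations}${mutate(password, salt, iterations, algorithm, encoding)}"


def matches(password: str, stored: str, algorithm: str = "SHA-512",
            encoding: str = "UTF-8") -> bool:
    """Compare a supplied password with a stored credential in either hex form."""
    parts = stored.split("$")
    if len(parts) == 3:
        try:
            salt, iterations = bytes.fromhex(parts[0]), int(parts[1])
        except ValueError:
            return False                    # malformed salt or count: never a match
        digest = parts[2]
    elif len(parts) == 1:
        salt, iterations, digest = b"", 1, parts[0]   # no salt, iteration count 1
    else:
        return False
    if iterations < 1:
        return False
    computed = mutate(password, salt, iterations, algorithm, encoding)
    # Constant-time comparison; the stored hex may be upper- or lower-case.
    return hmac.compare_digest(computed.encode(), digest.lower().encode())
```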
| Attribute | Description |
|---|---|
| algorithm | The name of the |
| encoding | Digesting the password requires that it is converted to bytes. This attribute determines the character encoding to use for conversions between characters and bytes. If not specified, UTF-8 will be used. |
| iterations | The number of iterations to use when creating a new stored credential from a clear text credential. |
| saltLength | The length of the randomly generated salt to use when creating a new stored credential from a clear text credential. |
NestedCredentialHandler
The NestedCredentialHandler is an implementation of CredentialHandler that delegates to one or more sub-CredentialHandlers.
Using the NestedCredentialHandler gives the developer the ability to combine multiple CredentialHandlers of the same or different types.
Sub-CredentialHandlers are defined by nesting CredentialHandler elements inside the CredentialHandler element that defines the NestedCredentialHandler. Credentials will be matched against each CredentialHandler in the order they are listed. A match against any CredentialHandler will be sufficient for the credentials to be considered matched.
SecretKeyCredentialHandler
The SecretKeyCredentialHandler is used when stored passwords are built using javax.crypto.SecretKeyFactory. This credential handler supports the following forms of stored passwords:
- salt$iterationCount$encodedCredential - a hex encoded salt, an iteration count and a hex encoded credential, each separated by $
If the stored password form does not include an iteration count then an iteration count of 1 is used.
If the stored password form does not include salt then no salt is used.
| Attribute | Description |
|---|---|
| algorithm | The name of the secret key algorithm used to encode user passwords stored in the database. If not specified, a default of |
| keyLength | The length of key to generate for the stored credential. If not specified, a default of |
| iterations | The number of iterations to use when creating a new stored credential from a clear text credential. |
| saltLength | The length of the randomly generated salt to use when creating a new stored credential from a clear text credential. |
Nested Components
If you are using the NestedCredentialHandler implementation, or a CredentialHandler that extends the NestedCredentialHandler, one or more <CredentialHandler> elements may be nested inside it.
Special Features
No special features are associated with a CredentialHandler element.