This page contains content that we have migrated from Jetty 7 or Jetty 8 documentation into the correct format, but we have not yet audited it for technical accuracy with Jetty 9. Be aware that examples or information contained on this page may be incorrect. Please check back soon as we continue improving the documentation, or submit corrections yourself to this page through Github. Thank you.
There are many places where you might want to use and store a password, for example for the SSL connectors and user passwords in realms.
Passwords can be stored in clear text, obfuscated, checksummed or encrypted in order of increasing security. The choice of method to secure a password depends on where you are using the password. In some cases such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method. The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only.
When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare results, making password authentication more secure.
The class org.eclipse.jetty.http.security.Password can be used to generate all varieties of passwords.
Run it without arguments to see usage instructions:
    $ export JETTY_VERSION=9.0.0-SNAPSHOT
    $ java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password
    Usage - java org.eclipse.jetty.util.security.Password [<user>] <password>
    If the password is ?, the user will be prompted for the password
For example, to generate a secured version of the password "blah" for the user "me", do:
    $ export JETTY_VERSION=9.0.0.RC0
    $ java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password me blah
    blah
    OBF:20771x1b206z
    MD5:639bae9ac6b3e1a84cebb7b403297b79
    CRYPT:me/ks90E221EY
You can now cut and paste whichever secure version you choose into your configuration file or Java code.
For example, the last line below shows how you would cut and paste the encrypted password generated above into the properties file for a LoginService:
    admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
    other: OBF:1xmk1w261u9r1w1c1xmq
    guest: guest,read-only
    me:CRYPT:me/ks90E221EY
Don't forget to also copy the OBF:, MD5: or CRYPT: prefix on the generated password. It will not be usable by Jetty without it.
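To check which storage method each entry in such a properties file actually uses, the following added example (not part of the Jetty documentation or code base) parses the sample above and reports users whose credential is stored as clear text or as reversible OBF. The function names, the min_rank threshold and the file name in the comment are assumptions made for this illustration.

```python
import re

# Credential prefixes named on this page, ranked in the page's own
# "order of increasing security" (clear text is lowest).
SCHEMES = {
    "OBF:":   (1, "obfuscated (reversible, hides from casual viewing only)"),
    "MD5:":   (2, "checksummed"),
    "CRYPT:": (3, "encrypted"),
}
CLEARTEXT = (0, "clear text")

# Constructed input: the LoginService sample shown above, plus a comment line.
SAMPLE = """\
# realm.properties (file name is an assumption)
admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
other: OBF:1xmk1w261u9r1w1c1xmq
guest: guest,read-only
me:CRYPT:me/ks90E221EY
"""

def classify(credential):
    """Return (rank, label) for one stored credential string."""
    for prefix, info in SCHEMES.items():
        if credential.startswith(prefix):
            return info
    return CLEARTEXT  # no recognised prefix: the value is the password itself

def audit(text, min_rank=2):
    """Parse 'user: credential[,role...]' lines; report entries below min_rank."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-style comment
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if not m:
            findings.append((lineno, None, "unparsed"))  # surface, do not skip
            continue
        user, value = m.groups()
        credential = value.split(",", 1)[0].strip()  # roles follow the first comma
        rank, label = classify(credential)
        if rank < min_rank:
            findings.append((lineno, user, label))
    return findings

if __name__ == "__main__":
    for lineno, user, label in audit(SAMPLE):
        print(f"line {lineno}: user {user!r} stored as {label}")
```
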