Martin,
Martin Dubuc wrote:
> I am not sure I buy your argument that because there is somewhere
> else in an implementation that is as insecure as cleartext password,
> then there is no point in fixing the cleartext password issue. With
> this argumen
Martin,
All encryption systems need a way to boot themselves. This either means
you store the password somewhere so the program can self-boot itself, or
you need user intervention, such as typing in the password (or inserting
a dongle or other security hardware device).
Once the system has
Chris,
I am not sure I buy your argument that because there is somewhere else
in an implementation that is as insecure as cleartext password, then
there is no point in fixing the cleartext password issue. With this
argument, we would never care about fixing any security holes, because
one can alw
Just to add to this discussion ...
First, let me say I don't think encrypting the password would in any way
add significantly to tomcat's security or the security of the database.
What I'm offering is just a possibility from a purely academic
standpoint. Two solutions that can be taken separ
Martin,
Martin Dubuc wrote:
> But it strikes me that Tomcat
> is the only application I know where passwords are stored in clear
> text.
I'll bet that Tomcat is the only application that needs to know its own
passwords. Do you have Apache running wit
Richard,
Richard DeGrande wrote:
> The ability to store encrypted passwords doesn't necessarily have to
> be used to protect the system from hackers. This would be a GREAT
> feature to enforce the responsibilities between different roles in a
> devel
ed in JNDI datasource.
Not an easy solution but can be achieved :)
Regards
Guru
-Original Message-
From: Darren [mailto:[EMAIL PROTECTED]
Sent: 01 May 2007 16:10
To: Tomcat Users List
Subject: Re: Encrypting passwords in the connection pool setup
> Why wouldn't
Why wouldn't we at least store the MD5 hash of the passwords
instead of the password in clear text, or use a scheme similar to the
Unix /etc/passwd file?
You've not thought this through. Tomcat needs to decrypt or somehow
have the credentials in cleartext so it can pass them to the database
Mark, I've heard that argument before, and it has never made sense to
me. If an attacker has read access to one box, that box had better not
have passwords for all the other servers in plain text files!
Security isn't all-or-nothing. There are levels of security, and you
want to get as much secur
Mark,
I also don't feel quite at ease to see passwords in clear text in the
server.xml file. True, if the protection on that file is set up
properly, there shouldn't be much issue. But it strikes me that Tomcat
is the only application I know where passwords are stored in clear
text. Why wouldn't
Mark,
The ability to store encrypted passwords doesn't necessarily have to be used to
protect the system from hackers. This would be a GREAT feature to enforce the
responsibilities between different roles in a development environment. Also,
the encryption doesn't have to be foolproof, it ju
I commented on this in the following article - http://www.owasp.org/index.php/Securing_tomcat#Cleartext_Passwords_in_CATALINA_HOME.2Fconf.2Fserver.xml
In short, no.
There was also some further discussion on one of the OWASP list
recently - https://lists.owasp.org/pipermail/java-project/200
Kelly J Flowers wrote:
> I'm using Tomcat 5.5 to run a web application. I have the connection pools
> set up and working in the context.xml but the password is in plain text.
> Does anyone know of a way to encrypt the password and username to the
> database?
This is nearly always pointless. A cou
I'm using Tomcat 5.5 to run a web application. I have the connection pools
set up and working in the context.xml but the password is in plain text.
Does anyone know of a way to encrypt the password and username to the
database?