Is there any way for associating unix user "manager" to tomcat's manager
roles and have encrypted password?

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 26, 2005 2:14 AM
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Subject: RE: Securing Manager Role


This is not supported because there is simply no point.

If someone can read the tomcat-users.xml file then they almost certainly own
the server and you have bigger problems than someone having access to the
manager app.

Consider if the password was encrypted, where is the decryption key stored?
There is no point putting it in the Tomcat code since it is open source (and
even if it wasn't it would still be bad security). You could put it in a
separate file, but if an attacker can read tomcat-users.xml, there is no
reason to suppose they won't be able to read the file with the key.

Mark

> -----Original Message-----
> From: Nehal Sangoi [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 24, 2005 10:05 AM
> To: 'Tomcat Users List'
> Subject: Securing Manager Role
>
>
> Hi,
>
> How can I encrypt the manager user's password in the
> tomcat-users.xml file? I need to keep the manager-deployer
> thing secured in my environment.
>
> Thanks & Regards,
> Nehal
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

