On 20/11/2013 16:23, James H. H. Lampert wrote:
> 2013/11/20  <williamissey...@tsys.com>:
>>> Is there any way to not have the password visible in the realm for
>>> example for active directory realm?
> . . .
> On 11/20/13 12:36 AM, Konstantin Kolinko wrote:
>> https://wiki.apache.org/tomcat/FAQ/Password
> 
> Harrumph. It occurs to me that if Tomcat stored passwords the way OS/400
> does (i.e., as a one-way hash), it would solve a multitude of problems.

I suggest you read the original post again more carefully. These are not
user passwords that Tomcat needs to validate (Tomcat has supported
hashes for that for as long as I remember). This is a password Tomcat
needs to use to connect to an external service. As the FAQ makes clear,
storing these passwords in plain text is no less secure than any of the
various "encryption" solutions that folks periodically propose.

Mark
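
The distinction drawn in the reply above, as an added example that is not part of the original message and not Tomcat code: a one-way hash suffices for passwords a server only verifies, while a password the server must present to an external service has to be recoverable by it. The `Directory` class, account name, password and toy keystream cipher are all constructed for illustration.

```python
import hashlib, hmac, os

ITER = 100_000  # PBKDF2 iteration count chosen for this example

def one_way(password: str, salt: bytes) -> bytes:
    """Salted one-way hash: enough for a password the server only verifies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

class Directory:
    """Constructed stand-in for the external service (e.g. an LDAP simple bind)."""
    def __init__(self, account: str, password: str):
        self.salt = os.urandom(16)
        self.account = account
        self.stored = one_way(password, self.salt)  # the verifier keeps only a hash

    def bind(self, account: str, presented: str) -> bool:
        # The service hashes whatever the client presents and compares.
        ok = hmac.compare_digest(one_way(presented, self.salt), self.stored)
        return account == self.account and ok

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy reversible 'encryption' (SHA-256 counter keystream); illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def demo() -> dict:
    secret = "s3rvice-Acct-Pw"  # constructed sample value
    directory = Directory("svc-tomcat", secret)
    # Case 1: the client keeps only a hash of its connection password.
    client_hash = one_way(secret, directory.salt).hex()
    hash_bind = directory.bind("svc-tomcat", client_hash)
    # Case 2: the client keeps the password "encrypted", plus the key it
    # needs to decrypt it at startup with no operator present.
    key = os.urandom(32)
    config_value = keystream_xor(secret.encode(), key)
    # Anyone who can read both the config and the key repeats the decryption.
    recovered = keystream_xor(config_value, key).decode()
    return {
        "bind_with_hash": hash_bind,
        "bind_with_recovered": directory.bind("svc-tomcat", recovered),
        "config_differs_from_password": config_value != secret.encode(),
        "reader_recovers_password": recovered == secret,
    }

if __name__ == "__main__":
    print(demo())
```

The bind succeeds only with the recovered cleartext, so whatever the server can read in order to connect, a reader of the same files can read too.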

