Chris [SNIP: Chris Schultz and Greg Dougherty]
> >>> The web app needs a DB password so it can connect to the DB.
> >>
> >> I disagree that the web app needs a password.
> >
> > The web app has to be able to read and write to the DB. That takes a
> > password.
>
> I agree with Leo: your application only needs a javax.sql.DataSource.
> That can be pre-seeded with a password to make connections. The web
> application itself doesn't need to have any authentication information in it,
> unless you want to be able to make new connections with different credentials.
>
> My web applications have nary a username or password to access their
> databases, and yet connections to SQL DataSources work perfectly fine.
> Multiple dev and test environments, demo, and production. Same code base.
> Same revision-control system. No passwords.

Sorry, I'm confused. Are you saying that your database does not require password authentication? Or are you saying that while your DB does require password authentication, the applications do not access those passwords because you rely on a data source that provides the password to the DB? Is the data source an intermediary that does the authentication?

I'm still struggling conceptually with the "security requirement" of having encrypted passwords, as opposed to clear-text passwords, stored in config files on the Tomcat server. "It's turtles (passwords) all the way down!" Or is that a different issue?

[SNIP AGAIN]

--
Cris Berneburg, Lead Software Engineer, CACI
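The arrangement described in the quoted reply, shown as an added example that is not part of the original thread or any poster's code: the application looks up a container-managed `javax.sql.DataSource` over JNDI, and the credentials sit in Tomcat's own configuration. The resource name `jdbc/AppDB`, the driver, the URL, the account and the class name `AppDatabase` are hypothetical placeholders, and the code assumes it runs inside Tomcat.

```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/*
 * Container side (Tomcat), kept outside the WAR and outside revision control,
 * e.g. in conf/context.xml. All values are hypothetical placeholders:
 *
 *   <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
 *             driverClassName="org.postgresql.Driver"
 *             url="jdbc:postgresql://db.example.internal:5432/appdb"
 *             username="app_user" password="PLACEHOLDER_PASSWORD"/>
 *
 * The database still requires password authentication; Tomcat's connection
 * pool presents the credentials, so they live in the server's config file.
 */
public class AppDatabase {
    // Hypothetical JNDI name; must match the Resource name above.
    private static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";

    private final DataSource dataSource;

    public AppDatabase() throws NamingException {
        // The application asks the container for a ready-made DataSource.
        this.dataSource = (DataSource) new InitialContext().lookup(JNDI_NAME);
    }

    /** Borrows a pooled connection; no username or password appears in app code. */
    public String describeConnection() throws SQLException {
        try (Connection conn = dataSource.getConnection()) {
            if (!conn.isValid(2)) {          // 2-second liveness check
                throw new SQLException("pooled connection is not valid");
            }
            // The DB account is visible through metadata, the password is not.
            return "connected as " + conn.getMetaData().getUserName();
        }
    }
}
```

Each environment (dev, test, demo, production) supplies its own `<Resource>` entry under the same name, so the same WAR deploys everywhere unchanged.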