Chris,

On 2/12/16, 7:35 PM, "Leo Donahue" <donahu...@gmail.com> wrote:


>On Fri, Feb 12, 2016 at 5:46 PM, Dougherty, Gregory T., M.S. <
>dougherty.greg...@mayo.edu> wrote:
>
>> Chris,
>>
>>
>> On 2/12/16, 5:27 PM, "Christopher Schultz"
>><ch...@christopherschultz.net>
>> wrote:
>>
>> >Gregory,
>> >
>> >On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
>> >> On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote:
>> >>
>> >>
>> >>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>> >>> dougherty.greg...@mayo.edu> wrote:
>> >> My definition of "secure" includes "there exist no files with an
>> >> unencrypted copy of the password".
>> >
>> >Do you mean "no files at all" or "no files in revision-control"?
>> >Again, you have to decide whether you trust your administrators.
>>
>> No files at all.
>>
>
>Not even encrypted files?

Who is encrypting the file?  Where is the code key for the encryption
stored?  How does my app get access to the encryption key?  Who is
creating the encrypted file?

>You need to write something that generates long passwords, because you
>don't need to remember them, and writes them to the encrypted file.  All
>you need to do is regenerate them whenever you want.  If you are saying
>that you need to choose your own password because it is used elsewhere,
>then you are stuck again.

1: I need to be able to use the password elsewhere
2: The process for changing the password to connect to the DB is not
automated.  So I can’t have some automated task changing it every day.

>> >Why would you check the data source configuration into the
>> >revision-control system? It's not necessary to do that. Do you check
>> >Tomcat's server.xml into revision control?
>>
>> Are you going to have your data source configuration sitting on only one
>> user’s personal computer?  What happens when that person is on vacation?
>> Sick?  Has a hard drive crash?
>>
>
>I don't understand why that would be the case that you store this data
>source configuration on anyone's personal computer.  Are you saying that
>Mayo Clinic IT lets developers run production apps from Tomcats on their
>personal computers?

No, I’m saying that a file on the server is out of my reach, out of my
control, and therefore out of my consideration.

Greg
