Mark,

I also don't feel quite at ease to see passwords in clear text in the server.xml file. True, if the protection on that file is set up properly, there shouldn't be much issue. But it strikes me that Tomcat is the only application I know where passwords are stored in clear text. Why wouldn't we at least store the MD5 hash of the passwords instead of the password in clear text, or use a scheme similar to the Unix /etc/passwd file? I do agree with Richard that there is more to it than protecting from hackers. Enforcing the responsibilities between different roles is also very important.

Martin

On 5/1/07, Richard DeGrande <[EMAIL PROTECTED]> wrote:
Mark,

The ability to store encrypted passwords doesn't necessarily have to be used to protect the system from hackers. This would be a GREAT feature to enforce the responsibilities between different roles in a development environment. Also, the encryption doesn't have to be foolproof, it just needs to be a deterrent. For the most part it is the people with shell access that I want to remove the ability to read the passwords from. Sometimes security through obscurity is enough.

>>> Mark Thomas <[EMAIL PROTECTED]> 4/30/2007 5:30 PM >>>
Kelly J Flowers wrote:
> I'm using Tomcat 5.5 to run a web application. I have the connection pools
> set up and working in the context.xml but the password is in plain text.
> Does anyone know of a way to encrypt the password and username to the
> database?

This is nearly always pointless. A couple of points to consider:

1. If the password is encrypted, where do you store the decryption key?
2. If an attacker can read the context.xml file they probably have shell access to your box. In this case you have bigger problems.

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
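Both Martin and Mark end up at the same practical control: the clear-text credentials in server.xml and context.xml are only as safe as the file permissions on them. The following audit function is an added example (not from this thread or from the Tomcat project) that flags any of those files which contains a password attribute and is readable by group or other; it assumes the Tomcat conf directory is passed as its only argument.

```shell
# Audit Tomcat config files that carry credentials for loose permissions.
# Returns 0 when every file holding a password is owner-only, 1 otherwise.
# Assumption: $1 is the Tomcat conf directory (e.g. $CATALINA_HOME/conf).
check_conf_perms() {
  dir="$1"
  rc=0
  for f in "$dir"/server.xml "$dir"/context.xml "$dir"/tomcat-users.xml; do
    [ -f "$f" ] || continue
    # Only files that actually embed a credential matter for this check.
    grep -qi 'password=' "$f" || continue
    # GNU stat prints octal mode (e.g. 644); BSD/macOS stat needs -f %Lp.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
      *00) ;;  # group and other have no bits set: acceptable
      *) echo "WARN: $f contains a password but mode $mode grants group/other access"
         rc=1 ;;
    esac
  done
  return $rc
}
```

Run it as `check_conf_perms /path/to/tomcat/conf`; a non-zero exit means at least one credential-bearing file is exposed to users other than its owner.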