Mark, I've heard that argument before, and it has never made sense to me. If an attacker has read access to one box, that box had better not have passwords for all the other servers in plain text files!
Security isn't all-or-nothing. There are levels of security, and you want to get as much security as you reasonably can. Encrypting passwords or hiding them in compiled code certainly raises the bar for someone trying to access something they shouldn't - instead of just reading the password, they'd have to hack the program or break the encryption. Most people don't have the skill to do that. Not all security breaches are caused by genius hackers who know every security hole in every OS. You also have to consider people such as the company insider who searches the network for credit card records he can sell. To put it another way, why do you bother locking the front door of your house? It's completely insecure compared to a bank vault, so why worry about security at all?

--
Len

On 4/30/07, Mark Thomas <[EMAIL PROTECTED]> wrote:
> Kelly J Flowers wrote:
> > I'm using Tomcat 5.5 to run a web application. I have the connection pools
> > set up and working in the context.xml but the password is in plain text.
> > Does anyone know of a way to encrypt the password and username to the
> > database?
>
> This is nearly always pointless. A couple of points to consider:
>
> 1. If the password is encrypted, where do you store the decryption key?
> 2. If an attacker can read the context.xml file they probably have shell
> access to your box. In this case you have bigger problems.
>
> Mark
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
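An added check in the spirit of Mark's second point, not code from either poster: it scans a constructed sample context.xml for Resource password attributes and reports whether the file is readable by other local accounts, since filesystem permissions on conf/context.xml, rather than obfuscating the value, are what keep that secret from anyone with read access to the box. The temp-file path and the sample Resource element are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample (assumption): a minimal Tomcat 5.5 context.xml with a
# pooled DataSource whose password sits in plain text, written to a temp path.
CONTEXT_XML="${TMPDIR:-/tmp}/context.xml.example"
cat > "$CONTEXT_XML" <<'EOF'
<Context>
  <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.example.internal:3306/app"
            username="app" password="example-only-not-real"
            maxActive="20" maxIdle="10"/>
</Context>
EOF
chmod 644 "$CONTEXT_XML"   # the default most editors and packagers leave behind

# count_plaintext_passwords FILE: number of non-empty password="..." attributes
count_plaintext_passwords() {
    grep -o 'password="[^"]\{1,\}"' "$1" | wc -l | tr -d ' '
}

# is_readable_by_others FILE: succeeds when group or other has the read bit
is_readable_by_others() {
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw-r--r--
    case "$perms" in
        ????r*|???????r*) return 0 ;;   # group read (pos 5) or other read (pos 8)
        *) return 1 ;;
    esac
}

# audit_context_xml FILE: prints NONE (no passwords), UNSAFE (passwords and
# the file is readable beyond its owner) or OK (passwords, owner-only read)
audit_context_xml() {
    n=$(count_plaintext_passwords "$1")
    if [ "$n" -eq 0 ]; then
        echo NONE
    elif is_readable_by_others "$1"; then
        echo UNSAFE
    else
        echo OK
    fi
}

echo "before chmod 600: $(audit_context_xml "$CONTEXT_XML")"
chmod 600 "$CONTEXT_XML"   # the cheap fix: only the Tomcat user can read it
echo "after chmod 600:  $(audit_context_xml "$CONTEXT_XML")"
```

Run it against the real conf/context.xml as the account Tomcat runs under to see whether the plaintext credential is exposed to anything beyond that account.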