> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?
You've not thought this through. Tomcat needs to decrypt or somehow
have the credentials in cleartext so it can pass them to the database
to establish a connection (MD5 is one way). If it were possible to
create the connection with an encrypted password, it would be just as
sensitive as the unencrypted version.
> Also, the encryption doesn't have to be foolproof, it just needs
> to be a deterrent. For the most part it is the people with shell
> access that I want to remove the ability to read the passwords
> from. Sometimes security through obscurity is enough.
How would this work? Something like
<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource"
          driverClassName="com.mysql.jdbc.Driver"
          username="user" obfuscated="true" password="sh7dhkaDaS"
          url="jdbc:mysql://localhost:3306/appraisal?autoReconnect=true" />
If so, how do you propose to generate the obfuscated password? Maybe
a utility app that ships with the tomcat distribution? If so, a
de-obfuscator would appear somewhere on the internet in a very short
space of time.
Don't get me wrong, I'd like to see something done which could
improve on the current cleartext situation, but I can't think of a
sensible solution that would warrant a developer's time.
Darren
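As an added illustration of the point made in this reply (this is example code written for this page, not from the original thread and not Tomcat's own code): the container has to hand the JDBC driver a cleartext password, so any reversible obfuscation whose key ships with the distribution can be undone by anyone holding the same code, while a one-way hash such as MD5 leaves nothing usable to pass to the database. The XOR-plus-base64 scheme, the `OBFUSCATION_KEY`, the `obfuscated="true"` attribute handling and the sample password are all assumptions constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Assumption: a key that would have to ship with the distribution so the
# container can reverse the obfuscation. Anyone with the jar has it too.
OBFUSCATION_KEY = b"tomcat-example-key"


def _xor_with_key(data: bytes) -> bytes:
    # XOR each byte against the repeating key; applying it twice restores the input.
    return bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)] for i, b in enumerate(data))


def obfuscate(password: str) -> str:
    """Constructed 'utility app' output: reversible, so it is a deterrent at best."""
    return base64.b64encode(_xor_with_key(password.encode("utf-8"))).decode("ascii")


def deobfuscate(token: str) -> str:
    """What a 'de-obfuscator' needs: nothing beyond the same shipped key."""
    return _xor_with_key(base64.b64decode(token)).decode("utf-8")


def md5_digest(password: str) -> str:
    """One-way: the digest cannot be turned back into a password for the driver."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def credential_for_connection(resource_xml: str) -> str:
    """Return the value the container must pass to the database: always cleartext.

    An obfuscated attribute is reversed first; a hashed value would be unusable
    here, which is why the container cannot store only a hash.
    """
    elem = ET.fromstring(resource_xml)
    password = elem.get("password")
    if password is None:
        raise ValueError("Resource element carries no password attribute")
    if elem.get("obfuscated") == "true":
        return deobfuscate(password)
    return password


# Constructed sample: the Resource element from the post, with the obfuscated form
# of an example password substituted for "sh7dhkaDaS".
SAMPLE_PASSWORD = "s3cret"
OBFUSCATED_RESOURCE = (
    '<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource" '
    'driverClassName="com.mysql.jdbc.Driver" '
    f'username="user" obfuscated="true" password="{obfuscate(SAMPLE_PASSWORD)}" '
    'url="jdbc:mysql://localhost:3306/appraisal?autoReconnect=true" />'
)
CLEARTEXT_RESOURCE = (
    '<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource" '
    'driverClassName="com.mysql.jdbc.Driver" '
    f'username="user" password="{SAMPLE_PASSWORD}" '
    'url="jdbc:mysql://localhost:3306/appraisal?autoReconnect=true" />'
)


if __name__ == "__main__":
    # Both configurations yield the same cleartext to the driver, so both are
    # equally sensitive to anyone who can read the file and the shipped key.
    print("cleartext config  ->", credential_for_connection(CLEARTEXT_RESOURCE))
    print("obfuscated config ->", credential_for_connection(OBFUSCATED_RESOURCE))
    # The MD5 digest, by contrast, is not something the driver can authenticate with.
    print("md5 digest        ->", md5_digest(SAMPLE_PASSWORD))
```

Running the script shows that the obfuscated and cleartext configurations both resolve to the same credential, which is the reply's argument in miniature: if the container can reverse it, so can the shell user it was meant to deter.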
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]