-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin,
Martin Dubuc wrote: > But it strikes me that Tomcat > is the only application I know where passwords are stored in clear > text. I'll bet that Tomcat is the only application that needs to know its own passwords. Do you have Apache running with SSL? Where do you store the password for the SSL key? I'll bet that you have a password-less key, which is just about the same as a cleartext password lying around. > Why wouldn't we at least store the MD5 hash of the passwords > instead of the password in clear text, or use a scheme similar to the > Unix /etc/passwd file? Because UNIX password files are used to authenticate a user typing their password. In this analogy, Tomcat isn't UNIX, Tomcat is /the user/. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGN2H+9CaO5/Lv0PARAqqrAKDAc7F2rge4Xl0UaND7rhGicN3DYQCdEi4V c9p5LvXt+HudZAMm/98Y3b4= =FqMz -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]