-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin,

Martin Dubuc wrote:
> But it strikes me that Tomcat
> is the only application I know where passwords are stored in clear
> text.

I'll bet that Tomcat is the only application that needs to know its own
passwords. Do you have Apache running with SSL? Where do you store the
password for the SSL key? I'll bet that you have a password-less key,
which is just about the same as a cleartext password lying around.

> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?

Because UNIX password files are used to authenticate a user typing their
password. In this analogy, Tomcat isn't UNIX, Tomcat is /the user/.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGN2H+9CaO5/Lv0PARAqqrAKDAc7F2rge4Xl0UaND7rhGicN3DYQCdEi4V
c9p5LvXt+HudZAMm/98Y3b4=
=FqMz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to