How about hashing the passwords with a known formula and storing them in this intermediate format? The app would need to hash the user input and compare. This might give your security czars a warmer feeling and get them off your back.

-Kevin

On 5/13/08, Milanez, Marcus <[EMAIL PROTECTED]> wrote:
> Filip, thanks for your reply.
>
> >> 1. make sure tomcat runs as an account that can't login
> Right, that is done.
>
> >> 2. make any file that contains secure information readonly, and readable
> >> only by the tomcat user
> Done too.
>
> >> if someone gets onto your machine as a super user, you have a bigger
> >> problem than the password being in clear text
>
> That is the answer everyone gives in Tomcat forums all over the internet, so
> it seems to me that no possible solution is available. On the other hand, is
> it right to stay behind a possible security fault (a malicious super user
> performing login) in order to say I'll not correct known security issues in
> my application? The thing is, I'm not responsible for the servers, but the
> ones who are keep arguing that this is a critical security problem. Are
> they seeing a big problem in a small one?
>
> Thanks a lot!
>
> Marcus
>
> -----Original Message-----
> From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 13, 2008 12:37
> To: Tomcat Users List
> Subject: Re: Once again, clear text passwords in context.xml files
>
> It's a wasted effort. The one way it could be truly secure was if Tomcat
> asked you for a key upon startup; this wouldn't work very well in a
> 1000-Tomcat-instance server farm.
>
> Any other effort simply masks the problem, letting you think it is secure
> when it isn't.
>
> What you should do is this:
> 1. make sure tomcat runs as an account that can't login
> 2. make any file that contains secure information readonly, and readable
>    only by the tomcat user
>
> If someone gets onto your machine as a super user, you have a bigger problem
> than the password being in clear text.
>
> Filip
>
> Milanez, Marcus wrote:
> > Hello everyone,
> >
> > We were asked to eliminate clear text passwords associated with database
> > pooled connections in context.xml files... I know it has been
> > discussed a lot, but I would like to ask once again whether someone
> > has a simple, clean solution for that. We are using Windows Server and MS
> > SQL 2005.
> > One of the options I came across is to use Windows Integrated
> > authentication instead of database users. Are there any other ideas to
> > overcome this situation?
> >
> > Thanks a lot,
> >
> > Marcus Milanez
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]

--
-Kevin
---------
If you forward this e-mail to someone else, please remove my e-mail address to help me prevent spam. Thanks!
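Filip's two hardening steps (a service account that cannot log in, and a credential-bearing file readable only by that account) are easy to state and easy to drift away from on a large server farm, so here is a small POSIX shell check for them. This is an added example, not code from the thread or from Tomcat: it assumes the service account is called `tomcat`, that a non-login account is one whose shell is `/sbin/nologin`, `/usr/sbin/nologin` or `/bin/false`, and it runs against constructed sample files in a temporary directory (`locked.xml`, `loose.xml`, and a two-line passwd-style file) rather than a real install. Marcus's servers are Windows, where the same two controls are an NTFS ACL that grants Read only to the service account and a service account denied the "Log on locally" right; the script shows the Unix form of the check.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat.
# Assumptions: service account "tomcat"; non-login shells as listed in
# account_cannot_login; sample files are constructed by make_samples.

# Returns 0 if FILE is owned by USER and has no read bit for group or others
# (Filip's step 2). Parses `ls -ld`, which is portable across GNU and BSD.
secret_file_is_locked_down() {
    file=$1; user=$2
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")          # e.g. "-rw------- 1 tomcat tomcat 97 ..."
    perms=$1; owner=$3
    [ "$owner" = "$user" ] || return 1
    group_r=$(printf '%s' "$perms" | cut -c5)   # 5th char: group read bit
    other_r=$(printf '%s' "$perms" | cut -c8)   # 8th char: other read bit
    [ "$group_r" = "-" ] && [ "$other_r" = "-" ]
}

# Returns 0 if USER's login shell in PASSWD_FILE is a non-login shell
# (Filip's step 1). An unknown user yields an empty shell and returns 1.
account_cannot_login() {
    passwd_file=$1; user=$2
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Builds constructed sample input in a temp dir and prints the dir name:
# a context.xml with a clear-text DB password saved twice (0600 and 0644)
# and a passwd-style file where only "tomcat" has a non-login shell.
make_samples() {
    dir=$(mktemp -d)
    printf '<Context>\n  <Resource name="jdbc/app" username="app" password="s3cret"/>\n</Context>\n' \
        > "$dir/locked.xml"
    cp "$dir/locked.xml" "$dir/loose.xml"
    chmod 600 "$dir/locked.xml"
    chmod 644 "$dir/loose.xml"
    printf 'tomcat:x:1001:1001:Tomcat service:/opt/tomcat:/sbin/nologin\n' >  "$dir/passwd"
    printf 'alice:x:1002:1002:Alice:/home/alice:/bin/bash\n'              >> "$dir/passwd"
    printf '%s\n' "$dir"
}

# Stand-alone demo: the files are owned by whoever runs this, so that user
# stands in for "tomcat" in the ownership check.
run_demo() {
    d=$(make_samples)
    me=$(id -un)
    for f in locked.xml loose.xml; do
        if secret_file_is_locked_down "$d/$f" "$me"; then
            echo "OK    $f is readable only by $me"
        else
            echo "WEAK  $f is readable by group/others or not owned by $me"
        fi
    done
    for u in tomcat alice; do
        if account_cannot_login "$d/passwd" "$u"; then
            echo "OK    $u cannot log in"
        else
            echo "WEAK  $u has a login shell"
        fi
    done
    rm -rf "$d"
}

run_demo
```

On a real install, point `secret_file_is_locked_down` at every file that carries the credential (`conf/context.xml`, any per-application context file, and `server.xml` if the Resource is defined there) with the actual service account name, and pass `/etc/passwd` to `account_cannot_login`. The check does not make the password any less clear-text, which is Filip's point; it only confirms that the two controls that bound who can read it are in place.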