Hi Kevin,

Thanks a lot for your answer, but there is no user input. The password is for database access purposes and is stored in the context.xml file...

It seems to me there is no solution at all for this issue, unless we believe server access is safe...

Thank you!

Marcus

-----Original message-----
From: Kevin Williams [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 13 May 2008 14:36
To: Tomcat Users List
Subject: Re: Once again, clear text passwords in context.xml files

How about hashing the passwords with a known formula and storing them in this intermediate format. App would need to hash the user input and compare. This might give ur security czars a warmer feeling and get them off ur back.

-Kevin

On 5/13/08, Milanez, Marcus <[EMAIL PROTECTED]> wrote:
> Filip, thanks for your reply,
>
> >> 1. make sure tomcat runs as an account that can't login
> Right, that is done
>
> >> 2. make any file that contains secure information readonly, and readable only by the tomcat user
> Done too
>
> >> if someone gets onto your machine as a super user, you have a bigger problem than the password being in clear text
>
> That is the answer everyone gives in tomcat forums all over the internet, so it seems to me that no possible solution is available. On the other hand, is it right to stay behind a possible security fault (malicious super user performing login) in order to say I'll not correct known security issues in my application? The thing is I'm not responsible for the servers, but the ones who are keep arguing that this is a critical security problem. Are they seeing a big problem in a small one?
>
> Thanks a lot!
>
> Marcus
>
> -----Original message-----
> From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 13 May 2008 12:37
> To: Tomcat Users List
> Subject: Re: Once again, clear text passwords in context.xml files
>
> it's a wasted effort, the one way it could be truly secure, was if tomcat asked you for a key upon startup. this wouldn't work very well in a 1000 tomcat instance server farm.
>
> any other effort simply masks the problem, letting you think it is secure, when it isn't.
>
> what you should do is this
> 1. make sure tomcat runs as an account that can't login
> 2. make any file that contains secure information readonly, and readable only by the tomcat user
>
> if someone gets onto your machine as a super user, you have a bigger problem than the password being in clear text
>
> Filip
>
> Milanez, Marcus wrote:
> > Hello everyone,
> >
> > We were asked to eliminate clear text passwords associated with database pooled connections in context.xml files... I know it has been discussed a lot, but I would like to ask once again whether someone has a simple, clean solution for that. We are using Windows server and MS SQL 2005. One of the options I came across is to use Windows Integrated authentication instead of database users. Are there any other ideas to overcome this situation?
> >
> > Thanks a lot,
> >
> > Marcus Milanez
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]

--
-Kevin
---------
If you forward this e-mail to someone else, please remove my e-mail address to help me prevent spam. Thanks!
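Filip's two hardening steps are something a deployer can verify rather than take on faith. The following added example (not from the thread, and not Tomcat's own code) parses a context.xml for Resource elements carrying a plaintext password attribute and, on a POSIX filesystem, reports any mode bits that make the file writable or readable beyond its owner; the sample context.xml, its hostnames and the placeholder password are constructed, and Windows ACLs (the platform in the thread) are not inspected.

```python
"""Audit a Tomcat context.xml for plaintext pool passwords and loose file modes."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

POSIX = os.name == "posix"

# Constructed sample, not taken from the thread: one DataSource with an inline
# password (Marcus's situation) and one relying on integrated security instead.
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
            url="jdbc:sqlserver://db.example.test:1433;databaseName=app"
            username="app_user" password="PLACEHOLDER-not-a-real-secret"/>
  <Resource name="jdbc/Reports" auth="Container" type="javax.sql.DataSource"
            url="jdbc:sqlserver://db.example.test:1433;databaseName=reports;integratedSecurity=true"/>
</Context>
"""

def find_plaintext_passwords(xml_text):
    """Names of <Resource> elements whose password attribute is non-empty."""
    root = ET.fromstring(xml_text)
    return [r.get("name", "?") for r in root.iter("Resource") if r.get("password")]

def loose_permission_bits(path):
    """Mode bits beyond owner-read-only (owner write, any group/other access),
    i.e. what Filip's step 2 forbids. POSIX only; Windows ACLs are not inspected."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IWUSR | stat.S_IRWXG | stat.S_IRWXO)

def write_sample(mode):
    """Write the constructed sample to a temp file with the given mode; return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
        tmp.write(SAMPLE_CONTEXT_XML)
    os.chmod(tmp.name, mode)
    return tmp.name

def audit(path):
    """Return human-readable findings for one context.xml."""
    with open(path, encoding="utf-8") as f:
        findings = [f"plaintext password in Resource {n}" for n in find_plaintext_passwords(f.read())]
    loose = loose_permission_bits(path)
    if POSIX and loose:
        findings.append(f"file mode grants more than owner read: extra bits {loose:04o}")
    return findings

if __name__ == "__main__":
    for line in audit(write_sample(0o644)):  # a typical default mode, before hardening
        print(line)
```

Run against a real `conf/context.xml` or a per-application `META-INF/context.xml`, the plaintext finding will remain for any pooled DataSource that authenticates with a database user, which is exactly the residual risk the thread is arguing about.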