On 27/08/2010 14:02, Wesley Acheson wrote:
> I've been giving this whole issue a lot of thought. And not just now,
> for months now. I was wondering if the following was possible in
> theory: when Tomcat is started up it prompts for the password?
> Wouldn't that help with the whole smoke and mirrors situation?
Not really. Nothing stops an attacker replacing a standard Tomcat jar with a modified one that just spits the password straight back out on the next restart. And if the attacker can trigger a heap dump or read the process memory some other way, they don't even need that.

You still end up relying on operating system security, which in the end is no different to just setting the permissions on the server.xml.

Mark
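The two file-system conditions Mark's argument comes down to (only the service account can read conf/server.xml, and the service account cannot replace anything in lib/) can be checked directly. The script below is an added example, not code from the thread or from Tomcat; the CATALINA_HOME path and service user name are assumed arguments, and it relies only on `ls`, `cut` and `awk` so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat install for the two
# file-permission conditions the reply above rests on.
#   1. conf/server.xml should be readable only by the service account,
#      since that is the file holding the password.
#   2. lib/*.jar should not be writable by the service account, since a
#      jar the runtime user can replace can print the password on restart.
# Usage: audit_tomcat_perms CATALINA_HOME SERVICE_USER
# Prints one line per finding; the return value is the number of findings.

mode_of()  { ls -ld "$1" | cut -c1-10; }          # e.g. -rw-r-----
owner_of() { ls -ld "$1" | awk '{print $3}'; }    # owning user name

audit_tomcat_perms() {
    home=$1; svc=$2; findings=0
    cfg="$home/conf/server.xml"

    if [ ! -f "$cfg" ]; then
        echo "MISSING $cfg"; findings=$((findings + 1))
    else
        m=$(mode_of "$cfg")
        # characters 5-10 of the mode string are the group and other bits
        case "$(printf %s "$m" | cut -c5-10)" in
            *r*) echo "READABLE $cfg ($m)"; findings=$((findings + 1));;
        esac
        [ "$(owner_of "$cfg")" = "$svc" ] || {
            echo "OWNER $cfg is $(owner_of "$cfg"), expected $svc"
            findings=$((findings + 1)); }
    fi

    for jar in "$home"/lib/*.jar; do
        [ -e "$jar" ] || continue
        m=$(mode_of "$jar")
        # The service account can overwrite the jar if it owns the file
        # or if the file is group- or world-writable.
        if [ "$(owner_of "$jar")" = "$svc" ]; then
            echo "WRITABLE $jar (owned by service account)"
            findings=$((findings + 1))
        else
            case "$(printf %s "$m" | cut -c5-10)" in
                *w*) echo "WRITABLE $jar ($m)"; findings=$((findings + 1));;
            esac
        fi
    done
    return "$findings"
}
```

A clean install returns 0; run it as root after installation and again after any deploy that touches lib/, since a single writable jar undoes the server.xml permissions.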