Luca,

On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> I'm working to secure this, but...it's not too easy (and I'm surely not
> a skilled programmer...).
>
> But I hope this topic will be kept up!

There is virtually nothing you can do about this. The only solutions here are:

1. Use a password entered on the console during start-up (the "Apache httpd strategy")
2. Remove the password from the keystore

Removing the password from the keystore is just about as (in)secure as having the password in server.xml in plain-text.

All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.

-chris