On 29/10/2010 10:19, 彬 乔 wrote:
> Dears,
>
> We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it
> is a financial system. An internal audit indicated that we should not use
> plain text username and password in the server.xml, as:
>
> <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource"
>           username="user"
>           password="password"
>           ...
>           />
>
> Is there a way to use encrypted username and password in the server.xml file?
> Or, use the username and password as parameters of the startup command,
> instead of leaving them as plain text in the server.xml?

Just set the permissions of the file to be read-only for the user that runs
Tomcat, and restrict access to that user.

    chmod 600 server.xml

If the user (say 'tomcat') doesn't have a login shell, then only root will be
able to read that file.

Encrypting passwords in server.xml is largely a waste of time.

p
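
Added example (not part of the original message or of Tomcat): a POSIX shell check for the two conditions the reply describes, that server.xml carries no group/other permission bits and that the account running Tomcat has no login shell. It assumes GNU stat and getent as on RHEL; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the file permissions and account setup described above.
# Assumes GNU coreutils stat and getent (as on RHEL). Function names are
# illustrative, not part of Tomcat.
# Usage after sourcing: audit_server_xml /path/to/conf/server.xml tomcat

# Succeed only if FILE is a regular file with no group/other permission bits.
check_private_mode() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "FAIL: $f is not a regular file"; return 2
    fi
    mode=$(stat -c '%a' "$f") || return 2
    # Prefix 0 so the shell reads the value as octal; 077 masks group+other.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "OK: $f mode $mode"
    else
        echo "FAIL: $f mode $mode grants group/other access"; return 1
    fi
}

# Succeed if the passwd shell field denies interactive logins.
is_nologin_shell() {
    case $1 in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;   # an empty field means /bin/sh, so it counts as a login shell
    esac
}

# Print the login shell recorded for USER (empty if the account is unknown).
account_shell() {
    getent passwd "$1" | cut -d: -f7
}

# Run all checks; non-zero exit status means at least one failed.
audit_server_xml() {
    file=$1 user=$2 rc=0
    check_private_mode "$file" || rc=1
    owner=$(stat -c '%U' "$file" 2>/dev/null) || owner=unknown
    [ "$owner" = "$user" ] || { echo "FAIL: owner '$owner', expected '$user'"; rc=1; }
    if is_nologin_shell "$(account_shell "$user")"; then
        echo "OK: $user has no login shell"
    else
        echo "FAIL: $user has a login shell or does not exist"; rc=1
    fi
    return $rc
}
```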