On 29/10/2010 14:18, Darryl Lewis wrote:
> Encrypt the username and passwords using Realm configuration.

Realms have nothing to do with the usernames and passwords used to connect to databases defined via <Resource> tags.

> You should always assume there is the possibility that a user will get
> access to the system via a badly written program. Whilst they might get some
> system access, you should make it as difficult as possible for them to jump
> to the next box.

If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that.

> If you give read access on server.xml only to root user,

No-one is suggesting that. Go read what Pid wrote again.

> Tomcat is started with root privileges, which is really bad.

Agreed.

Mark