If you have a webapp where users log in, you can use their login/password to
log in to the database. A little bit inconvenient for the DBA but you don't have
passwords on your servers.
Ronald.
On Friday, 29 October 2010 15:42, Rainer Frey <rainer.f...@inxmail.de> wrote:
On Friday 29 October 2010 15:34:29 Mark Thomas wrote:
> If Tomcat has access to a database and the attacker has access to a
> shell prompt (or similar) with the same privileges as Tomcat then the
> attacker has access to the database and there is absolutely nothing you
> can do to prevent that.
In theory, there is a way Tomcat could implement. You could interactively ask
for all needed passwords when starting Tomcat and keep them only in memory.
httpd does that by default for encrypted SSL primary keys. But in practice the
userbase that would accept the inconvenience and the impossibility to
automatically start Tomcat would be too small to spend time for that. And the
practical security gain is small.
> Mark
Rainer