tomcat-dev mailing list archives

From Apache Wiki <>
Subject [Tomcat Wiki] Update of "FAQ/Password" by TimFunk
Date Fri, 05 Nov 2010 12:22:12 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "FAQ/Password" page has been changed by TimFunk.


New page:
= Passwords =

== Why are plain text passwords in the config files? ==
Because there isn't a good way to "secure" them. When Tomcat needs to connect to a database,
it needs the original password. While the password could be encoded, there still needs to
be a mechanism to decode it. And since the source to Tomcat is freely available, the attacker
would know the decoding method. So at best, the password is obscured - but not really protected.
Please see the user and dev list archives for flame wars about this topic.

Of course, auditors do not like this answer. So there are some ways to get around this ...
 * Use properties replacement so that in the xml config you have ${db.password} and in conf/
you put the password there. You are not safer, but the auditors may be happy.
 * Since server.xml uses utf-8 encoding - you can use xml entities. For example: "woot" becomes
"&#119;&#111;&#111;&#116;", which is a way to obscure the password.
 * Write your own datasource implementation which wraps your datasource and obscure your brains
out. See the docs on how to do this.
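As an added illustration (not part of the wiki page), the following Python models the first two workarounds and shows that both hand the original password back to anyone who can read the files; the server.xml and catalina.properties fragments are constructed samples, and the resolve order (XML parser decodes character references, then ${...} is expanded in the attribute value) is assumed to mirror Tomcat's Digester.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the wiki page) for the two workarounds.
SERVER_XML_PROPERTY = """<Context>
  <Resource name="jdbc/app" type="javax.sql.DataSource"
            username="app" password="${db.password}"/>
</Context>"""
CATALINA_PROPERTIES = "# constructed conf/catalina.properties fragment\ndb.password=woot\n"

SERVER_XML_ENTITIES = """<Context>
  <Resource name="jdbc/app" type="javax.sql.DataSource"
            username="app" password="&#119;&#111;&#111;&#116;"/>
</Context>"""


def entity_obscure(secret: str) -> str:
    """Rewrite every character as a decimal XML character reference (workaround 2)."""
    return "".join(f"&#{ord(ch)};" for ch in secret)


def load_properties(text: str) -> dict:
    """Minimal key=value reader for a catalina.properties-style file (workaround 1)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve_password(server_xml: str, props: dict) -> str:
    """Recover the password the way the config loader must: parse the XML
    (the parser decodes character references for free), then expand any
    ${name} placeholder from the properties. No secret is needed to do this."""
    resource = ET.fromstring(server_xml).find("Resource")
    raw = resource.get("password")
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)


if __name__ == "__main__":
    print(entity_obscure("woot"))
    print(resolve_password(SERVER_XML_PROPERTY, load_properties(CATALINA_PROPERTIES)))
    print(resolve_password(SERVER_XML_ENTITIES, {}))
```

Both calls print the same plaintext, which is the point of the FAQ: file permissions on conf/, not encoding, are what actually limit who can read the password.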
