tomcat-dev mailing list archives

From Apache Wiki <>
Subject [Tomcat Wiki] Update of "FAQ/Password" by markt
Date Fri, 05 Nov 2010 16:58:10 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "FAQ/Password" page has been changed by markt.


   * Use properties replacement so that in the xml config you have ${db.password} and in conf/
you put the password there. You are not safer, but the auditors may be happy.
   * Since server.xml uses utf-8 encoding - you can use xml entities. For example: "woot"
becomes "&amp;#119;&amp;#111;&amp;#111;&amp;#116;" which is a way to obscure
the password
   * Write your own datasource implementation which wraps your datasource and obscure your
brains out. See the docs on how to do this.
+  * (Tomcat 7) Write your own org.apache.tomcat.util.!IntrospectionUtils.!PropertySource
implementation to 'decrypt' passwords that are 'encrypted' in and referenced
via ${...} in server.xml. You'll need to set the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE
to point to your !PropertySource implmentation. This won't provide any real security, it just
adds another level of indirection - i.e. 'security by obscurity'.
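
Review bot: In the added Tomcat 7 bullet, the phrase "'encrypted' in and referenced via ${...}" never names where the encrypted values are stored, so the reader cannot tell what the PropertySource implementation is supposed to read; name that location explicitly. The same bullet misspells "implementation" as "implmentation". "Point to your PropertySource implementation" should also say what value the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE takes, for example whether it is the fully qualified class name. The closing caveat about 'security by obscurity' is worth keeping, and it would be stronger with the reason: whatever the implementation needs in order to decrypt must itself be readable by the Tomcat process.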
