tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Micael Padraig Og mac Grene" <caraun...@harbornet.com>
Subject Re: Form authentication/ password changing
Date Fri, 02 Nov 2001 01:02:06 GMT
Are you experiencing the same thing?
-----Original Message-----
From: Timothy Fisher <trfishermi@yahoo.com>
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Date: Thursday, November 01, 2001 12:47 PM
Subject: Re: Form authentication/ password changing


>Craig,
>
>I agree with all of your comments.  From the tomcat
>access perspective, your correct, flat file vs. DB
>storage of users/passwords may be roughly equivalent
>in terms of how secure that is.
>
>But, if you ignore tomcat, and just consider the
>usernames and passwords sitting out there, I would
>argue that they are more vulnerable sitting in a flat
>file than in a database.  But I"m sure this could be
>debated on an on...
>
>Tim
>
>--- "Craig R. McClanahan" <craigmcc@apache.org> wrote:
>> 
>> 
>> On Thu, 1 Nov 2001, Timothy Fisher wrote:
>> 
>> > Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
>> > From: Timothy Fisher <trfishermi@yahoo.com>
>> > Reply-To: Tomcat Users List
>> <tomcat-user@jakarta.apache.org>
>> > To: Tomcat Users List
>> <tomcat-user@jakarta.apache.org>
>> > Subject: Re: Form authentication/ password
>> changing
>> >
>> > There is a sample tomcat-users.xml included with
>> > tomcat 4.0 in the conf directory.  Just follow
>> this
>> > format.  Yes, the file must be in this format,
>> unless
>> > you write your own connector.
>> >
>> 
>> Yep.
>> 
>> > The server containing the tomcat-users file
>> definitely
>> > must be protected.  Yes, this is less secure than
>> > storing the users/passwords in a
>> directory/database.
>> >
>> 
>> It's hard to talk about "more secure" or "less
>> secure" unless we define
>> how you measure this :-).  However, I would suggest
>> that this is not
>> necessarily true.
>> 
>> First, under all circumstances, you should run
>> Tomcat under a username
>> other than root.  That username must (obviously)
>> have read access to the
>> files in the "conf" directory.  But, *no* other
>> users on the server should
>> be able to read those files.  This allows you to
>> leverage your operating
>> system's standard protection for files.
>> 
>> Second, let's assume that we put the users in a
>> database instead, and
>> configure JDBCRealm to have Tomcat talk to it.  If
>> you examine the
>> configuration parameters you have to set up in
>> "conf/server.xml", you will
>> note that you have to specify the database username
>> and password -- so you
>> are *still* depending on limiting access to the
>> configuration files, even
>> if you take this approach.  That doesn't sound "more
>> secure" to me.
>> 
>> (An approach that would qualify as "more secure"
>> would be to challenge the
>> system administrator for a password when Tomcat is
>> started up.  Some
>> progress towards building such stuff has taken place
>> with regards to the
>> "keystore" files used for SSL certificates, but not
>> yet for database
>> passwords.  And, you have to balance the security
>> with the extra hassle
>> that you cannot script a startup of Tomcat without
>> having someone around
>> to answer the password prompt.)
>> 
>> > Tim
>> >
>> 
>> Craig
>> 
>> 
>> --
>> To unsubscribe:  
>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>> For additional commands:
>> <mailto:tomcat-user-help@jakarta.apache.org>
>> Troubles with the list:
>> <mailto:tomcat-user-owner@jakarta.apache.org>
>> 
>
>
>__________________________________________________
>Do You Yahoo!?
>Make a great connection at Yahoo! Personals.
>http://personals.yahoo.com
>
>--
>To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
>Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
>
>


--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>


Mime
View raw message