tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Form authentication/ password changing
Date Thu, 01 Nov 2001 20:34:33 GMT


On Thu, 1 Nov 2001, Timothy Fisher wrote:

> Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
> From: Timothy Fisher <trfishermi@yahoo.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: Form authentication/ password changing
>
> There is a sample tomcat-users.xml included with
> tomcat 4.0 in the conf directory.  Just follow this
> format.  Yes, the file must be in this format, unless
> you write your own connector.
>

Yep.

> The server containing the tomcat-users file definitely
> must be protected.  Yes, this is less secure than
> storing the users/passwords in a directory/database.
>

It's hard to talk about "more secure" or "less secure" unless we define
how you measure this :-).  However, I would suggest that this is not
necessarily true.

First, under all circumstances, you should run Tomcat under a username
other than root.  That username must (obviously) have read access to the
files in the "conf" directory.  But, *no* other users on the server should
be able to read those files.  This allows you to leverage your operating
system's standard protection for files.

Second, let's assume that we put the users in a database instead, and
configure JDBCRealm to have Tomcat talk to it.  If you examine the
configuration parameters you have to set up in "conf/server.xml", you will
note that you have to specify the database username and password -- so you
are *still* depending on limiting access to the configuration files, even
if you take this approach.  That doesn't sound "more secure" to me.

(An approach that would qualify as "more secure" would be to challenge the
system administrator for a password when Tomcat is started up.  Some
progress towards building such stuff has taken place with regards to the
"keystore" files used for SSL certificates, but not yet for database
passwords.  And, you have to balance the security with the extra hassle
that you cannot script a startup of Tomcat without having someone around
to answer the password prompt.)

> Tim
>

Craig


--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>


Mime
View raw message