tomcat-users mailing list archives

From Timothy Fisher <trfishe...@yahoo.com>
Subject Re: Form authentication/ password changing
Date Thu, 01 Nov 2001 20:49:32 GMT
Craig,

I agree with all of your comments.  From the tomcat
access perspective, you're correct, flat file vs. DB
storage of users/passwords may be roughly equivalent
in terms of how secure that is.

But, if you ignore tomcat, and just consider the
usernames and passwords sitting out there, I would
argue that they are more vulnerable sitting in a flat
file than in a database.  But I'm sure this could be
debated on and on...

Tim

--- "Craig R. McClanahan" <craigmcc@apache.org> wrote:
> 
> On Thu, 1 Nov 2001, Timothy Fisher wrote:
> 
> > Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
> > From: Timothy Fisher <trfishermi@yahoo.com>
> > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > Subject: Re: Form authentication/ password changing
> >
> > There is a sample tomcat-users.xml included with tomcat 4.0 in the
> > conf directory.  Just follow this format.  Yes, the file must be in
> > this format, unless you write your own connector.
> >
> 
> Yep.
> 
> > The server containing the tomcat-users file definitely must be
> > protected.  Yes, this is less secure than storing the users/passwords
> > in a directory/database.
> >
> 
> It's hard to talk about "more secure" or "less secure" unless we define
> how you measure this :-).  However, I would suggest that this is not
> necessarily true.
> 
> First, under all circumstances, you should run Tomcat under a username
> other than root.  That username must (obviously) have read access to the
> files in the "conf" directory.  But, *no* other users on the server should
> be able to read those files.  This allows you to leverage your operating
> system's standard protection for files.
> 
> Second, let's assume that we put the users in a database instead, and
> configure JDBCRealm to have Tomcat talk to it.  If you examine the
> configuration parameters you have to set up in "conf/server.xml", you will
> note that you have to specify the database username and password -- so you
> are *still* depending on limiting access to the configuration files, even
> if you take this approach.  That doesn't sound "more secure" to me.
> 
> (An approach that would qualify as "more secure" would be to challenge the
> system administrator for a password when Tomcat is started up.  Some
> progress towards building such stuff has taken place with regards to the
> "keystore" files used for SSL certificates, but not yet for database
> passwords.  And, you have to balance the security with the extra hassle
> that you cannot script a startup of Tomcat without having someone around
> to answer the password prompt.)
> 
> > Tim
> >
> 
> Craig


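An operator's check for the file-permission point Craig makes in the quoted message (conf/ readable only by the account Tomcat runs as, and server.xml holding the JDBCRealm database credential), added here as an example; it is not code from the thread or from Tomcat. It assumes POSIX find and takes the conf directory and the service account as parameters.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a Tomcat conf/ directory is
# private to the service account, as the quoted message recommends.  The
# directory path and account name are parameters, not values from the thread.

# Print every regular file under $1 that is not owned by $2, or that carries a
# group- or world-read bit.  Either condition lets another local user read it.
check_conf_perms() {
    dir="$1"
    owner="$2"
    find "$dir" -type f \( ! -user "$owner" -o -perm -g=r -o -perm -o=r \) -print
}

# Exit status 0 when the directory is private to the service account, 1
# otherwise; suitable for a pre-start script or a periodic check.
conf_is_private() {
    [ -z "$(check_conf_perms "$1" "$2")" ]
}

# Show where server.xml embeds the JDBCRealm database credential (the
# connectionPassword attribute), which is why server.xml needs the same
# protection as tomcat-users.xml.  Prints matching lines with line numbers;
# exit status 0 if any were found.
list_embedded_db_passwords() {
    grep -n 'connectionPassword' "$1/server.xml"
}
```

A typical fix for a finding is `chown <service-account> conf/*` followed by `chmod 600 conf/*`, run as root before starting Tomcat.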

