tomcat-users mailing list archives

From Timothy Fisher <trfishe...@yahoo.com>
Subject Re: Form authentication/ password changing
Date Fri, 02 Nov 2001 15:47:35 GMT
Experiencing what???


--- Micael Padraig Og mac Grene <caraunltd@harbornet.com> wrote:
> Are you experiencing the same thing?
> -----Original Message-----
> From: Timothy Fisher <trfishermi@yahoo.com>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Date: Thursday, November 01, 2001 12:47 PM
> Subject: Re: Form authentication/ password changing
> 
> 
> >Craig,
> >
> >I agree with all of your comments.  From the tomcat
> >access perspective, you're correct, flat file vs. DB
> >storage of users/passwords may be roughly equivalent
> >in terms of how secure that is.
> >
> >But, if you ignore tomcat, and just consider the
> >usernames and passwords sitting out there, I would
> >argue that they are more vulnerable sitting in a flat
> >file than in a database.  But I'm sure this could be
> >debated on and on...
> >
> >Tim
> >
> >--- "Craig R. McClanahan" <craigmcc@apache.org> wrote:
> >> 
> >> 
> >> On Thu, 1 Nov 2001, Timothy Fisher wrote:
> >> 
> >> > Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
> >> > From: Timothy Fisher <trfishermi@yahoo.com>
> >> > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> >> > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> >> > Subject: Re: Form authentication/ password changing
> >> >
> >> > There is a sample tomcat-users.xml included with
> >> > tomcat 4.0 in the conf directory.  Just follow this
> >> > format.  Yes, the file must be in this format, unless
> >> > you write your own connector.
> >> >
> >> 
> >> Yep.
> >> 
> >> > The server containing the tomcat-users file definitely
> >> > must be protected.  Yes, this is less secure than
> >> > storing the users/passwords in a directory/database.
> >> >
> >> 
> >> It's hard to talk about "more secure" or "less secure" unless we define
> >> how you measure this :-).  However, I would suggest that this is not
> >> necessarily true.
> >> 
> >> First, under all circumstances, you should run Tomcat under a username
> >> other than root.  That username must (obviously) have read access to the
> >> files in the "conf" directory.  But, *no* other users on the server should
> >> be able to read those files.  This allows you to leverage your operating
> >> system's standard protection for files.
> >> 
> >> Second, let's assume that we put the users in a database instead, and
> >> configure JDBCRealm to have Tomcat talk to it.  If you examine the
> >> configuration parameters you have to set up in "conf/server.xml", you will
> >> note that you have to specify the database username and password -- so you
> >> are *still* depending on limiting access to the configuration files, even
> >> if you take this approach.  That doesn't sound "more secure" to me.
> >> 
> >> (An approach that would qualify as "more secure" would be to challenge the
> >> system administrator for a password when Tomcat is started up.  Some
> >> progress towards building such stuff has taken place with regards to the
> >> "keystore" files used for SSL certificates, but not yet for database
> >> passwords.  And, you have to balance the security with the extra hassle
> >> that you cannot script a startup of Tomcat without having someone around
> >> to answer the password prompt.)
> >> 
> >> > Tim
> >> >
> >> 
> >> Craig
> >> 
> >> 
> >
> >
> >
> >
> >
> 
> 
> 



--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
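As an added example that is not part of this thread (a constructed script, not Tomcat's own tooling): the shell audit below checks what Craig's reply relies on. It builds a sample conf/ directory in the Tomcat 4.0 shape (contents are assumed for the example), counts the secrets that the tomcat-users.xml user file and a JDBCRealm element in server.xml leave on disk in cleartext, and fails unless every file is owned by the account Tomcat runs as with no group/other permission bits at all. The account name and the sample file contents are assumptions of the example.

```shell
#!/bin/sh
# Added example (constructed for this archive page, not Tomcat's own tooling):
# audit a Tomcat conf/ directory the way Craig's reply says it must be kept.
# Assumptions: POSIX sh with ls, cut, grep -E/-o and mktemp; the name of the
# account Tomcat runs as is passed in by the caller.

# Write a sample conf/ into $1 with constructed, world-readable files in the
# Tomcat 4.0 shape: a MemoryRealm user file and a JDBCRealm element whose
# connectionName/connectionPassword attributes carry the DB credentials.
make_sample_conf() {
    mkdir -p "$1"
    cat > "$1/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="admin"  password="s3cret" roles="manager,admin" />
</tomcat-users>
EOF
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/authority"
         connectionName="dbuser" connectionPassword="dbpass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name" />
</Server>
EOF
    chmod 644 "$1"/*.xml      # the weak setting: group and others can read
}

# Count cleartext secrets in conf/: user passwords in tomcat-users.xml and the
# JDBCRealm connectionPassword in server.xml. Either realm leaves something on
# disk that only file permissions protect.
count_cleartext_secrets() {
    grep -ohE '(connectionPassword|password)="[^"]*"' "$1"/*.xml | wc -l | tr -d ' '
}

# Return 0 when every file in $1 is owned by $2 and has no group/other bits at
# all; otherwise print one FAIL line per problem and return 1.
check_conf_dir() {
    dir=$1; user=$2; rc=0
    if [ "$user" = root ]; then
        echo "WARN: Tomcat should run as a non-root account"
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(ls -ld "$f")                 # $1 = mode string, $3 = owner
        mode=$1; owner=$3
        grp_oth=$(echo "$mode" | cut -c5-10)  # rwxrwx bits for group + other
        if [ "$owner" != "$user" ]; then
            echo "FAIL: $f is owned by $owner, expected $user"; rc=1
        fi
        if [ "$grp_oth" != "------" ]; then
            echo "FAIL: $f mode $mode is readable beyond the owner"; rc=1
        fi
    done
    return $rc
}

# Demo: the sample fails as generated, passes once it is owner-only (0600).
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir"
echo "cleartext secrets on disk: $(count_cleartext_secrets "$demo_dir")"
check_conf_dir "$demo_dir" "$(id -un)" || echo "-> insecure as shipped"
chmod 600 "$demo_dir"/*.xml
check_conf_dir "$demo_dir" "$(id -un)" && echo "-> owner-only, OK"
rm -rf "$demo_dir"
```

Either realm choice leaves a credential on disk (three in the sample: two user passwords and the JDBCRealm connectionPassword), so the permission check is the one that matters; mode 0600 on the conf files, owned by the non-root Tomcat account, is what the script accepts. The password-at-startup alternative Craig mentions is outside what this script covers.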

