tomcat-users mailing list archives

From "Hart, Justin" <JH...@sfa.com>
Subject RE: Security Hole - server.xml
Date Wed, 26 Nov 2003 14:13:45 GMT
You're not reusing the passwords anywhere else in the system (i.e., you don't have a multi-tier
login, do you?)

If you do, you can quite feasibly shadow the passwords.  I don't know if such an implementation
exists in Tomcat, but I would assume that someone, somewhere, has written a realm implementation
that works with a .htaccess file; if not, you can always connect Tomcat to Apache.

Having written a customized realm implementation only yesterday, I can assure you that it
isn't too terribly difficult to do so, as the security is pretty well laid out in Tomcat.

Justin

-----Original Message-----
From: Curley, Thomas [mailto:thomas.curley@euroconex.com]
Sent: Wednesday, November 26, 2003 8:53 AM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml


I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on unix
file level security - what happens if a hacker gets root privs?

thanks

Thomas

-----Original Message-----
From: Tim Funk [mailto:funkman@joedog.org]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml


The username and password still need to be decrypted at some time. It just makes
the attacker jump through 1 hoop.

File permissions on the config file, as well as server security, are the
ways to go.

-Tim

Curley, Thomas wrote:

> Hi all,
> 
> A direct question arising from a security review :-
> 
> Using a datasource it is possible to remove the 'username', 'password' or at least encrypt
> them using something like MD5
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

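A defender's check along the lines of Tim's advice, added here and not part of the thread: a POSIX shell audit that lists which `<Resource>` datasources in a server.xml carry an inline `password` attribute and flags the file if accounts other than its owner and group can read it. The sample server.xml fragment, jdbc names and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Tomcat server.xml for the two
# points raised above, datasources with an inline password attribute and a config
# file readable by accounts other than the owner. Sample XML is constructed.

SAMPLE_SERVER_XML='<Server>
  <GlobalNamingResources>
    <Resource name="jdbc/Orders" auth="Container" type="javax.sql.DataSource"
              username="orders_app" password="placeholder-not-a-real-secret"
              driverClassName="org.postgresql.Driver" url="jdbc:postgresql://db/orders"/>
    <Resource name="jdbc/Reports" auth="Container" type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver" url="jdbc:postgresql://db/reports"/>
  </GlobalNamingResources>
</Server>'

# Print the name of each <Resource .../> in FILE that carries password="...",
# one per line. Elements may be wrapped over several lines, as above.
inline_credential_resources() {
    awk '
        /<Resource[ \t>]/ { buf = ""; in_res = 1 }
        in_res { buf = buf " " $0 }
        in_res && /\/>/ {
            in_res = 0
            if (buf ~ /[ \t]password="/ && match(buf, /name="[^"]*"/))
                print substr(buf, RSTART + 6, RLENGTH - 7)
        }
    ' "$1"
}

# Exit 0 when FILE has the "other read" bit set: any local account can read
# whatever is stored in it, hashed or not.
world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Print findings for FILE; return 1 if there were any, 0 if clean.
audit_server_xml() {
    status=0
    names=$(inline_credential_resources "$1")
    [ -n "$names" ] && { printf 'inline credentials in %s: %s\n' "$1" "$names"; status=1; }
    world_readable "$1" && { printf '%s is world-readable; use 0640 or stricter\n' "$1"; status=1; }
    return $status
}

# Real use: sh audit.sh "$CATALINA_BASE/conf/server.xml"
if [ -n "${1:-}" ]; then audit_server_xml "$1"; fi
```

The permission check uses `find -perm -004`, which is portable between GNU and BSD find, and tests mode bits rather than the caller's own access.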

