tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Smith <>
Subject Re: any standart way to keep passwords encripted???
Date Fri, 02 Apr 2004 23:37:53 GMT
Hi.  I've had some time to think about this subject especially since 
others have brought it up before.

The real honest to goodness problem is that eventually you'll need to 
deal with a password.  That's just unavoidable.  You could encrypt the 
password, but that would just need another password to decrypt it before 
making it useful.  Even SSL has a server.key file (the server's private 
key) that needs to be guarded with the highest security available. 

The only really secure way to deal with it and not have a plain text 
password hanging around somewhere is to possibly have the admin enter 
the password on startup.  I don't know about you, but I'm not crazy 
about babysitting a server or having the site down until I can sit at a 
console and put in a password :-(.

Just properly secure the server.xml (or context.xml) file with read only 
access and only for the user tomcat is launched as.  Also make sure it's 
in a place guaranteed not to be served out by any means.  I have mine in 
/etc/tomcat5 and symlinked the conf directory in tomcat to /etc/tomcat5.

Lastly, look at ways to limit the impact of a compromised password 
(firewalls, ACL's, change passwords on a routine basis, minimum 
privilege, etc, ...).

Just my three cents on the matter.  It's Friday -- time for happy hour.

--David Smith, CISSP

Emerson Cargnin wrote:

> How can I mantain databases passwords without :
> - Being put in the code (arghhhh)
> - Being in plain text in server.xml (as configured for tomcat)
> I use another approache than the pool from tomcat, that consist in a 
> separate servlet and a PoolManager, which is accessed in a static way. 
> (so other apps can reference the same instance...). In the servlet I 
> read the init properties from web-xml that follows a pattern 
> (poolname1,dbuser1,dbpass1, and so on for all pools). In the 
> application I just as for the pool by the name of it. It works and I 
> can change the pool implementation without impacting in any code of 
> the application. We are thinking in not let the password in plain text 
> in the web.xml. I though of 2 approaches:
> - Read the web.xml by a standalone app and encript the password, in my 
> connection servlet I read it and decritp it.
> - Have a separate file for each pool, this file,encripted, would 
> contain info about each pool.
> BTW, is there any way to use the same pool for more than one app, 
> using tomcat pool configuration ???
> thanks in advance
> Emerson
> Emerson Cargnin wrote:
>> Is there any standart way to keep the passwords of databases 
>> encripted when creating a pool through tomcat?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message