tomcat-users mailing list archives

From QM <qm...@brandxdev.net>
Subject Re: Tomcat Realm--> password encryption & servlet location in a webApp
Date Thu, 05 Aug 2004 13:15:55 GMT
On Thu, Aug 05, 2004 at 10:02:34AM +0200, Ben Bookey wrote:
: 1) I think I remember reading somewhere that there was a .bat batch file
: which we could run
: on production machines, so that passwords are encrypted. Can anyone
: enlighten?

Maybe you're thinking of the Catalina convenience class to output hashed
passwords based on (plaintext) user input, for use with the various
Realm impls?


: 2) What's the best configuration mechanism for my servlets? I think it's
: better to add
: the servlets to my com.mycompany.myapp package (or?),

Unless you have some strange security manager requirements, the
locations of your servlet classes within a package structure are
irrelevant to application-level security.


: BUT, is it a security
: flaw when
: I set in my app, the <url-pattern> beginning with /servlet/* (see below
: example). I again have read that the
: servlet url-pattern should not begin with /servlet

That's some old security-through-obscurity advice, which argues that such
a URI prefix would let potential attackers know that you're using
servlets, and such information would help them formulate an attack.

At the risk of starting a flame war, I won't say where I stand on that
issue. ;)

I sympathize with your desire to have a "secure" app.  As long as your
application's infrastructure (network, machines, software versions) is
reasonably locked down, then you (the app developer) should focus on
checking for malformed input and requests.

(Easier said than done, yes.)

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
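As an added illustration of the convenience-class approach QM mentions (example code, not from the thread or from Tomcat itself), the following Python reproduces what Tomcat's digest tool and a Realm configured with digest="SHA" or digest="MD5" do: store the hex digest of the password in tomcat-users.xml instead of the plaintext, and re-hash the submitted password at login for comparison. The lowercase-hex format and the name/password/roles attribute names are assumed from the Tomcat 4/5 MemoryRealm layout.

```python
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

# Algorithms the 2004-era MemoryRealm/JDBCRealm accepted via the digest="..."
# attribute on <Realm>. Hex encoding is assumed to match the digest tool's output.
SUPPORTED = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def tomcat_digest(password: str, algorithm: str = "SHA") -> str:
    """Return the lowercase hex digest the realm stores in place of plaintext."""
    try:
        ctor = SUPPORTED[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    return ctor(password.encode("utf-8")).hexdigest()


def user_element(username: str, password: str, roles, algorithm: str = "SHA") -> str:
    """Build a tomcat-users.xml <user> line carrying the digest, not the plaintext.

    Attribute names (name/password/roles) follow the Tomcat 4/5 file layout (assumed).
    """
    return "<user name=%s password=%s roles=%s/>" % (
        quoteattr(username),
        quoteattr(tomcat_digest(password, algorithm)),
        quoteattr(",".join(roles)),
    )


def verify(stored_digest: str, candidate: str, algorithm: str = "SHA") -> bool:
    """What a digest-enabled realm does at login: hash the submitted password,
    then compare against the stored digest (constant-time compare here)."""
    return hmac.compare_digest(stored_digest, tomcat_digest(candidate, algorithm))


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    print(user_element("ben", "password", ["manager"], "SHA"))
    print(verify(tomcat_digest("password", "MD5"), "password", "MD5"))
```

Unsalted MD5/SHA-1 digests only stop casual reading of the file; a modern deployment would use a salted, iterated credential handler, but the storage and verification flow is the same.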



