tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Parsons Technical Services" <>
Subject Re: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
Date Sun, 27 Feb 2005 06:00:29 GMT
Okay, I know I am starting a flame war but why go through the effort?

If I can see your encrypted passwords, then I can see the code that decrypts 
them. And with that I have your passwords. It only adds a step to my effort 
to crack your security.

The only way to really secure them is to secure the files they are stored 
in. If you are on Linux or Windoze with NTFS this can be done. Then only you 
and Tomcat can see them. This of course does not exclude the admin/root, but 
if you can't trust them then you have bigger issues.

So in reality don't bother with what is in the files, instead secure the 

If you disagree, then explain how you are going to send the password to 
MySQL?  And some more info on your environment may help us give you some 
other suggestions.

Please don't take this the wrong way. This has been discussed many times 
before and there is no real solution other than as stated above. If you have 
a different idea, please post it. We are open to new ideas and suggestions, 
but with this one, I feel the solution lies in the environment. Please feel 
free to prove me wrong. And yes it has been done before, for I am far from 


----- Original Message ----- 
From: "Edmon Begoli" <>
To: "Tomcat Users List" <>
Sent: Saturday, February 26, 2005 10:08 PM
Subject: Question for Tomcat Developers - How to Plug In Encryption for JDBC 

> Hi,
> I an using Tomcat 5.5.7, and I am planning on upgrading as needed.
> As we all know Tomcat enables me to configure JDBC resources
> that my app can use through the JNDI. My problem is that these passwords 
> have to be stored as a plain text
> which is a very bitter pill in my environment.
> What is the Tomcat class that reads in those plain text values?
> I would like to override this behavior and to enable this class to read 
> digests/encrypted passwords.
> I would also contribute this code to Tomcat code base if desired.
> Please advise,
> Edmon
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message