tomcat-users mailing list archives

From "George Sexton" <>
Subject RE: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
Date Mon, 28 Feb 2005 15:56:20 GMT
Your argument about short duration attacks is optimistic at best. Most
systems are so poorly secured and monitored that break-ins aren't detected
anywhere near that quickly.

Let's face reality here. The only safe way to hide the JDBC information is
to have the SECRET (encryption password) not available on the server. Any
other method is not secure, it is just obfuscation. The tomcat developers
quite rightly are refusing to implement any kind of scheme that isn't

Look at the startup sequence for Apache using SSL certificates. You have to
type in the password for the private key.

If you really want to do this, then you will need to have your application
startup have a method that permits an operator to enter in the password for
the JDBC information at startup. This means that every time your application
is re-started, an operator will have to re-enter the information before the
application can run.

I'd really suggest you purchase and read Bruce Schneier's book Applied
Cryptography. Plan on spending several evenings with it.

Just for grins, here's a link to a Javadoc for a crypto system that I
designed for a shopping cart. The overriding design goal was to ensure that
credit card data would not be revealed even if the database were
compromised. I don't see any shortcomings in it, but I haven't opened it up
to public review before.

George Sexton
MH Software, Inc.
Voice: 303 438 9585

> -----Original Message-----
> From: Edmon Begoli [] 
> Sent: Sunday, February 27, 2005 1:15 AM
> To: Tomcat Users List
> Subject: Re: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
>
> Please do not start the flame war. Check what I have to say. I am really
> not a beginner in this area.
> First, the feature I mentioned is commonly implemented on every major
> application server platform that I know - JBoss, WebSphere, WebLogic,
> Oracle AS.
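
The operator-entered password at startup that the message above describes, as an added example that is not part of the original post and is not Tomcat code: the JDBC password is stored only as an AES-GCM blob, and the key is derived from a passphrase typed at the console on every start. The class and method names, the iteration count, the blob layout and the sample password are assumptions made for illustration.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class JdbcSecretAtStartup { // hypothetical name, not a Tomcat class
    static final int SALT = 16, IV = 12, ITER = 200_000; // assumed parameters

    // AES-256-GCM keyed by PBKDF2-HMAC-SHA256 of the passphrase; buf starts with salt || iv.
    static Cipher cipher(int mode, char[] pass, byte[] buf) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, Arrays.copyOf(buf, SALT), ITER, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(k, "AES"), new GCMParameterSpec(128, buf, SALT, IV));
        return c;
    }

    // Run once, away from the server: returns base64(salt || iv || ciphertext+tag).
    static String seal(char[] pass, String jdbcPassword) throws Exception {
        byte[] head = new byte[SALT + IV];
        new SecureRandom().nextBytes(head);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, pass, head).doFinal(jdbcPassword.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(head, head.length + ct.length);
        System.arraycopy(ct, 0, out, head.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Run at every start: a wrong passphrase fails the GCM tag check (AEADBadTagException).
    static String open(char[] pass, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, pass, in).doFinal(in, SALT + IV, in.length - SALT - IV);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console(); // null when no operator terminal is attached
        if (console == null) throw new IllegalStateException("operator terminal required");
        char[] pass = console.readPassword("JDBC passphrase: ");
        String sealed = seal(pass, "constructed-db-password"); // stands in for the stored blob
        System.out.println("recovered " + open(pass, sealed).length() + " chars");
        Arrays.fill(pass, '\0'); // do not keep the passphrase on the heap
    }
}
```

In a deployment only the output of `seal` would sit in the configuration, and the application would refuse to create its connection pool until `open` succeeds.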
