From: "Richard Mixon (qwest)"
To: "Tomcat Users List"
Subject: RE: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
Date: Sun, 27 Feb 2005 10:01:55 -0700

Edmon,

I am not sure if I understand, but perhaps you should take a look at Matt
Raible's Appfuse application framework at:
https://appfuse.dev.java.net/

His solution uses:
- SSL (optional of course, just a servlet parameter);
- Container Managed Authentication;
- a custom login servlet that encrypts the passwords (SHA is the default,
  but algorithm can vary);
- username and password stored in a database (the password is encrypted
  using SHA).

The only exposure of the passwords might be in your web server "access"
logs. If that too is a concern, you could also take a look at trying to do
SHA encryption of the password on the client web browser using JavaScript -
not sure if that's feasible or not. The login servlet would then need to be
adjusted appropriately (i.e. it would not need to do the SHA encryption).

HTH - Richard

Edmon Begoli wrote:
> Hi,
>
> I am using Tomcat 5.5.7, and I am planning on upgrading as needed.
>
> As we all know Tomcat enables me to configure JDBC resources
> that my app can use through the JNDI. My problem is that these
> passwords have to be stored as a plain text
> which is a very bitter pill in my environment.
>
> What is the Tomcat class that reads in those plain text values?
>
> I would like to override this behavior and to enable this class to
> read digests/encrypted passwords.
> I would also contribute this code to Tomcat code base if desired.
>
> Please advise,
> Edmon

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
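
The access-log exposure mentioned in the reply above can be checked for directly. The script below is an added example, not part of the original message and not Appfuse or Tomcat code: it flags and redacts credential parameters that reached the request line of an access log. It assumes Common Log Format lines and the Servlet-spec form-login field j_password; the other parameter names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credentials. j_password is the Servlet-spec
# form-login field; the other two are assumptions for illustration.
SENSITIVE = {"j_password", "password", "passwd"}

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2005:10:01:55 -0700] '
    '"GET /app/j_security_check?j_username=alice&j_password=5baa61e4c9b93f3f HTTP/1.1" 302 -',
    '192.0.2.10 - - [27/Feb/2005:10:01:56 -0700] "GET /app/mainMenu.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [27/Feb/2005:10:02:03 -0700] "POST /app/j_security_check HTTP/1.1" 302 -',
]

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            leaked.append(name)
            value = "REDACTED"  # plain or digested, the value is dropped
        kept.append((name, value))
    if not leaked:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(kept)))
    start, end = m.span("target")
    return line[:start] + target + line[end:], leaked

def scan(lines):
    """Return (line_number, leaked_names, redacted_line) for each leaking line."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line)
        if leaked:
            findings.append((n, leaked, redacted))
    return findings

if __name__ == "__main__":
    for n, leaked, redacted in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(leaked)} in query string -> {redacted}")
```

Only the first sample line is reported: a form submitted with POST carries its fields in the request body, which the request line of an access log does not record.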