tomcat-users mailing list archives

From Darren <>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 15:09:38 GMT
> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?

You've not thought this through.  Tomcat needs to decrypt or somehow  
have the credentials in cleartext so it can pass them to the database  
to establish a connection (MD5 is one way).  If it were possible to  
create the connection with an encrypted password, it would be just as  
sensitive as the unencrypted version.

>> Also, the encryption doesn't have to be foolproof, it just needs
>> to be a deterrent.  For the most part it is the people with shell
>> access that I want to remove the ability to read the passwords
>> from.  Sometimes security through obscurity is enough.

How would this work?  Something like

<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource"
               username="user" obfuscated="true" password="sh7dhkaDaS"
               autoReconnect="true" />

If so, how do you propose to generate the obfuscated password?  Maybe
a utility app that ships with the tomcat distribution?  If so a
de-obfuscator would appear somewhere on the internet in a very short
space of time.

Don't get me wrong, I'd like to see something done which could
improve on the current cleartext situation, but I can't think of a
sensible solution that would warrant a developer's time.
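Since the thread's real concern is other shell users reading the credentials out of the Resource definition, the practical control is to find every cleartext DataSource password and make sure the file holding it is only readable by the Tomcat account. The audit script below is an added example, not code from the thread or from Tomcat; the context.xml content is constructed to mirror the Resource element quoted above.

```python
"""Audit Tomcat JNDI DataSource definitions for cleartext credentials.

Added example, not part of the original thread. It parses a context.xml or
server.xml, reports each <Resource> carrying a non-empty password attribute,
and checks that the file is not readable by group/others (the "shell access"
case discussed above). The sample XML is constructed for the demo.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <Resource> element quoted in the thread.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource"
            username="user" password="sh7dhkaDaS" autoReconnect="true"/>
  <Resource name="jdbc/ro" auth="Container" type="javax.sql.DataSource"
            username="reader" password=""/>
</Context>"""


def find_cleartext_credentials(xml_text):
    """Return (resource name, username) for every Resource with a password set."""
    root = ET.fromstring(xml_text)
    return [(r.get("name"), r.get("username"))
            for r in root.iter("Resource") if r.get("password")]


def world_or_group_readable(path):
    """True if anyone other than the file owner can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Run both checks on a config file; returns a list of findings."""
    with open(path, encoding="utf-8") as f:
        hits = find_cleartext_credentials(f.read())
    findings = [f"{path}: {name} stores a cleartext password for {user!r}"
                for name, user in hits]
    if hits and world_or_group_readable(path):
        findings.append(f"{path}: readable by group/others; chmod 600 it")
    return findings


def audit_sample(mode):
    """Write the constructed XML with the given file mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
        tmp.write(SAMPLE_CONTEXT_XML)
    os.chmod(tmp.name, mode)
    try:
        return audit(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for line in audit_sample(0o644):  # deliberately loose permissions
        print(line)
```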

