tomcat-users mailing list archives

From "Richard DeGrande" <RDegr...@co.jefferson.co.us>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 14:31:02 GMT
Mark,

The ability to store encrypted passwords doesn't necessarily have to be used to protect the
system from hackers.  This would be a GREAT feature to enforce the responsibilities between
different roles in a development environment.  Also, the encryption doesn't have to be
foolproof, it just needs to be a deterrent.  For the most part it is the people with shell access
that I want to remove the ability to read the passwords from.  Sometimes security through
obscurity is enough.

>>> Mark Thomas <markt@apache.org> 4/30/2007 5:30 PM >>>
Kelly J Flowers wrote:
> I'm using Tomcat 5.5 to run a web application.  I have the connection pools
> set up and working in the context.xml but the password is in plain text.
> Does anyone know of a way to encrypt the password and username to the
> database?

This is nearly always pointless. A couple of points to consider:
1. If the password is encrypted, where do you store the decryption key?
2. If an attacker can read the context.xml file they probably have
shell access to your box. In this case you have bigger problems.

Mark



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org 
For additional commands, e-mail: users-help@tomcat.apache.org 
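
An added example, not part of either message and not Tomcat project code: a small Python audit that reports whether accounts other than the file owner can read a context.xml that holds a plain-text pool password, which is the exposure both messages are arguing about. The sample file, resource name and values are constructed, and it assumes a POSIX host where Tomcat runs as the file's owner.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a context.xml with a pooled DataSource (values are made up).
SAMPLE_CONTEXT = """<Context>
  <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
            username="appuser" password="example-only"
            driverClassName="org.example.Driver" url="jdbc:example://db/app"/>
</Context>
"""

def audit_context(path):
    """Return the file mode, the <Resource> names that carry a password
    attribute, and which permission classes beyond the owner can read them."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Report resource names only; never echo the credential itself.
    resources = [r.get("name", "?")
                 for r in ET.parse(path).getroot().iter("Resource")
                 if r.get("password")]
    findings = []
    if resources and mode & stat.S_IRGRP:
        findings.append("group-readable")
    if resources and mode & stat.S_IROTH:
        findings.append("world-readable")
    return {"mode": oct(mode), "resources": resources, "findings": findings}

def demo():
    """Audit the constructed sample at a loose and then a tight file mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "context.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONTEXT)
        os.chmod(path, 0o644)   # any account with shell access can read it
        loose = audit_context(path)
        os.chmod(path, 0o600)   # only the owning account (and root) can read it
        tight = audit_context(path)
    return loose, tight

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A clean result only covers ordinary shell accounts: root and the account Tomcat runs as can still read the file whatever its mode.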


