tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 15:49:21 GMT

Richard,

Richard DeGrande wrote:
> The ability to store encrypted passwords doesn't necessarily have to
> be used to protect the system from hackers.  This would be a GREAT
> feature to enforce the responsibilities between different roles in a
> development environment.

I solve this problem by using a replaceable set of credentials in the
context.xml file (where I set up my connection pool). When I deploy
using ant, the values are pulled in from ~/.ant.properties which can be
set per user. In production, the installing user has their own set of
credentials. The creds are left out of revision tracking, so "mere"
developers never know the production creds.

> Also, the encryption doesn't have to be
> foolproof, it just needs to be a deterrent.

The point is that encryption such as this only protects against
accidental disclosure of a password. The password must be decrypted
using a key which is in plain text, so there's no effective security.

> For the most part it is
> the people with shell access that I want to remove the ability to
> read the passwords from.

Then make your files readable only by the user under which Tomcat is run.

> Sometimes security through obscurity is enough.

No. Security through obscurity only protects against accidental
disclosure among friendly users. There are better ways to achieve this
goal (such as using file permissions).

The bottom line is that I don't know of any connection pool that
supports encrypted passwords in the configuration, so this discussion is
entirely academic.

-chris
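
The file-permission approach recommended in the message above can be checked mechanically. The following is an added example, not part of the original message or of Tomcat: a POSIX shell audit that reports when a credentials-bearing file is owned by the wrong account or is accessible to group or other. The function names, the `conf/context.xml` path and the `tomcat` account name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a file that holds pool credentials.
# Assumed names: conf/context.xml as the file, "tomcat" as the service account.

# First column of `ls -ldn` is the mode string, third is the numeric owner uid.
mode_of() { ls -ldn -- "$1" | awk '{print $1}'; }
uid_of()  { ls -ldn -- "$1" | awk '{print $3}'; }

# check_private FILE EXPECTED_UID
# Returns 0 if FILE is owned by EXPECTED_UID and has no group/other bits,
# 1 if ownership or mode is too loose, 2 if FILE is not a regular file.
check_private() {
    file=$1
    want_uid=$2
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    mode=$(mode_of "$file")
    owner=$(uid_of "$file")
    # Characters 5-10 of the mode string are the group and other permissions.
    rest=$(printf '%s' "$mode" | cut -c5-10)
    status=0
    if [ "$owner" != "$want_uid" ]; then
        echo "OWNER $file: uid $owner, expected $want_uid"
        status=1
    fi
    if [ "$rest" != "------" ]; then
        echo "MODE  $file: $mode grants access beyond the owner"
        status=1
    fi
    return $status
}

# lock_down FILE: restrict FILE to owner read/write only.
# Changing the owner needs root and is left to the operator.
lock_down() { chmod 600 -- "$1"; }

# Stand-alone use: sh check_private.sh conf/context.xml "$(id -u tomcat)"
if [ "$#" -eq 2 ]; then
    check_private "$1" "$2"
fi
```

Run from cron or a deployment step, a non-zero exit flags a credentials file that shell users other than the service account can read.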



