tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 15:51:26 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin,

Martin Dubuc wrote:
> But it strikes me that Tomcat
> is the only application I know where passwords are stored in clear
> text.

I'll bet that Tomcat is the only application that needs to know its own
passwords. Do you have Apache running with SSL? Where do you store the
password for the SSL key? I'll bet that you have a password-less key,
which is just about the same as a cleartext password lying around.

> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?

Because UNIX password files are used to authenticate a user typing their
password. In this analogy, Tomcat isn't UNIX, Tomcat is /the user/.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGN2H+9CaO5/Lv0PARAqqrAKDAc7F2rge4Xl0UaND7rhGicN3DYQCdEi4V
c9p5LvXt+HudZAMm/98Y3b4=
=FqMz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message