tomcat-users mailing list archives

From Markus Schönhaber <>
Subject Re: UserDatabase & security
Date Fri, 18 May 2007 06:54:19 GMT
Jerome Benezech wrote:

> I have a question regarding Tomcat server UserDatabase
> on Linux. 
> When choosing a MemoryUserDatabase, tomcat users and
> passwords are declared in a tomcat-users.xml file. The
> tomcat user running the server must have read
> permission on this file.
> At the same time, all webapps running in tomcat are
> running under the same Linux user ('tomcat'). So any
> webapp can access this file and display its content.
> My app is hosted on a shared Linux server. With the
> present configuration, I can retrieve this file and
> display every user login/password, then if I wanted
> to, I could go into somebody else's webapp manager and
> undeploy it.
> I am a bit worried that somebody would do that to
> me...
> Is there a way to ensure that only the root user can
> read this file?

Well, Tomcat needs to be able to read that file so you must make it
readable for Tomcat.

OTOH: instead of plaintext passwords you could use digested ones. Take a
look at the "digest" attribute of <Realm> and bin/
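As an added illustration (not part of the original thread), this is what the digested form Markus points to does: tomcat-users.xml stores an unsalted hex digest of the password computed with the algorithm named in the Realm's digest attribute, and at login the realm digests what the client submits and compares the two. The helpers below are a Python stand-in for Tomcat's digest utility; the user names, passwords and roles are constructed sample values.

```python
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

# The Realm's digest attribute takes a JCE algorithm name ("MD5", "SHA",
# "SHA-256"); map it onto the matching hashlib name ("SHA" is SHA-1).
def _hashlib_name(jce_algorithm: str) -> str:
    name = jce_algorithm.lower().replace("-", "")
    return "sha1" if name == "sha" else name


def digest_password(password: str, algorithm: str = "SHA-256") -> str:
    """Unsalted lowercase hex digest, the form stored in tomcat-users.xml
    when <Realm digest="..."> is set."""
    h = hashlib.new(_hashlib_name(algorithm))
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def user_entry(username: str, password: str, roles, algorithm: str = "SHA-256") -> str:
    """Build a <user> element that carries the digest instead of the plaintext,
    so a co-tenant who reads the file no longer sees the password itself."""
    return "<user username=%s password=%s roles=%s/>" % (
        quoteattr(username),
        quoteattr(digest_password(password, algorithm)),
        quoteattr(",".join(roles)),
    )


def verify_password(submitted: str, stored_digest: str, algorithm: str = "SHA-256") -> bool:
    """What the realm does at login: digest the submitted password and compare
    it with the stored value (constant-time compare)."""
    return hmac.compare_digest(digest_password(submitted, algorithm), stored_digest)


if __name__ == "__main__":
    # Constructed sample users for a shared host; "manager" is the role the
    # manager webapp checks before allowing deploy/undeploy.
    print('<Realm className="org.apache.catalina.realm.UserDatabaseRealm"')
    print('       resourceName="UserDatabase" digest="SHA-256"/>')
    print(user_entry("jerome", "abc", ["manager"]))
    print(user_entry("markus", "xyz", ["manager", "admin"]))
    print(verify_password("abc", digest_password("abc")))   # True
    print(verify_password("abd", digest_password("abc")))   # False
```

Note that an unsalted digest of a weak password is still recoverable by anyone who can read the file, so digesting narrows the exposure described in the question without removing it; only separate Tomcat instances running as separate OS users actually keep one tenant's credentials away from another.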
