tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Len Popp" <>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 15:01:03 GMT
Mark, I've heard that argument before, and it has never made sense to
me. If an attacker has read access to one box, that box had better not
have passwords for all the other servers in plain text files!

Security isn't all-or-nothing. There are levels of security, and you
want to get as much security as you reasonably can. Encrypting
passwords or hiding them in compiled code certainly raises the bar for
someone trying to access something they shouldn't - instead of just
reading the password, they'd have to hack the program or break the
encryption. Most people don't have the skill to do that. Not all
security breaches are caused by genius hackers who know every security
hole in every OS. You also have to consider people such as the company
insider who searches the network for credit card records he can sell.

To put it another way, why do you bother locking the front door of
your house? It's completely insecure compared to a bank vault, so why
worry about security at all?

On 4/30/07, Mark Thomas <> wrote:
> Kelly J Flowers wrote:
> > I'm using Tomcat 5.5 to run a web application.  I have the connection pools
> > set up and working in the context.xml but the password is in plain text.
> > Does anyone know of a way to encrypt the password and username to the
> > database?
> This is nearly always pointless. A couple of points to consider:
> 1. If the password is encrypted, where do you store the decryption key?
> 2. If an attacker can read the context.xml file they probably have
> shell access to your box. In this case you have bigger problems.
> Mark
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message