tomcat-users mailing list archives

From "Raghupathy, Gurumoorthy" <>
Subject RE: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 15:15:54 GMT
If you want to do something like that you can then extend
"org.apache.commons.dbcp.BasicDataSourceFactory" to the password...

And put it in a package jar and put it in common lib and set up the
datasource as described in JNDI datasource .....

Not an easy solution but can be achieved :)


-----Original Message-----
From: Darren [] 
Sent: 01 May 2007 16:10
To: Tomcat Users List
Subject: Re: Encrypting passwords in the connection pool setup

> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?

You've not thought this through.  Tomcat needs to decrypt or somehow  
have the credentials in cleartext so it can pass them to the database  
to establish a connection (MD5 is one way).  If it were possible to  
create the connection with an encrypted password, it would be just as  
sensitive as the unencrypted version.

>> Also, the encryption doesn't have to be foolproof, it just needs
>> to be a deterrent.  For the most part it is the people with shell
>> access that I want to remove the ability to read the passwords
>> from.  Sometimes security through obscurity is enough.

How would this work?  Something like

<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource"
          username="user" obfuscated="true" password="sh7dhkaDaS"
          autoReconnect="true" />

If so, how do you propose to generate the obfuscated password?  Maybe
a utility app that ships with the tomcat distribution?  If so a
de-obfuscator would appear somewhere on the internet in a very short
space of time.

Don't get me wrong, I'd like to see something done which could
improve on the current cleartext situation, but I can't think of a
sensible solution that would warrant a developer's time.
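A worked version of the factory approach Raghupathy describes, written as an added example and not code from this thread, Tomcat or DBCP: it extends org.apache.commons.dbcp.BasicDataSourceFactory (DBCP 1.x and Java 8+ assumed), swaps the encrypted "password" entry of the JNDI Reference for cleartext, and delegates to the parent. It also makes Darren's objection concrete: Tomcat still has to recover the password, so the most this buys is keeping it out of server.xml by holding the key in a separate file readable only by the Tomcat user. The class name, package, the db.keyfile property and the ciphertext layout are all assumptions.

```java
package example.tomcat; // hypothetical package name
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.commons.dbcp.BasicDataSourceFactory;

// Decrypts an AES-GCM encrypted, base64 "password" attribute of the <Resource> element
// before DBCP sees it; the key is a file outside server.xml that only the Tomcat user can read.
public class EncryptedPasswordDataSourceFactory extends BasicDataSourceFactory {
    // Hypothetical JVM property naming a raw 16/24/32-byte AES key file,
    // e.g. -Ddb.keyfile=/etc/tomcat/db.key, owned by the tomcat user, mode 0400.
    private static final String KEY_FILE_PROPERTY = "db.keyfile";
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    @Override @SuppressWarnings("rawtypes")
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable environment) throws Exception {
        if (obj instanceof Reference) {
            Reference ref = (Reference) obj;
            for (int i = 0; i < ref.size(); i++) {
                RefAddr addr = ref.get(i);
                if ("password".equals(addr.getType())) {
                    ref.remove(i);
                    ref.add(i, new StringRefAddr("password", decrypt(addr.getContent().toString())));
                    break;
                }
            }
        }
        return super.getObjectInstance(obj, name, nameCtx, environment);
    }
    // Ciphertext layout: base64( 12-byte IV || GCM ciphertext || 16-byte tag ).
    static String decrypt(String base64) throws Exception {
        byte[] key = Files.readAllBytes(Paths.get(System.getProperty(KEY_FILE_PROPERTY)));
        byte[] blob = Base64.getDecoder().decode(base64);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return new String(cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES), StandardCharsets.UTF_8);
    }
}
```

Package the class in a jar in Tomcat's common lib directory and point the Resource at it with factory="example.tomcat.EncryptedPasswordDataSourceFactory"; the password value is produced once with the same key and layout (random 12-byte IV prepended, base64 encoded).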


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
