tomcat-users mailing list archives

From "Raghupathy, Gurumoorthy" <Gurumoorthy.Raghupa...@nielsen.com>
Subject RE: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 15:15:54 GMT
Hi,

If you want to do something like that, you can then extend
"org.apache.commons.dbcp.BasicDataSourceFactory" to encrypt/decrypt
the password...

And put it in a package jar and put it in common lib and set up the
datasource as described in JNDI datasource .....

Not an easy solution but can be achieved :)


Regards
Guru 	

-----Original Message-----
From: Darren [mailto:darrenslists@googlemail.com] 
Sent: 01 May 2007 16:10
To: Tomcat Users List
Subject: Re: Encrypting passwords in the connection pool setup

> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?

You've not thought this through.  Tomcat needs to decrypt or somehow  
have the credentials in cleartext so it can pass them to the database  
to establish a connection (MD5 is one way).  If it were possible to  
create the connection with an encrypted password, it would be just as  
sensitive as the unencrypted version.


>> Also, the encryption doesn't have to be foolproof, it just needs
>> to be a deterrent.  For the most part it is the people with shell
>> access that I want to remove the ability to read the passwords
>> from.  Sometimes security through obscurity is enough.

How would this work?  Something like

<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource"
               driverClassName="com.mysql.jdbc.Driver"
               username="user" obfuscated="true" password="sh7dhkaDaS"
               url="jdbc:mysql://localhost:3306/appraisal?autoReconnect=true" />

If so, how do you propose to generate the obfuscated password?  Maybe
a utility app that ships with the Tomcat distribution?  If so, a
de-obfuscator would appear somewhere on the internet in a very short
space of time.

Don't get me wrong, I'd like to see something done which could
improve on the current cleartext situation, but I can't think of a
sensible solution that would warrant a developer's time.

Darren


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

