tomcat-users mailing list archives

From "Martin Dubuc" <martind1...@gmail.com>
Subject Re: Encrypting passwords in the connection pool setup
Date Tue, 01 May 2007 14:52:48 GMT
Mark,

I also don't feel quite at ease to see passwords in clear text in the
server.xml file. True, if the protection on that file is set up
properly, there shouldn't be much issue. But it strikes me that Tomcat
is the only application I know where passwords are stored in clear
text. Why wouldn't we at least store the MD5 hash of the passwords
instead of the password in clear text, or use a scheme similar to the
Unix /etc/passwd file? I do agree with Richard that there is more to
it than protecting from hackers. Enforcing the responsibilities
between different roles is also very important.

Martin

On 5/1/07, Richard DeGrande <RDegrand@co.jefferson.co.us> wrote:
> Mark,
>
> The ability to store encrypted passwords doesn't necessarily have to be used to protect
> the system from hackers.  This would be a GREAT feature to enforce the responsibilities between
> different roles in a development environment.  Also, the encryption doesn't have to be
> foolproof, it just needs to be a deterrent.  For the most part it is the people with shell access
> that I want to remove the ability to read the passwords from.  Sometimes security through
> obscurity is enough.
>
> >>> Mark Thomas <markt@apache.org> 4/30/2007 5:30 PM >>>
> Kelly J Flowers wrote:
> > I'm using Tomcat 5.5 to run a web application.  I have the connection pools
> > set up and working in the context.xml but the password is in plain text.
> > Does anyone know of a way to encrypt the password and username to the
> > database?
>
> This is nearly always pointless. A couple of points to consider:
> 1. If the password is encrypted, where do you store the decryption key?
> 2. If an attacker can read the context.xml file they probably have
> shell access to your box. In this case you have bigger problems.
>
> Mark
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

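Both Martin and Mark hinge their argument on the same practical check: a plaintext credential in server.xml or context.xml is only as protected as the file itself, and whoever can read the file can read the password. The script below is an added example, not code from this thread or from the Tomcat project. It writes a constructed context.xml containing a Resource element like the one Kelly describes, flags the file if it holds a non-empty password attribute, and reports any permission bits that let users other than the owner read or modify it. The file name and the datasource attributes are assumptions for illustration only.

```python
import os
import re
import stat
import tempfile

# Constructed sample of a Tomcat context.xml with a pooled datasource. The
# resource name, URL and credential values are made up for this example.
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/ExampleDB" auth="Container"
            type="javax.sql.DataSource"
            username="appuser" password="example-plaintext-secret"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.invalid:5432/example"/>
</Context>
"""

# Pattern for a password="..." attribute with a non-empty value.
PASSWORD_ATTR = re.compile(r'password\s*=\s*"[^"]+"', re.IGNORECASE)


def write_sample(mode):
    """Write the constructed context.xml to a temp file with the given mode.
    Returns the path so the checks below can run against a real file."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_CONTEXT_XML)
    os.chmod(path, mode)
    return path


def contains_plaintext_password(path):
    """True if the XML carries a non-empty password attribute."""
    with open(path, "r", encoding="utf-8") as f:
        return PASSWORD_ATTR.search(f.read()) is not None


def check_config_file(path, allowed_owner_uid=None):
    """Return a list of findings describing who, besides the owner, can read or
    change the file. An empty list means only the owner has access, which is
    the 'protection set up properly' that the thread assumes."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if allowed_owner_uid is not None and st.st_uid != allowed_owner_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    return findings


def owner_uid(path):
    """Numeric uid of the file's owner, for comparison with the service account."""
    return os.stat(path).st_uid


def audit(path, allowed_owner_uid=None):
    """Combine both checks: a dict with the credential flag and the permission findings."""
    return {
        "plaintext_password": contains_plaintext_password(path),
        "findings": check_config_file(path, allowed_owner_uid),
    }


if __name__ == "__main__":
    # A file left at 0644 exposes the credential to every local account;
    # the same file at 0600 limits it to the owner (typically the tomcat user).
    for mode in (0o644, 0o600):
        p = write_sample(mode)
        print("%o -> %s" % (mode, audit(p, allowed_owner_uid=owner_uid(p))))
        os.unlink(p)
```

Run against the real conf/server.xml, conf/context.xml and any per-application META-INF/context.xml, passing the uid of the account Tomcat runs as; anything other than an empty findings list means a local account beyond that one can recover the datasource password, which is exactly the shell-access case Mark raises.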