tomcat-users mailing list archives

From Peter Crowther <Peter.Crowt...@melandra.com>
Subject RE: Password Input on Tomcat Startup
Date Fri, 08 Feb 2008 10:37:46 GMT
> From: Jan Mönnich [mailto:moennich@dfn-cert.de]
> we have a very sensitive webapp that requires the input of a password
> when the tomcat server starts. We don't want to store this password
> in a file. One way we've already tested could be the use of a JDialog
> with a JPasswordField that is shown in the init() method of a servlet
> (<load-on-startup>1). Unfortunately this requires our server to run
> X11... :-(
>
> Is there any (hidden) way to input this password on the terminal
> tomcat was started from?

Assuming all communication is via HTTPS, an alternative goes roughly as follows:

- Pull any initialisation out of the servlet's init(), leaving just a boolean as to whether
the password's been entered or not;

- Modify the servlet to serve a please-enter-the-password page at a particular URL;

- When the user enters the password, run any init code;

- Refuse to serve any other pages until the password has been entered.

This uses Tomcat's normal interface - HTTP - to your advantage, and probably maintains security
to the level you need - you'll have to evaluate that.  Depends how much control you have over
the webapp, though.

                - Peter
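
The steps above, sketched as a servlet filter. This is an added example, not code from the original message. It assumes the password protects a Java keystore, so that a wrong password makes the deferred init fail; `UnlockFilter`, the `/unlock` URL, the `password` form field and the `keystorePath` init-param are hypothetical names, and it uses the `javax.servlet` API of Tomcat versions from that period.

```java
import java.io.*;
import java.security.KeyStore;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: gate every request until an operator has unlocked the webapp.
// UnlockFilter, /unlock and the "keystorePath" init-param are hypothetical names.
public class UnlockFilter implements Filter {
    private static final String UNLOCK_PATH = "/unlock";
    private volatile KeyStore keys;   // null until the password has been accepted
    private String keystorePath;

    // Startup reads only a file location, never the secret itself.
    public void init(FilterConfig cfg) { keystorePath = cfg.getInitParameter("keystorePath"); }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (keys != null) { chain.doFilter(rq, rs); return; }    // unlocked: normal service
        if (!req.isSecure()) {                                   // password must only travel over HTTPS
            res.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        boolean unlockUrl = UNLOCK_PATH.equals(req.getServletPath());
        if (unlockUrl && "POST".equals(req.getMethod()) && tryUnlock(req.getParameter("password"))) {
            res.sendRedirect(req.getContextPath() + "/"); return;
        }
        if (unlockUrl) {                                         // the please-enter-the-password page
            res.setContentType("text/html");
            res.getWriter().print("<form method='post'><input type='password' name='password'>"
                    + "<input type='submit' value='Unlock'></form>");
            return;
        }
        res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); // refuse every other page
    }

    // Runs the deferred init code once; KeyStore.load throws if the password is wrong.
    private synchronized boolean tryUnlock(String password) {
        if (keys != null) return true;
        if (password == null) return false;
        try (InputStream in = new FileInputStream(keystorePath)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password.toCharArray());
            keys = ks;
            return true;
        } catch (Exception e) {
            return false;   // stay locked; the password is never logged
        }
    }

    public void destroy() { keys = null; }
}
```

The filter would be mapped to `/*` in `web.xml` so nothing is served before the unlock. It does not throttle repeated unlock attempts; that would need to be added or handled in front of Tomcat.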


