tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: RES: Once again, clear text passwords in context.xml files
Date Wed, 14 May 2008 14:11:57 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcus,

Milanez, Marcus wrote:
| Filip Hanik wrote:
|> if someone gets onto your machine as an super user, you have bigger
|> problem than the password being in clear text
|
| That is the answer everyone gives in tomcat forums all over the
| internet, so it seems to me that no possible solution is available.

Possible solutions exist... it's just that nobody on the Tomcat team has
implemented any of those solutions in the main code base. You are free
to write your own classes that plug-into Tomcat to read, say, a
3DES-encrypted password with a known passphrase (which must be in the
clear, by the way) and use that for your database connections. You could
also use no password, in which case there's no sensitive information in
the context.xml file ;)

| On the other hand, is it right to stay behind a possible security
| fault (malicious super user performing login) in order to say I'll
| not correct known security issues in my application?

The admin needs to have the password somehow. Or, the password to the
password. Or, the password to the password to the ...

| The thing is I'm not responsible for the servers but the ones who
| are, keep arguing that this is a critical security problem. Are they
| seeing a big problem in a small one?

If your admins see this as a critical security problem, tell them to go
out and find another Java application server that doesn't have the same
issue.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgq8y0ACgkQ9CaO5/Lv0PCYfQCeMsFlR3jWFWANiZYnN3n4YEIQ
uVcAn1vwQ1kWLjrs+Kx89R3HAKI0EU9/
=p7eQ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message