tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin Williams" <ke...@netkev.com>
Subject Re: Once again, clear text passwords in context.xml files
Date Tue, 13 May 2008 17:35:50 GMT
How about hashing the passwords with a known forumla and storing them
in this intermediate format.  App would need to hash the user input
and compare.  This might give ur security czars a warmer feeling and
get them off ur back.

-Kevin



On 5/13/08, Milanez, Marcus <Marcus.Milanez@diebold.com> wrote:
> Filip thanks for your reply,
>
> >> 1. make sure tomcat runs as an account that can't login
> Right, that is done
>
> >> 2. make any file that contains secure information readonly, and readable
> only by the tomcat user
> Done too
>
>
> >> if someone gets onto your machine as an super user, you have bigger
> problem than the password being in clear text
>
> That is the answer everyone gives in tomcat forums all over the internet, so
> it seems to me that no possible solution is available. On the other hand, is
> it right to stay behind a possible security fault (malicious super user
> performing login) in order to say I'll not correct known security issues in
> my application? The thing is I'm not responsible for the servers but the
> ones who are, keep arguing that this is a crictical security problem. Are
> they seeing a big problem in a small one?
>
> Thanks a lot!
>
> Marcus
>
>
>
>
> -----Mensagem original-----
> De: Filip Hanik - Dev Lists [mailto:devlists@hanik.com]
> Enviada em: terça-feira, 13 de maio de 2008 12:37
> Para: Tomcat Users List
> Assunto: Re: Once again, clear text passwords in context.xml files
>
> it's a wasted effort, the one way it could be truly secure, was if tomcat
> asked you for a key upon startup. this wouldn't work very well in a 1000
> tomcat instance server farm.
>
> any other effort simply masks the problem, letting you think it is secure,
> when it isn't.
>
> what you should do is this
> 1. make sure tomcat runs as an account that can't login 2. make any file
> that contains secure information readonly, and readable only by the tomcat
> user
>
> if someone gets onto your machine as an super user, you have bigger problem
> than the password being in clear text
>
> Filip
>
> Milanez, Marcus wrote:
> > Hello everyove,
> >
> > We were asked to eliminate clear text passwords associated to database
> > pooled connections in context.xml files... I know it has been
> > discussed a lot, but I would like to ask once again whether someone
> > has a simple, clean solution for that. We are using Windows server and MS
> SQL 2005.
> > One of the options I came across is to use Windows Integratd
> > authentication instead of database users. Is there any other ideas to
> > overcome this situation?
> >
> > Thanks a lot,
> >
> > Marcus Milanez
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
> > e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> >
> >
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
> e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


-- 
-Kevin
---------
If you forward this e-mail to someone else, please remove my e-mail
address to help me prevent spam.  Thanks!

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message