From: "Kevin Williams"
To: "Tomcat Users List" <users@tomcat.apache.org>
Date: Tue, 13 May 2008 10:35:50 -0700
Subject: Re: Once again, clear text passwords in context.xml files
Message-ID: <8ac337d10805131035i4a51885au43f4b84fa99b9dad@mail.gmail.com>
How about hashing the passwords with a known formula and storing them in this intermediate format. App would need to hash the user input and compare. This might give your security czars a warmer feeling and get them off your back.

-Kevin

On 5/13/08, Milanez, Marcus wrote:
> Filip, thanks for your reply,
>
>> 1. make sure tomcat runs as an account that can't login
> Right, that is done
>
>> 2. make any file that contains secure information readonly, and readable only by the tomcat user
> Done too
>
>> if someone gets onto your machine as a super user, you have a bigger problem than the password being in clear text
>
> That is the answer everyone gives in tomcat forums all over the internet, so it seems to me that no possible solution is available. On the other hand, is it right to stay behind a possible security fault (malicious super user performing login) in order to say I'll not correct known security issues in my application? The thing is I'm not responsible for the servers, but the ones who are keep arguing that this is a critical security problem. Are they seeing a big problem in a small one?
>
> Thanks a lot!
>
> Marcus
>
> -----Original Message-----
> From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com]
> Sent: Tuesday, 13 May 2008 12:37
> To: Tomcat Users List
> Subject: Re: Once again, clear text passwords in context.xml files
>
> it's a wasted effort, the one way it could be truly secure, was if tomcat asked you for a key upon startup. this wouldn't work very well in a 1000 tomcat instance server farm.
>
> any other effort simply masks the problem, letting you think it is secure, when it isn't.
>
> what you should do is this
> 1. make sure tomcat runs as an account that can't login
> 2. make any file that contains secure information readonly, and readable only by the tomcat user
>
> if someone gets onto your machine as a super user, you have a bigger problem than the password being in clear text
>
> Filip
>
> Milanez, Marcus wrote:
> > Hello everyone,
> >
> > We were asked to eliminate clear text passwords associated with database pooled connections in context.xml files... I know it has been discussed a lot, but I would like to ask once again whether someone has a simple, clean solution for that. We are using Windows Server and MS SQL 2005.
> > One of the options I came across is to use Windows Integrated authentication instead of database users. Are there any other ideas to overcome this situation?
> >
> > Thanks a lot,
> >
> > Marcus Milanez
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org

-- 
-Kevin
---------
If you forward this e-mail to someone else, please remove my e-mail address to help me prevent spam. Thanks!
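The two hardening steps Filip lists in the thread (run Tomcat under an account that cannot log in, and make any file holding a secret read-only and readable only by that account) are easy to state and easy to get wrong, so they are worth checking mechanically. The POSIX shell script below is an added example, not code from the thread or from the Tomcat project: it writes a constructed context.xml with a placeholder password into a temporary directory, applies owner-only permissions, and audits the result. The service account name `tomcat`, the JDBC resource values and all paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat itself: audit and apply
# owner-only permissions on a config file that carries a database password.
# The service account name "tomcat" and all paths are constructed for the demo.

# Returns 0 when the file exists and its mode grants no permission bits at all
# to group or other (e.g. -r-------- or -rw-------), 1 otherwise.
# Parses the first field of POSIX `ls -ld`, so it works on any Unix.
secret_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    case $group_other in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Step 2 from the thread: make the file read-only and readable only by its
# owner. The owner should be the Tomcat service account (assumed to be named
# "tomcat"); changing ownership needs root, so the chown only runs when both
# that account exists and the script is running as root.
harden_secret_file() {
    f=$1
    if id tomcat >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        chown tomcat "$f" || return 1
    fi
    chmod 400 "$f" || return 1
    secret_file_is_private "$f"
}

# Demo: a constructed context.xml in a temp directory, first world-readable
# (the common mistake), then hardened and re-audited.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/context.xml"
    printf '%s\n' \
        '<Context>' \
        '  <Resource name="jdbc/appdb" auth="Container" type="javax.sql.DataSource"' \
        '            username="appuser" password="PLACEHOLDER_NOT_A_REAL_PASSWORD"' \
        '            url="jdbc:sqlserver://db.example.invalid:1433;databaseName=appdb"/>' \
        '</Context>' > "$f"
    chmod 644 "$f"
    if secret_file_is_private "$f"; then
        echo "before: unexpectedly private"
    else
        echo "before: $(ls -ld "$f" | cut -c1-10)  readable by group/other: FAIL"
    fi
    harden_secret_file "$f" || { rm -rf "$dir"; return 1; }
    echo "after:  $(ls -ld "$f" | cut -c1-10)  owner-only: OK"
    rm -rf "$dir"
}

demo
```

On the Windows Server setup Marcus describes, the same idea is expressed as an NTFS ACL on context.xml granting read access only to the Tomcat service account (and administrators), rather than as a Unix mode; the audit logic is the same: anything beyond the service account with read access is a finding. Neither step changes the fact that the password is in clear text on disk, which is Filip's point; they only narrow who can read it.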