tomcat-users mailing list archives

From Simon Funnell <simon.funn...@propositum.biz>
Subject Re: How to protect the plain text username and password in the server.xml
Date Fri, 29 Oct 2010 10:09:45 GMT
It is possible to define the element as an entity in server.xml:

<!ENTITY secure_resource SYSTEM "http://somewhere.com/resource.xml">

and then replace the Resource element with the entity:

&secure_resource;

Because the entity resolves to an external source, this source can be
generated dynamically, by a script for example.

This script could potentially be limited in execution to the tomcat
user/instance.

Other users who can possibly read the script that generates the
username/password, but not execute it, cannot get the username/password.

Regards,

Simon

On 29/10/10 10:19, 彬 乔 wrote:
> Dears,
>
> We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it is a financial
> system. An internal audit indicated that we should not use plain text username and password
> in the server.xml, as:
>
> <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource"
>     username="user"
>     password="password"
>     ...
> />
>
> Is there a way to use encrypted username and password in the server.xml file? Or, use
> the username and password as parameters of the startup command, instead of leaving them as
> plain text in the server.xml?
>
> Thanks,
>
> Roy Qiao
>
>
>       
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>   
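
The layout described in the reply above, as an added example that is not part of the original message or of Tomcat's own files: the entity is declared in a DOCTYPE internal subset at the top of server.xml and referenced where the Resource element used to be. The file: path, the placement under GlobalNamingResources and the suggested file permissions are assumptions; the reply itself uses an http: URL.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- server.xml (constructed example; the path below is a placeholder) -->
<!DOCTYPE Server [
  <!-- External entity: the XML parser fetches this source each time
       server.xml is read, so the credentials no longer sit in this file. -->
  <!ENTITY secure_resource SYSTEM "file:///path/to/private/resource.xml">
]>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Expands to the Resource element held in the external source. -->
    &secure_resource;
  </GlobalNamingResources>
  <!-- Service, Connector and Engine elements stay as they were. -->
</Server>

<!-- resource.xml (separate file; assumed to be owned by the account that
     runs Tomcat and readable by that account only, for example mode 600).
     Remaining DataSource attributes from the original element go here too. -->
<Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource"
          username="user"
          password="password"/>
```

The credentials are still stored or produced in clear text at the entity's source, so access control on that source is what carries the protection.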

