tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: How to protect the plain text username and password in the server.xml
Date Fri, 29 Oct 2010 10:18:37 GMT
On 29/10/2010 10:19, 彬 乔 wrote:
> Dears,
> 
> We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it is a financial
> system. An internal audit indicated that we should not use plain text username and password
> in the server.xml, as:
> 
> <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource"
>     username="user"
>     password="password"
>     ...
> />
> 
> Is there a way to use encrypted username and password in the server.xml file? Or, use
> the username and password as parameters of the startup command, instead of leaving them as
> plain text in the server.xml?

Just set the permissions of the file to be read-only for the user that
runs Tomcat, and restrict access to that user.

  chmod 600 server.xml

If the user (say 'tomcat') doesn't have a login shell, then only root
will be able to read that file.

Encrypting passwords in server.xml is largely a waste of time.


p
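
An audit check for the file permissions recommended in the reply above, as an added example that is not part of the original message. It assumes GNU stat (as shipped on RHEL); the function names check_conf_perms and has_login_shell are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a config file holding credentials is readable
# only by its owning service account. Assumes GNU stat (coreutils).

# check_conf_perms FILE OWNER
# Returns 0 when FILE is owned by OWNER and carries no group/other bits,
# 1 when a check fails, 2 when FILE cannot be inspected.
check_conf_perms() {
    file=$1
    want_owner=$2

    [ -f "$file" ] || { echo "FAIL: $file is not a regular file" >&2; return 2; }

    owner=$(stat -c %U "$file") || return 2
    mode=$(stat -c %a "$file") || return 2   # octal digits, e.g. 600

    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file owned by $owner, expected $want_owner" >&2
        rc=1
    fi
    # Mask off the group and other permission bits; any bit set is a finding.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file mode $mode grants group/other access" >&2
        rc=1
    fi
    return $rc
}

# has_login_shell PASSWD_LINE
# Takes one passwd(5) entry (for example the output of: getent passwd tomcat)
# and returns 0 if the account's shell field permits an interactive login.
# An empty shell field counts as a login shell, since it defaults to /bin/sh.
has_login_shell() {
    shell=${1##*:}
    case $shell in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}
```

Typical use is `check_conf_perms "$CATALINA_BASE/conf/server.xml" tomcat`, with the account name replaced by whichever user runs Tomcat on the host.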
