tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: running tomcat6 under a different user than root (debian)
Date Mon, 01 Nov 2010 14:38:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 10/29/2010 10:04 AM, Mark Thomas wrote:
> On 29/10/2010 14:53, Ronald Klop wrote:
>> If you have a webapp where users log in you can use there login/password
>> to login on the database. A little bit inconvenient for the DBA but you
>> don't have passwords on your servers.
> 
> It isn't quite that clear cut. There are some trade-offs to make with
> this approach (and I'm not sure I like them).
> 
> 1. The user's password has to be available in plain text. That prevents
> you from storing digested passwords in the realm.

This can be avoided by using a random key created during webapp startup
(and persisted across re-deploys, but not undeploy/deploy) to encrypt
all the passwords during runtime. That key might still be discoverable
using the techniques you've already described (reflection, etc.).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzO0MsACgkQ9CaO5/Lv0PAcqACgvWB5P4lsdOlIGwN8t4fY+S93
TgEAn2109aeRK0pGMAarSECByf1IiHS5
=101I
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message