tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [OT] Memory Leak in Tomcat
Date Thu, 24 Feb 2011 09:42:52 GMT
Jeffrey Janner wrote:
> Not sure exactly what Windows does once you've entered a verified user/pw combination
for a service.  I'm guessing that it stores the password somehow, because if you change the
password, the service won't start next time.

It is stored in whatever format, encrypted or not or hashed or not, in whatever store the

Domain Controller uses to store user credentials.
It doesn't matter.
NTLM authentication afterward works using "tokens" which somehow encode the information 
needed by a server to verify that the client is who it says it is, and the server is who 
it says it is.
The point is that the password is not stored in clear on the client, when "client" means 
whatever host is trying to authenticate itself.  It is of coursee fleetingly in memory at

some point, to construct the authentication tokens, but is not kept. Only the token is kept.

> However, this is a "nice" (?) feature of using SQL Server.  Already validated user credentials
can be passed by the OS to SQL Server to be validated for database logon.  It's their version
of SSO for the database. (Note: I don't find it an overwhelming advantage for determining
to use that specific database software.)

No it isn't, not in this case.

in the current scenario, the "user" for which there is SSO is the user-id under which the

Tomcat process itself is running.  It is /not/ the users which connect to Tomcat and run 
the applications.
All these users connect to Tomcat, and are or not authenticated using whatever method 
Tomcat implements.
But then, the credentials used to connect to the database are the credentials of the 
Tomcat process, not the ones of the users.
That is why is was questioning how much in fact of a security this brings.
The problem is merely moved, to the level of how users authenticate with the Tomcat 
application. Once they have done that, they can access any information which is accessible

by this Tomcat user.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message