tomcat-users mailing list archives

From הילה <hilavalen...@gmail.com>
Subject Re: [OT] Memory Leak in Tomcat
Date Sun, 06 Mar 2011 09:49:59 GMT
Security seems to be always in the hands of the wrong people.

No need for insults here, this is a new requirement which I'm not familiar
with, and that's why I asked you guys.


Instead of the JTDS, can I use Tomcat SPNEGO?
Will it provide the same results as using a domain user for the Tomcat Windows
service, and removing the user and password from the XML configuration file under
conf/catalina/localhost?


Thanks
Hila

2011/3/2 Jorge Medina <cerebrotecnologico@gmail.com>

> I got a good laugh with your message.
>
> Security seems to be always in the hands of the wrong people.
>
> Once I asked for the algorithm used to hash the passwords (that
> happened to be HMAC SHA-1) into a database, if I was going to
> authenticate the users, I needed to use the same algorithm. I did not
> ask for the key used to salt the hash, I could put that as a parameter
> to be provided at install time and use any other key during
> development and testing. My request was rejected until authorized by a
> manager two levels up!  <sigh> (All I needed to know was "HMAC
> SHA-1"!)
>
>
>
>
> On Mon, Feb 28, 2011 at 11:02 AM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> >
> > הילה,
> >
> > On 2/28/2011 5:17 AM, הילה wrote:
> >> How can I encrypt the password inside the xml file?
> >
> > 0. $file = conf/server.xml
> > 1. Use your favorite encryption tool to encrypt the password and shove
> >   it into $file
> > 2. Use that same tool in some code you hack-into Tomcat to read it
> >   back out.
> > 3. Store the key to your favorite-tool encryption package in another
> >   file (say, s3cr3t.key)
> > 4. $file = s3cr3t.key
> > 5. Go to step 1.
> >
> > Repeat this process until you feel like you're safe. (Hint: you are
> > still not safe). Scratch that: repeat this process until your boss or
> > your auditor feel like they are safe.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>
>
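
The loop in the quoted steps 0 to 5, as an added example that is not part of the thread or of Tomcat: AES-GCM stands in for the "favorite encryption tool", and the config file name, class name and sample password are constructed (only `s3cr3t.key` comes from the message). It shows that the decryption the server must perform at startup is available to anything that can read both files.

```java
// Added illustration, not code from the thread or from Tomcat.
// Assumptions: AES-GCM as the cipher; db-password.enc and the password are constructed.
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;

public class EncryptedConfigDemo {
    static byte[] gcm(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    // Steps 1 and 3: ciphertext goes into the config file, the key into a second file.
    static void protect(Path conf, Path keyFile, String password) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16], iv = new byte[12];
        rng.nextBytes(key);
        rng.nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv, password.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        Files.writeString(conf, b64.encodeToString(iv) + ":" + b64.encodeToString(ct));
        Files.writeString(keyFile, b64.encodeToString(key));
    }

    // Step 2: what the server has to do at startup. It needs nothing but read
    // access to both files, so the key file is now the secret to protect (step 4).
    static String recover(Path conf, Path keyFile) throws Exception {
        Base64.Decoder b64 = Base64.getDecoder();
        String[] parts = Files.readString(conf).split(":");
        byte[] key = b64.decode(Files.readString(keyFile));
        byte[] pt = gcm(Cipher.DECRYPT_MODE, key, b64.decode(parts[0]), b64.decode(parts[1]));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("demo");
        Path conf = dir.resolve("db-password.enc"), keyFile = dir.resolve("s3cr3t.key");
        protect(conf, keyFile, "constructed-sample-password");
        // Any process running under the same OS account can make the same call.
        System.out.println("recovered: " + recover(conf, keyFile));
    }
}
```

The effective control in this layout is the file permissions on `s3cr3t.key`, which could have been applied to the original configuration file directly; the domain-user approach asked about at the top of the message removes the stored password instead of wrapping it.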
