tomcat-users mailing list archives

From Jorge Medina <cerebrotecnolog...@gmail.com>
Subject Re: [OT] Memory Leak in Tomcat
Date Wed, 02 Mar 2011 03:07:04 GMT
I got a good laugh with your message.

Security seems to be always in the hands of the wrong people.

Once I asked for the algorithm used to hash the passwords (which
happened to be HMAC-SHA-1) into a database; if I was going to
authenticate the users, I needed to use the same algorithm. I did not
ask for the key used to salt the hash; I could put that in as a
parameter to be provided at install time and use any other key during
development and testing. My request was rejected until it was
authorized by a manager two levels up!  <sigh> (All I needed to know
was "HMAC-SHA-1"!)
On Mon, Feb 28, 2011 at 11:02 AM, Christopher Schultz
<chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> הילה,
>
> On 2/28/2011 5:17 AM, הילה wrote:
>> How can I encrypt the password inside the xml file?
>
> 0. $file = conf/server.xml
> 1. Use your favorite encryption tool to encrypt the password and shove
>   it into $file
> 2. Use that same tool in some code you hack-into Tomcat to read it
>   back out.
> 3. Store the key to your favorite-tool encryption package in another
>   file (say, s3cr3t.key)
> 4. $file = s3cr3t.key
> 5. Go to step 1.
>
> Repeat this process until you feel like you're safe. (Hint: you are
> still not safe). Scratch that: repeat this process until your boss or
> your auditor feel like they are safe.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1rxwwACgkQ9CaO5/Lv0PCtGQCgtxVxV9+N0AvRuYw0U6mi9ki1
> ikgAn1xQNqRRtSKby531xKRHizxzEFwD
> =uuFd
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
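The arrangement Jorge describes in his first paragraph, as an added example that is not code from this thread: the algorithm (HMAC-SHA-1) is fixed in the code and is not a secret, the key is the only secret and is handed over at install time, and development runs with a throwaway key. The class name, the PASSWORD_HMAC_KEY environment variable and the base64 column encoding are my own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/*
 * Hypothetical verifier for a user table whose password column holds
 * base64(HMAC-SHA-1(key, password)). The algorithm name is public and
 * fixed here; the key is the only secret and comes from the install.
 */
public final class HmacPasswordVerifier {

    private static final String ALGORITHM = "HmacSHA1";
    private final SecretKeySpec key;

    public HmacPasswordVerifier(byte[] key) {
        this.key = new SecretKeySpec(key, ALGORITHM);
    }

    // Install-time parameter: read from the environment (assumed variable name).
    public static HmacPasswordVerifier fromEnvironment() {
        String k = System.getenv("PASSWORD_HMAC_KEY");
        if (k == null || k.isEmpty()) {
            throw new IllegalStateException("PASSWORD_HMAC_KEY not set");
        }
        return new HmacPasswordVerifier(Base64.getDecoder().decode(k));
    }

    // What the stored column holds for this password under this key.
    public String hash(String password) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(key);
            byte[] tag = mac.doFinal(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Recompute with the same algorithm and key, then compare in constant time.
    public boolean verify(String password, String storedBase64) {
        byte[] expected;
        try {
            expected = Base64.getDecoder().decode(storedBase64);
        } catch (IllegalArgumentException e) {
            return false; // malformed column value, never a match
        }
        byte[] actual = Base64.getDecoder().decode(hash(password));
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Constructed sample: a development-only key, never the production one.
        HmacPasswordVerifier dev = new HmacPasswordVerifier(
                "development-only-key".getBytes(StandardCharsets.UTF_8));
        String stored = dev.hash("correct horse battery staple");

        // Same algorithm, same key: the row verifies; a wrong password does not.
        System.out.println("dev key, right password: "
                + dev.verify("correct horse battery staple", stored));
        System.out.println("dev key, wrong password: "
                + dev.verify("Tr0ub4dor&3", stored));

        // Same algorithm, different key: nothing hashed under the dev key verifies,
        // which is why knowing "HMAC-SHA-1" alone gives away nothing.
        HmacPasswordVerifier other = new HmacPasswordVerifier(
                "some-other-install-key".getBytes(StandardCharsets.UTF_8));
        System.out.println("other key, right password: "
                + other.verify("correct horse battery staple", stored));
    }
}
```

Two caveats a practitioner would add: the key protects the column only while it stays out of the attacker's hands, and an HMAC over a fast hash with no per-user salt means identical passwords produce identical rows and, once the key leaks, offline guessing runs at SHA-1 speed. Neither changes the point of the story, which is that the algorithm name is not the secret.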

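Steps 0 to 4 of Chris's reply, taken literally, as an added example that is not code from this thread or from Tomcat itself. It assumes Tomcat's PROPERTY_SOURCE hook: the Digester resolves ${...} references in server.xml through a class named by the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property, which must implement org.apache.tomcat.util.IntrospectionUtils.PropertySource. The class name EncryptedPropertySource, the enc: prefix, the conf/s3cr3t.key location (one base64 line holding a 16-, 24- or 32-byte AES key) and the iv || ciphertext || tag layout are my own choices for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

/*
 * Hypothetical class, wired in with
 *   -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=EncryptedPropertySource
 * so that the Digester asks it to resolve ${...} while parsing conf/server.xml.
 * A password attribute in server.xml then reads
 *   password="${enc:<base64 of iv || ciphertext || tag>}"
 * and is replaced by the plaintext before the Resource or Realm object sees it.
 */
public class EncryptedPropertySource implements IntrospectionUtils.PropertySource {

    private static final String PREFIX = "enc:";
    // Step 3: the key sits in another file (assumed location, base64 on one line).
    private static final String KEY_FILE =
            System.getProperty("catalina.base", ".") + "/conf/s3cr3t.key";

    private final byte[] key;

    // Tomcat instantiates this via reflection, so it needs a public no-arg constructor.
    public EncryptedPropertySource() {
        try {
            // Step 4: the key file is readable by the same OS user as server.xml,
            // so anyone who can read one can read the other.
            String line = Files.readAllLines(Paths.get(KEY_FILE)).get(0).trim();
            key = Base64.getDecoder().decode(line);
        } catch (Exception e) {
            throw new IllegalStateException("cannot read " + KEY_FILE, e);
        }
    }

    // Step 2: called by Tomcat with the text between ${ and }.
    @Override
    public String getProperty(String name) {
        if (name == null || !name.startsWith(PREFIX)) {
            return null; // not one of ours; leave it to the other lookups
        }
        try {
            byte[] blob = Base64.getDecoder().decode(name.substring(PREFIX.length()));
            byte[] iv = Arrays.copyOfRange(blob, 0, 12);
            byte[] ct = Arrays.copyOfRange(blob, 12, blob.length); // ciphertext || 16-byte tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(128, iv));
            return new String(c.doFinal(ct), StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Fail closed: a tampered or mis-keyed value must not silently become a password.
            throw new IllegalStateException("cannot decrypt " + PREFIX + "... property", e);
        }
    }

    // Step 1: the "favorite encryption tool" that produced the value pasted into server.xml.
    public static String encrypt(byte[] key, String plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return "${" + PREFIX + Base64.getEncoder().encodeToString(blob) + "}";
    }

    // Usage: java -cp tomcat-util.jar:. EncryptedPropertySource <base64 key> <password>
    public static void main(String[] args) throws Exception {
        System.out.println(encrypt(Base64.getDecoder().decode(args[0]), args[1]));
    }
}
```

The reply's step 5 is the part to notice: the decrypting class, the ciphertext in server.xml and conf/s3cr3t.key are all readable by the OS user Tomcat runs as, so anyone who can read files as that user recovers the password exactly as they would from a plaintext server.xml. Encrypting s3cr3t.key with a second key only moves the same problem to the next file. What this buys is a defence against someone who can read server.xml but not the key file, which file permissions on server.xml alone would also have given you.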