tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Number of logs files and encrypt manager passwd
Date Mon, 15 Jul 2013 15:35:15 GMT
Spencer Lamont R CONTR USSTRATCOM/J646 wrote:
> Dan:
> 
> 1. 7.0.14
> 2. attachment.
> 3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

You realise that this is somewhat ridiculous, I suppose?
What these instructions make you do is replace one plain-text password in the file by 
another plain-text password.  That the 2nd password happens to be the result of hashing the
first one does not change that.
Anyone getting access to the tomcat-users.xml file can now use the password that is in 
there to log in as manager.

Of course, the key here is "Anyone getting access to the tomcat-users.xml file". That is 
what you should protect.  If any unauthorised person can get access to any of your 
server's configuration files, you are in deep trouble anyway.

> 
> THX.
> 
> -----Original Message-----
> From: Daniel Mikusa [mailto:dmikusa@gopivotal.com] 
> Sent: Monday, July 15, 2013 9:31 AM
> To: Tomcat Users List
> Subject: Re: Number of logs files and encrypt manager passwd
> 
> On Jul 15, 2013, at 10:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646
> <lamont.r.spencer.ctr@stratcom.mil> wrote:
> 
>> To all: 
>>
>>   I am looking for the file in which to set the number of logs to keep.  
> 
> You can configure logging in "conf/logging.properties", however the default
> configuration does not offer a way to do what you are asking.  It simply
> creates a new log file every day.  You would need to manually clean them up
> with a cron job or scheduled task.
> 
> Alternatively, you could enable Log4j which automatically cleans up old
> files.
> 
>   https://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
> 
>> Also I tried to encrypt the manager password to the manager web page. I
>> did the steps with the realm and users file, but when I went to access the
>> page it would not work. When I put the unencrypted passwd back it works.
> 
> You're going to need to provide more information here.  Start by including
> this.
> 
> 1.) What version of Tomcat are you running?  Include the whole number, 6.0.x
> or 7.0.x.
> 
> 2.) How do you have your realm and users configured?  Please include the
> XML configuration, minus comments and any sensitive information.
> 
> 3.) Are you trying to use encryption or hashing?
> 
> Dan
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
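
The reply above says that access to the tomcat-users.xml file is what has to be protected. A permission audit for a Tomcat conf directory, as an added example that is not part of the original thread: the function names are hypothetical, the sample directory is constructed, and a conf/tomcat-users.xml layout owned by the account (or group) Tomcat runs as is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): find files in a Tomcat conf directory
# that other local accounts can read or change. Function names are hypothetical.

# Print every file that is world-readable, world-writable or group-writable,
# and every directory that is world- or group-writable (a writable directory
# lets someone replace tomcat-users.xml outright).
# Returns 0 when clean, 1 when something is loose, 2 on a bad argument.
audit_conf_perms() {
    conf_dir=$1
    [ -d "$conf_dir" ] || { echo "not a directory: $conf_dir" >&2; return 2; }
    findings=$(find "$conf_dir" \( \
        \( -type f \( -perm -004 -o -perm -002 -o -perm -020 \) \) -o \
        \( -type d \( -perm -002 -o -perm -020 \) \) \
    \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/LOOSE: /'
    return 1
}

# Remove group write and all access for "other"; ownership is left alone,
# so the owner and group must already be the ones Tomcat runs as (assumption).
harden_conf_perms() {
    conf_dir=$1
    [ -d "$conf_dir" ] || return 2
    chmod -R g-w,o-rwx "$conf_dir"
}

# Constructed sample: a throwaway conf directory with typical loose defaults.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/conf"
    printf '<tomcat-users/>\n' > "$tmp/conf/tomcat-users.xml"
    chmod 755 "$tmp/conf"
    chmod 644 "$tmp/conf/tomcat-users.xml"
    before=0; audit_conf_perms "$tmp/conf" || before=$?
    harden_conf_perms "$tmp/conf"
    after=0; audit_conf_perms "$tmp/conf" || after=$?
    echo "before=$before after=$after"
    rm -rf "$tmp"
}
```

Call `demo` to see the audit on the constructed directory, or point `audit_conf_perms` at a real conf directory.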

