tomcat-users mailing list archives

From Spencer Lamont R CONTR USSTRATCOM/J646 <lamont.r.spencer....@stratcom.mil>
Subject RE: Number of logs files and encrypt manager passwd
Date Mon, 15 Jul 2013 15:45:42 GMT
Suggestions

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, July 15, 2013 10:35 AM
To: Tomcat Users List
Subject: Re: Number of logs files and encrypt manager passwd

Spencer Lamont R CONTR USSTRATCOM/J646 wrote:
> Dan:
> 
>  1. 7.0.14
> 2. attachment.
> 3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

You realise that this is somewhat ridiculous, I suppose?
What these instructions make you do, is replace one plain-text password in
the file, by another plain-text password.  That the 2d password happens to
be the result of hashing the first one does not change that.
Anyone getting access to the tomcat-users.xml file, can now use the password
that is in there, to login as manager.

Of course, the key here is "Anyone getting access to the tomcat-users.xml
file". That is what you should protect.  If any unauthorised person can get
access to any of your server's configuration files, you are in deep trouble
anyway.

> 
> THX.
> 
> -----Original Message-----
> From: Daniel Mikusa [mailto:dmikusa@gopivotal.com]
> Sent: Monday, July 15, 2013 9:31 AM
> To: Tomcat Users List
> Subject: Re: Number of logs files and encrypt manager passwd
> 
> On Jul 15, 2013, at 10:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646 
> <lamont.r.spencer.ctr@stratcom.mil> wrote:
> 
>> To all: 
>>
>>   I am looking for the file in which to set the number of logs to keep.  
> 
> You can configure logging in "conf/logging.properties", however the 
> default configuration does not offer a way to do what you are asking.  
> It simply creates a new log file every day.  You would need to 
> manually clean them up with a cron job or scheduled task.
> 
> Alternatively, you could enable Log4j which automatically cleans up 
> old files.
> 
>   https://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
> 
>> Also I tried to encrypt the manager password to the manager web page. I
>> did the steps with the realm and users file, but when I went to access
>> the page it would not work. When I put the unencrypted passwd back it
>> works.
> 
> You're going to need to provide more information here.  Start by 
> including this.
> 
> 1.) What version of Tomcat are you running?  Include the whole number, 
> 6.0.x or 7.0.x.
> 
> 2.) How do you have your realm and users configured?  Please include 
> the XML configuration, minus comments and any sensitive information.
> 
> 3.) Are you trying to use encryption or hashing?
> 
> Dan
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
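
An added sketch, not code from the thread or from the Tomcat project, of the two housekeeping steps the replies above point to: a cron-callable cleanup of Tomcat's date-stamped log files, and a check that conf/tomcat-users.xml carries no group or other permission bits. The function names, the 30-day retention, the install path in the usage comment and the reliance on GNU find are assumptions.

```shell
#!/bin/sh
# Added example. Assumes GNU find (-perm /mode, -maxdepth, -delete) and the
# default Tomcat layout: <base>/conf/tomcat-users.xml and <base>/logs.

# Return 0 if the file has no group/other permission bits,
# 1 if any such bit is set, 2 if the file does not exist.
users_file_is_private() {
    file=$1
    [ -f "$file" ] || return 2
    # -perm /077 matches when at least one group or other bit is set.
    if [ -n "$(find "$file" -prune -perm /077)" ]; then
        return 1
    fi
    return 0
}

# Delete date-stamped logs (name.YYYY-MM-DD.log / .txt) in directory $1 that
# were last modified more than $2 days ago; print each removed path.
# catalina.out carries no date stamp and is deliberately left alone.
prune_tomcat_logs() {
    logdir=$1
    days=$2
    [ -d "$logdir" ] || return 2
    find "$logdir" -maxdepth 1 -type f \
        \( -name '*.[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].log' \
        -o -name '*.[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt' \) \
        -mtime +"$days" -print -delete
}

# Cron usage (hypothetical path): sh tomcat-housekeeping.sh /opt/tomcat
if [ "$#" -eq 1 ]; then
    users_file_is_private "$1/conf/tomcat-users.xml" ||
        echo "WARNING: $1/conf/tomcat-users.xml missing or not owner-only" >&2
    prune_tomcat_logs "$1/logs" 30
fi
```
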

