tomcat-users mailing list archives

From Арсений Зинченко <setev...@gmail.com>
Subject Re: ssl without keystorePass in open text in server.xml
Date Thu, 30 Jan 2014 10:11:07 GMT
Why are plain text passwords in the config files? Because there is no good
way to "secure" them. When Tomcat needs to connect to a database, it needs
the original password. While the password could be encoded, there still
needs to be a mechanism to decode it. And since the source to Tomcat is
freely available, the attacker would know the decoding method. So at best,
the password is obscured - but not really protected.

http://wiki.apache.org/tomcat/FAQ/Password


2014/1/30 Mark Thomas <markt@apache.org>

> On 30/01/2014 09:46, Ja kub wrote:
> > is it possible not to write keystorePass in open text server.xml, and make
> > tomcat to ask for it at startup ?
> > or specify only some hash of it (rather not possible) ?
>
> http://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
>
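
The reasoning in the message above, and why the "only some hash" idea from the original question cannot work, as an added Python example that is not part of the thread or of Tomcat's code. The toy keystore, the base64 "encoding" and the sample password are all constructed for illustration; the point is that the keystore opens only with the original password, so a hash is useless to the server and a reversible encoding is recoverable by anyone who has the decoder.

```python
import base64, hashlib, hmac

PASSWORD = "sample-keystore-pass"   # constructed value, not from the thread
SALT = b"constructed-salt"

def _key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

def _xor(data, key):
    # Toy keystream (SHA-256 in counter mode); illustration only.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_keystore(password, secret):
    """Toy stand-in for a password-protected keystore (not JKS/PKCS12)."""
    key = _key(password)
    ct = _xor(secret, key)
    return ct + hmac.new(key, ct, "sha256").digest()

def open_keystore(password, blob):
    """Return the secret, or None if the password is not the original."""
    key = _key(password)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return _xor(ct, key)

def encode_for_config(password):
    # Hypothetical "obscured" config value: reversible by design.
    return base64.b64encode(password.encode()).decode()

def decode_from_config(value):
    # The server must ship this step, so anyone with the source has it too.
    return base64.b64decode(value).decode()

def demo():
    blob = seal_keystore(PASSWORD, b"private key bytes")
    hashed = hashlib.sha256(PASSWORD.encode()).hexdigest()
    encoded = encode_for_config(PASSWORD)
    return {
        "hash_opens": open_keystore(hashed, blob) is not None,
        "encoded_opens": open_keystore(encoded, blob) is not None,
        "decoded_opens": open_keystore(decode_from_config(encoded), blob) is not None,
    }

if __name__ == "__main__":
    print(demo())
```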
