tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Getting application root path before servlet is initialized?
Date Fri, 24 Feb 2017 17:06:18 GMT

Martin,

On 2/22/17 5:19 AM, Martin Knoblauch wrote:
> On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <markt@apache.org> 
> wrote:
> 
>> On 21/02/2017 13:31, Martin Knoblauch wrote:
>>> Hi,
>>> 
>>> is there a way to find the absolute path of the application 
>>> root before the servlet is initialized?
>>> 
>>> Alternatively: is there a way to defer the initialization of a 
>>> datasource until the servlet is initialized?
>>> 
>>> Background: I have extended
>>> "org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>> to automatically set credentials so that they are not stored
>>> in the "Catalina/localhost/XXX.xml" file. Instead they are
>>> taken from encrypted values in a file below the application
>>> root. Works fine if I know that path
>>> at "createDataSource" time.
>> 
>> And the decryption key for that file is stored where?
>> 
>> https://wiki.apache.org/tomcat/FAQ/Password
>> 
>> 
> Thanks for the link. It clearly reflects my opinion as well

Good. At least you know this is all a farce.

> , but the customer demand is:
> 
> - no plain-text credentials (Big multinational company security 
> policies - fight them if you need the fun). And yes, this is all 
> about making auditors happy

Obviously, you are still failing this requirement. The only
requirement you are satisfying is "no plain-text credentials in a
standard configuration file". What you are doing is moving the
plain-text credentials into a non-standard configuration file.

> - minimize the locations where credentials are stored. This is
> only lightly related to the decrypt issue. Having to store
> identical stuff in more than one place is opening up all other
> sorts of practical issues

This is a reasonable requirement, as it helps reduce the attack
surface. But when the attack surface is "a file on the disk", getting
owned means you are owned, regardless of the location of the file(s).

As for the location of the secrets file, would it be possible to store
it *outside* of the web application's on-disk footprint? That will in
fact make you more secure. Let's say for example that a vulnerability
exists in the DefaultServlet, or one of your application's own
servlets. It allows path-traversal or whatever. A file living in your
application will then be potentially remotely-fetchable :( If you move
that file outside of the web application, you have a better chance of
preventing that kind of thing.

If the file is located outside of the application, you may be able to
reference it directly -- e.g. /etc/secrets/my-application-secrets.conf

-chris
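
An added example, not part of the message above and not Tomcat code: one way a custom factory could enforce the "outside the web application" advice before reading credentials, by refusing a secrets file that resolves inside the application base or that accounts other than the owner can access. The class `ExternalSecrets`, its `load` method and the temporary directory layout are hypothetical, and the permission check assumes a POSIX file system.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;

public final class ExternalSecrets {

    /** Loads secretsFile only if it lies outside appBase and is private to its owner. */
    static Properties load(Path secretsFile, Path appBase) throws IOException {
        // Resolve symlinks and ".." so the check compares real on-disk locations.
        Path real = secretsFile.toRealPath();
        if (real.startsWith(appBase.toRealPath())) {
            // Anything inside the deployed tree is exposed to a path-traversal bug.
            throw new SecurityException("secrets file is inside the web application: " + real);
        }
        // Only owner read/write is accepted; any other bit means a wider audience.
        for (PosixFilePermission p : Files.getPosixFilePermissions(real)) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new SecurityException("permissions too broad (" + p + "): " + real);
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(real)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/webapps/app/WEB-INF/db.conf and <tmp>/etc/db.conf
        Path tmp = Files.createTempDirectory("secrets-demo");
        Path appBase = Files.createDirectories(tmp.resolve("webapps"));
        Path inside = Files.createDirectories(appBase.resolve("app/WEB-INF")).resolve("db.conf");
        Path outside = Files.createDirectories(tmp.resolve("etc")).resolve("db.conf");
        for (Path p : Arrays.asList(inside, outside)) {
            Files.write(p, "username=app\npassword=constructed-sample\n".getBytes(StandardCharsets.UTF_8));
            Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("rw-------"));
        }
        System.out.println("loaded user: " + load(outside, appBase).getProperty("username"));
        try {
            load(inside, appBase);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The containment check runs on the resolved path, so a symlink placed outside the application that points back into it is rejected as well.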
