Return-Path: <users-return-260627-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 75CDC200C23
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 22 Feb 2017 12:26:24 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 746D5160B67; Wed, 22 Feb 2017 11:26:24 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id BD0D3160B49
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 22 Feb 2017 12:26:23 +0100 (CET)
Received: (qmail 98873 invoked by uid 500); 22 Feb 2017 11:26:21 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 98862 invoked by uid 99); 22 Feb 2017 11:26:21 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Feb 2017 11:26:21 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 3C662C05B0
	for <users@tomcat.apache.org>; Wed, 22 Feb 2017 11:26:21 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001]
	autolearn=disabled
Authentication-Results: spamd4-us-west.apache.org (amavisd-new);
	dkim=pass (1024-bit key) header.d=tetralog.com
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id amBzi220VMjk for <users@tomcat.apache.org>;
	Wed, 22 Feb 2017 11:26:18 +0000 (UTC)
Received: from mo4-p00-ob.smtp.rzone.de (mo4-p00-ob.smtp.rzone.de [81.169.146.219])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 3E2B95F1B8
	for <users@tomcat.apache.org>; Wed, 22 Feb 2017 11:26:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1487762771;
	l=3050; s=domk; d=tetralog.com;
	h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:
	Date:From:References:To:Subject;
	bh=75GxjHd99vhn9HcBAqbRPLYYkNiPZWP+Y/QpWT8gpCE=;
	b=KIycfvkJpyMOS+iUXMrR6uShH/BNLzmE/GRmH068pePECaUnGURA/4WdyXA+3DglZn
	3NWXOQQjbx5IPCvWFj1nSzuRr/TqAZ9Au1j4qXmska33P/pcL5ua/1QTRHwtVg7yqDvB
	6Uq6r+UHDEIzmeshwm7LY7bYMPz/VSm5yMj4U=
X-RZG-AUTH: :JWICemC8fuuwd2a1u44qUR4Pn7fWHUdORk9fSvFyQQQYI4h5f2cGpJIZxXMEEBsh
X-RZG-CLASS-ID: mo00
Received: from tetralog.com (p57BD0F71.dip0.t-ipconnect.de [87.189.15.113])
	by smtp.strato.de (RZmta 39.13 DYNA|AUTH)
	with ESMTPA id q0196bt1MBQBJxL
	for <users@tomcat.apache.org>;
	Wed, 22 Feb 2017 12:26:11 +0100 (CET)
Received: from [192.168.40.51] (dku-pc.tetralog.local [192.168.40.51])
	by tetralog.com (Postfix) with ESMTP id E939F8C019E
	for <users@tomcat.apache.org>; Wed, 22 Feb 2017 12:26:50 +0100 (CET)
Subject: Re: Getting application root path before servlet is initialized?
To: Tomcat Users List <users@tomcat.apache.org>
References: <CAJtcoLasrtjDqjmX7Fp3yj2srU_pQYW=SOEyoDs+g_F7hSEVQQ@mail.gmail.com>
 <1d5cc2b4-9a16-0ce8-383e-69a06ab5f78d@apache.org>
 <CAJtcoLZ5e=c+DobXKYvL_8rbpSF3KZqDsKZTDCwori5en8HP0g@mail.gmail.com>
From: =?UTF-8?Q?Daniel_K=c3=bcppers?= <daniel@tetralog.com>
Organization: Tetralog Kunststoffrecycling e.K.
Message-ID: <03d5a55f-7a1b-d713-456e-2dc3838ad1b8@tetralog.com>
Date: Wed, 22 Feb 2017 12:26:13 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CAJtcoLZ5e=c+DobXKYvL_8rbpSF3KZqDsKZTDCwori5en8HP0g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
archived-at: Wed, 22 Feb 2017 11:26:24 -0000

Am 22.02.2017 um 11:19 schrieb Martin Knoblauch:
> On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <markt@apache.org> wrote:
>
>> On 21/02/2017 13:31, Martin Knoblauch wrote:
>>> Hi,
>>>
>>>   is there a way to find the absolute path of the application root before
>>> the servlet is initialized?
>>>
>>> Alternatively: is there a way to defer the initialization of a datasource
>>> until the servlet is initialized?
>>>
>>> Background: I have extended "org.apache.tomcat.jdbc.pool.
>> DataSourceFactory"
>>> to automatically set credentials so that they are not stored in the
>>> "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
>>> values in a file below the application root. Works fine if I know that
>> path
>>> at "createDataSource" time.
>> And the decryption key for that file is stored where?
>>
>> https://wiki.apache.org/tomcat/FAQ/Password
>>
>>
>   Thanks for link. It clearly reflects my opinion as well, but the customer
> demand is:
>
> - no plain-text credentials (Big multinational company security policies -
> fight them if you need the fun). And yes, this is all about making auditors
> happy
> - minimize the locations where credentials are stored. This is only lightly
> related to the decrypt issue. Having to store identical stuff in more than
> one place is opening up all other sorts of practical issues
>
>   So, yes - any mechanism that can decrypt needs to store the key somewhere
> and this just shifts away the problem from securing one item to securing
> another one. In my case the application (that I will not reveal here)
> stores encrypted DB credentials in its configuration and provides an API to
> retrieve them decrypted. I guess, the key is somewhere in the source code
> (likely obfuscated to prevent casual hacking by debugging). the less I know
> ... :-)
>
>> In order to avoid hard coding that path, I need a programmatic to find
>> that
>>> value. Unfortunately the datasource is initialized before the servlet, so
>>> "getRealPath()" is not working yet.
>>>
>>> Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I
>>> do not want to name :-)
>> Ignoring what I suspect is a fundamental flaw in this plan, you probably
>> want a ServletContextListener and contextInitialized()
>>
>>
> Thanks again for the hint. Will have a look. In the meanwhile  I found a
> way by looking at
>
> this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();
>
> Adding some assumptions about the classpath (which are required to be true
> in this whole context) this gives me the needed information :-)
>
> Thanks
> Martin
>
>> Mark
>>
>>
I could imagine that the use of a secure key-value store would be 
helpfull in this scenario.
vault is a great solution for this. quick googling [1] brings a tomcat 
implementation for vault.
If youre not allready familiar with vault, give it a try [2].

Daniel

[1] https://github.com/januslabs/tomcat-vault
[2] https://www.hashicorp.com/vault.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org