tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using Environment variables instead of Java -D properties for context.xml substitution
Date Tue, 23 Jan 2018 16:05:50 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Algirdas,

On 1/23/18 6:11 AM, Algirdas Veitas wrote:
> Thanks for the quick reply George!
> 
> We could, but the data is still available, in this case a file,
> versus in the output of "ps -ef | grep java".  We can obviously
> encrypt the sensitive information.

Use sane file permissions?

While you are at it, why not just put the db username and password
into your application's META-INF/context.xml file where they belong?

> One idea, in order to support injecting Environment Variables would
> be to support a syntax of
> 
> ${env.DB_USER}
> 
> where if the subsitution property starts with "env", then the
> variable could be retrieve by System.getEnv(...) otherwise
> System.getProperty(...).

We *could* do that, but why?

Is there a reason to think that file permissions are easier to break
than, well, file permissions (think /proc/[pid]/environ)?

- -chris

> On Mon, Jan 22, 2018 at 10:19 PM, George Stanchev
> <Gstanchev@serena.com> wrote:
> 
>> Can you use catalina.properties? From the docs [1]
>> 
>> " All system properties are available including those set using
>> the -D syntax, those automatically made available by the JVM and
>> those configured in the $CATALINA_BASE/conf/catalina.properties
>> file."
>> 
>> [1] https://tomcat.apache.org/tomcat-7.0-doc/config/index.html
>> 
>> 
>> -----Original Message----- From: Algirdas Veitas
>> [mailto:apveitas@gmail.com] Sent: Monday, January 22, 2018 4:02
>> PM To: users@tomcat.apache.org Subject: Using Environment
>> variables instead of Java -D properties for context.xml
>> substitution
>> 
>> Hi,
>> 
>> We have a context.xml under $TOMCAT_HOME/conf that looks like
>> this:
>> 
>> <Resource name="jdbc/theDB" auth="Container" 
>> type="javax.sql.DataSource" username="${DB_USERNAME}" 
>> password="${DB_PASSWORD}" 
>> driverClassName="oracle.jdbc.OracleDriver" 
>> validationQuery="select 1 from dual" testOnBorrow="true" 
>> url="${DB_URL}" />
>> 
>> if we do something like this in setenv.sh, the substitution works
>> great
>> 
>> export DB_USERNAME=xyz export DB_PASSWORD=vvv
>> 
>> export JAVA_OPTS="$JAVA_OPTS -DDB_USERNAME=$DB_USERNAME" export
>> JAVA_OPTS="$JAVA_OPTS -DDB_PASSWORD=$DB_PASSWORD"
>> 
>> However, if on a linux box, if someone did a "ps -ef | grep
>> java", they would be able to see the actual values of these
>> parameters.
>> 
>> theuser 127734      1  0 Jan19 ?        00:04:39
>> /opt/java/bin/java 
>> -Djava.util.logging.config.file=/opt/mis/apps/jaspersoft/ 
>> tomcat/apache-tomcat/conf/logging.properties 
>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>
>> 
- -DDB_USERNAME=xyz
>> -DDB_PASSWORD=vvv
>> 
>> Which our operations team does not want....
>> 
>> Is there any syntax that Tomcat can recognize to substitute true 
>> environment variables (i.e. export DB_USERNAME=xyz) as opposed to
>> Java properties injected into the JVM by -D (i.e. export 
>> DB_USERNAME=$DB_USERNAME) ?  Haven't been able to find any
>> documentation on it, but thought would ask.
>> 
>> Thanks in advance, Al
>> 
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlpnXV0dHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFjcvQ/8Dtu3ftae5LDBrqLD
AZlkomVg2RnuaASPRIeX+wyDsT7+ojjIknJy3l2pw3z9F/7qp98JZR7AsDb8V+ma
ifRuxWEUrfpHmf+Mant+1DlgF56B+o9zMJevD435XwJiH2P2G6OBnopYvq5StDlN
GF0JN+HUtceastqw91P3SRj9DS8q2K36F6b75r5I+JmDXoDHecbtVXxMMwq55u6l
jXY/FzIUAfxmJnsiWZaYZ2+oFdwe4rWxe6vLTKUyAi17w3g7UcXHpXHzq4s7YlKO
zfqkThTnOUi9loRKQSzfOb6kIDMSmM+MHZ/JrXqRrPQ0h1GxOaea4Wnp5rBg4TBI
1fkCiSLbv6oa+olZsIqZCVESSSO1yeZYRkAolENqMyRX+vlDjzKJehyIF8LlsnvY
TjITzqEYsp9xSC15JU1OACmRdkOr9d/dS+5hoKT96cfu11Y+bt5My2lYvxUzGHCH
crdTs4j8C5TPN4mksasOOEfuEg5aad0nj5x2lb4meZwUGiQYxmn13JV8c7I0skOM
NtJX2kSxOLFFIpHZpPbY+cds2oYkfZOGFAKjcye7SGRGhuGFMfGohzZDbXIcgMVK
DeioYT+gc+r6Y2gSvzRPISdlzEeRi4oPrXM42vsRs2qvOaacManAqqIOhdAHdPsZ
a4mP2K3f7yHoWBxCG3zhxjli56o=
=MG1G
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message