From: Apache Wiki
To: Apache Wiki
Delivered-To: mailing list dev@tomcat.apache.org
Date: Sun, 07 Nov 2010 04:44:35 -0000
Message-ID: <20101107044435.56818.26612@eosnew.apache.org>
Subject: [Tomcat Wiki] Trivial Update of "FAQ/Password" by KonstantinKolinko

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "FAQ/Password" page has been changed by KonstantinKolinko.
The comment on this change is:
Correction: character encoding of server.xml does not matter.

http://wiki.apache.org/tomcat/FAQ/Password?action=diff&rev1=2&rev2=3

--------------------------------------------------

  Of course, auditors do not like this answer. So there are some ways to get around this ...
   * Use properties replacement so that in the xml config you have ${db.password} and in conf/catalina.properties you put the password there. You are not safer, but the auditors may be happy.
-  * Since server.xml uses utf-8 encoding - you can use xml entities. For example: "woot" becomes "&#119;&#111;&#111;&#116;" which is a way to obscure the password
+  * Since server.xml is an XML file — you can use XML entities. For example: "woot" becomes "&#119;&#111;&#111;&#116;" which is a way to obscure the password
   * Write your own datasource implementation which wraps your datasource and obscure your brains out. See the docs on how to do this.
   * (Tomcat 7) Write your own org.apache.tomcat.util.!IntrospectionUtils.!PropertySource implementation to 'decrypt' passwords that are 'encrypted' in catalina.properties and referenced via ${...} in server.xml. You'll need to set the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE to point to your !PropertySource implmentation. This won't provide any real security, it just adds another level of indirection - i.e. 'security by obscurity'.

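Review bot: The corrected "+" line is accurate, since numeric character references such as &#119; are resolved by the XML parser regardless of the encoding declared for server.xml, so the old justification ("uses utf-8 encoding") was wrong and the new one is right. The same fact is worth stating in the bullet itself: because any XML parser (or anyone who can read the file) resolves the references, the value is as exposed as plaintext; consider ending the line with "which obscures, but does not protect, the password", matching the 'security by obscurity' caveat in the last bullet. The unchanged last context line also has "implmentation" (missing an 'e'), which could be fixed in the same edit.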