[ANN] Apache Tomcat Native 1.2.30 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.30 stable.

The key features of this release are:
- Windows binaries built using OpenSSL 1.1.1k
- Fix an issue where some Windows systems in some configurations would only listen on IPv6 addresses on dual stack systems even though configured to listen on both IPv6 and IPv4 addresses.
- Additional fix for bug 65181 (support loading private keys in proprietary formats)

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as an operating system abstraction layer and OpenSSL for SSL networking and allows optimal performance in production environments.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
xcorpius,

On 6/7/21 06:44, xcorpius wrote:
> Just one more thing.
> I understand my mistake with the difference between encryption and digest.
>
> > Fortunately, the Tomcat committers have a sufficiently sound
> > understanding of both basic logic and basic cryptography not to waste
> > their time on such an exercise.
>
> Ok, but the question is: Why can Weblogic encrypt the password and Tomcat
> can't?
>
> https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477

context.xml:

...
password="passwordfile=secret.txt;NRFCIWRNFUGUWRMWUOGRXGRHOWRZFGWHFEO" />
...

secret.txt

password=tiger

This is the level of security JBoss provides. If it's more complicated than that, it just degrades to this solution.

I cannot fathom why "configuration files must not contain plaintext credentials" somehow doesn't cover secret.txt. Maybe context.xml counts as a "configuration file" but secret.txt counts as a "password file". I dunno.

If you use the Tomcat Vault, you still have to have the vault password somewhere. That's why we say it's "moving the goalposts": it doesn't actually solve the problem: it just moves the problem elsewhere.

We have tried to make everything we've said in this thread abundantly clear in the FAQ. If you think something isn't very clear, please let us know how we can improve it.

-chris

> ‐‐‐ Original Message ‐‐‐
> On Monday, 7 June 2021 11:42, Mark Thomas wrote:
>
> > On 07/06/2021 09:56, xcorpius wrote:
> > > Hello again!
> > > Checking the documentation ... Tomcat can create an encrypted password
> > > with the "digest.sh" tool for application passwords.
> > > But you cannot create an encrypted password for the DB in the
> > > context.xml file. The only solution without adding anything is to give
> > > restrictive permissions to the context.xml file.
> > > Wouldn't it be the same problem?
> >
> > No.
> >
> > > Why can't I generate an encrypted password for the database with the
> > > "digest.sh" tool instead of having to use a customized "factory"?
> >
> > Digesting != encrypting.
> > Digests are one-way functions. A digested password is no use to a client
> > that needs to authenticate itself to a server.
> >
> > > I think people who develop Tomcat should consider this option.
> >
> > Fortunately, the Tomcat committers have a sufficiently sound
> > understanding of both basic logic and basic cryptography not to waste
> > their time on such an exercise.
> >
> > Mark
> >
> > > Thank you very much to all.
> > > Xcorpius
> > >
> > > ‐‐‐ Original Message ‐‐‐
> > > On Friday, 30 April 2021 11:21, xcorpius xcorp...@protonmail.com wrote:
> > >
> > > > :-)
> > > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Monday, 26 April 2021 19:03, jonmcalexan...@wellsfargo.com wrote:
> > > >
> > > > > And when that isn't good enough for your senior management, take a
> > > > > look at the Tomcat Vault in GITHUB. :-)
> > > > >
> > > > > Jon McAlexander
> > > > >
> > > > > > -Original Message-
> > > > > > From: xcorpius xcorp...@protonmail.com.INVALID
> > > > > > Sent: Monday, April 26, 2021 8:36 AM
> > > > > > To: users@tomcat.apache.org
> > > > > > Subject: Re: Question about encrypting database passwords in the
> > > > > > context.xml file - Tomcat 9
> > > > > >
> > > > > > Thanks Olaf
> > > > > >
> > > > > > Original message
> > > > > > On 26 Apr 2021 14:02, Olaf Kock wrote:
> > > > > >
> > > > > > > On 26.04.21 13:10, xcorpius wrote:
> > > > > > > > Hi,
> > > > > > > > I wanted to ask about how to encrypt database passwords in
> > > > > > > > the context.xml file in Tomcat 9.
> > > > > > >
> > > > > > > Hi,
> > > > > > > please check this article:
> > > > > > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > > > > > > It covers the topic once and for all...
> > > > > > > Olaf
Re: Pi Based Java Work
John,

On 6/6/21 09:41, John Dale (DB2DOM) wrote:
> The limit query was repeating data at the borders of my pages. I
> whittled it down to a specific case and it was definitely not sorting
> properly. Very strange behavior!

I'd be interested in reading the bug report.

-chris

> On 6/1/21, Christopher Schultz wrote:
> > John,
> >
> > On 5/28/21 20:21, John Dale wrote:
> > > MariaDB has a sorting/limit problem that I haven't reported, yet
> > > (had to work around it).
> >
> > I'm interested in this. What is happening to you?
> >
> > -chris
> >
> > > On 5/28/21, Christopher Schultz wrote:
> > > > John,
> > > >
> > > > On 5/28/21 15:32, John Dale wrote:
> > > > > I debugged the server and it's not reaching my component.
> > > > >
> > > > > Request post is around 300K. Tomcat 9 on a raspberry pi 4 (w00t!).
> > > >
> > > > Maybe you are still just waiting around for that tiny CPU to run
> > > > all that bytecode. /snark
> > > >
> > > > Seriously, though, I'd be interested to hear about your pi-based
> > > > Java work in another thread. I have 2 Pi 4s and 2 Pi Zeros that I
> > > > haven't managed to do anything with besides running
> > > > EmulationStation (which I highly recommend for anyone who grew up
> > > > with an NES. Pew-pew!).
> > > >
> > > > -chris
RE: Strange error with JSP
Chris

[major snippage]

CS> app/work/Catalina/localhost/[$context]/org/apache/jsp/admin/
CS> SessionSnooper_jsp.java exist and have file-dates from way back
CS> in 2016. (No recent changes)

CS> This is Tomcat 8.5.65 from a stock ASF-distributed tarball,
CS> launched using "catalina.sh start". Nothing fancy.

CS> org.apache.jasper.compiler.Compiler.isOutDated(Compiler.java:464)

*Something* must have changed, perhaps out of your control?

I vaguely remember a few years back a customer was having a problem with a page not loading due to a compile error. The problem happened after we deployed a single-JSP fix at the same time the IT department changed the TC compiler or Java version. The problem went away eventually, I'm guessing after the IT dept did another something.

Can you make a copy of the JSP and edit it in-place down to the bare minimum that it will still generate the exception? That way the new copy of the code is freshly compiled and you have the possibility of narrowing things down? IOW, if you can't figure out what it is, figure out what it is not.

Is there a JAR file out of place?

--
Cris Berneburg
CACI Senior Software Engineer
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Thanks Mark,

This answer clears all my doubts.

‐‐‐ Original Message ‐‐‐
On Monday, 7 June 2021 13:19, Mark Thomas wrote:

> On 07/06/2021 11:44, xcorpius wrote:
>
> > Just one more thing.
> > I understand my mistake with the difference between encryption and digest.
> >
> > > Fortunately, the Tomcat committers have a sufficiently sound
> > > understanding of both basic logic and basic cryptography not to waste
> > > their time on such an exercise.
> >
> > Ok, but the question is: Why can Weblogic encrypt the password and Tomcat
> > can't?
>
> It can't.
>
> All Weblogic is doing is moving the goalposts. The database password may
> be encrypted but that just means the decryption key needs to be provided in
> plain text instead. No matter how many levels of indirection (or perhaps
> that should be misdirection) are applied, ultimately the application
> server process needs access to a secret in plain text.
>
> However complex the window dressing, it will come down to the operating
> system limiting access to the plain text secret to one or more users.
> This is fundamentally no different to the Tomcat recommendation to use
> OS file permissions to limit access to the configuration file where the
> secret is stored to the user used by Tomcat and root (or equivalent).
>
> If you want to allow more general read access to configuration files
> then there are simple ways to move the secrets to a separate, more
> tightly controlled file.
>
> Mark
>
> > https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
> > Thanks,
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
On 07/06/2021 11:44, xcorpius wrote:
> Just one more thing.
> I understand my mistake with the difference between encryption and digest.
>
> > Fortunately, the Tomcat committers have a sufficiently sound
> > understanding of both basic logic and basic cryptography not to waste
> > their time on such an exercise.
>
> Ok, but the question is: Why can Weblogic encrypt the password and Tomcat
> can't?

It can't.

All Weblogic is doing is moving the goalposts. The database password may be encrypted but that just means the decryption key needs to be provided in plain text instead. No matter how many levels of indirection (or perhaps that should be misdirection) are applied, ultimately the application server process needs access to a secret in plain text.

However complex the window dressing, it will come down to the operating system limiting access to the plain text secret to one or more users. This is fundamentally no different to the Tomcat recommendation to use OS file permissions to limit access to the configuration file where the secret is stored to the user used by Tomcat and root (or equivalent).

If you want to allow more general read access to configuration files then there are simple ways to move the secrets to a separate, more tightly controlled file.

Mark

> https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
> Thanks,
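Mark's recommendation above (limit the file holding the plain-text secret to the user Tomcat runs as and root) can be checked mechanically. The following is an added example, not code from the thread or from Tomcat: a Python audit for POSIX systems in which the function name, the uid/gid parameters and the sample file are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def audit_secret_file(path, allowed_uids, allowed_gid=None):
    """Return findings for a file that holds a plain-text secret (POSIX).

    allowed_uids: uids that may own the file and its directory, for example
                  the account Tomcat runs as plus 0 (root). Caller-supplied.
    allowed_gid:  optional gid that may have read-only group access.
    An empty list means no other local account can read or swap the file.
    """
    findings = []
    st = os.lstat(path)  # lstat, so a symlink planted at this path is noticed
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file (symlink or special file)"]

    if st.st_uid not in allowed_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}")

    # Group read is tolerated only for the one approved group; group write,
    # and any access for "other", is always reported.
    mode = stat.S_IMODE(st.st_mode)
    tolerated = stat.S_IRGRP if st.st_gid == allowed_gid else 0
    excess = mode & (stat.S_IRWXG | stat.S_IRWXO) & ~tolerated
    if excess:
        findings.append(
            f"{path}: mode {mode:04o} grants group/other access ({excess:03o})"
        )

    # Whoever can write to the directory can rename or replace the file,
    # unless the sticky bit restricts that to the file's owner.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    pmode = stat.S_IMODE(pst.st_mode)
    if pst.st_uid not in allowed_uids:
        findings.append(f"directory {parent}: owned by uid {pst.st_uid}")
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append(
            f"directory {parent}: mode {pmode:04o} is group/other writable"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for context.xml.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "context.xml")
    with open(sample, "w") as handle:
        handle.write('<Context><!-- constructed sample --></Context>\n')
    owners = {os.getuid(), 0}

    os.chmod(sample, 0o644)  # world-readable: reported
    print(audit_secret_file(sample, owners))
    os.chmod(sample, 0o600)  # owner only: clean
    print(audit_secret_file(sample, owners))
```

The same check applies unchanged to a separate secrets file if the credentials are moved out of context.xml.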
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Just one more thing.

I understand my mistake with the difference between encryption and digest.

> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.

Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?

https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477

Thanks,

‐‐‐ Original Message ‐‐‐
On Monday, 7 June 2021 11:42, Mark Thomas wrote:

> On 07/06/2021 09:56, xcorpius wrote:
>
> > Hello again!
> > Checking the documentation ... Tomcat can create an encrypted password with
> > the "digest.sh" tool for application passwords.
> > But you cannot create an encrypted password for the DB in the context.xml
> > file. The only solution without adding anything is to give restrictive
> > permissions to the context.xml file.
> > Wouldn't it be the same problem?
>
> No.
>
> > Why can't I generate an encrypted password for the database with the
> > "digest.sh" tool instead of having to use a customized "factory"?
>
> Digesting != encrypting.
>
> Digests are one-way functions. A digested password is no use to a client
> that needs to authenticate itself to a server.
>
> > I think people who develop Tomcat should consider this option.
>
> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.
>
> Mark
>
> > Thank you very much to all.
> > Xcorpius
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Thanks Mark for your clarifications.

‐‐‐ Original Message ‐‐‐
On Monday, 7 June 2021 11:42, Mark Thomas wrote:

> On 07/06/2021 09:56, xcorpius wrote:
>
> > Hello again!
> > Checking the documentation ... Tomcat can create an encrypted password with
> > the "digest.sh" tool for application passwords.
> > But you cannot create an encrypted password for the DB in the context.xml
> > file. The only solution without adding anything is to give restrictive
> > permissions to the context.xml file.
> > Wouldn't it be the same problem?
>
> No.
>
> > Why can't I generate an encrypted password for the database with the
> > "digest.sh" tool instead of having to use a customized "factory"?
>
> Digesting != encrypting.
>
> Digests are one-way functions. A digested password is no use to a client
> that needs to authenticate itself to a server.
>
> > I think people who develop Tomcat should consider this option.
>
> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.
>
> Mark
>
> > Thank you very much to all.
> > Xcorpius
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
On 07/06/2021 09:56, xcorpius wrote:
> Hello again!
> Checking the documentation ... Tomcat can create an encrypted password with
> the "digest.sh" tool for application passwords.
> But you cannot create an encrypted password for the DB in the context.xml
> file. The only solution without adding anything is to give restrictive
> permissions to the context.xml file.
> Wouldn't it be the same problem?

No.

> Why can't I generate an encrypted password for the database with the
> "digest.sh" tool instead of having to use a customized "factory"?

Digesting != encrypting.

Digests are one-way functions. A digested password is no use to a client that needs to authenticate itself to a server.

> I think people who develop Tomcat should consider this option.

Fortunately, the Tomcat committers have a sufficiently sound understanding of both basic logic and basic cryptography not to waste their time on such an exercise.

Mark

> Thank you very much to all.
> Xcorpius
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Ok, thank you very much Olaf.

‐‐‐ Original Message ‐‐‐
On Monday, 7 June 2021 11:36, Olaf Kock wrote:

> On 07.06.21 10:56, xcorpius wrote:
>
> > Hello again!
> > Checking the documentation ... Tomcat can create an encrypted password with
> > the "digest.sh" tool for application passwords.
> > But you cannot create an encrypted password for the DB in the context.xml
> > file. The only solution without adding anything is to give restrictive
> > permissions to the context.xml file.
> > Wouldn't it be the same problem? Why can't I generate an encrypted password
> > for the database with the "digest.sh" tool instead of having to use a
> > customized "factory"?
> > I think people who develop Tomcat should consider this option.
> > Thank you very much to all.
>
> Sorry, those are not the same: Digested passwords cannot be undigested,
> but any digestion of the same password reveals the same digested result,
> so that they can be compared. (read about the difference between hashing
> and encryption)
>
> For a database connection, you'll need to undigest (e.g. unencrypt) the
> password and get it in clear text. And that's precisely what the FAQ
> answers as impossible to do securely (without requiring manual input of
> keys at each startup)
>
> There's nothing here to consider that hasn't been considered before.
>
> Olaf
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
On 07.06.21 10:56, xcorpius wrote:

> Hello again!
>
> Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
>
> But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
>
> Wouldn't it be the same problem? Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
>
> I think people who develop Tomcat should consider this option.
>
> Thank you very much to all.

Sorry, those are not the same: Digested passwords cannot be undigested, but any digestion of the same password reveals the same digested result, so that they can be compared. (read about the difference between hashing and encryption)

For a database connection, you'll need to undigest (e.g. unencrypt) the password and get it in clear text. And that's precisely what the FAQ answers as impossible to do securely (without requiring manual input of keys at each startup)

There's nothing here to consider that hasn't been considered before.

Olaf

>> Hi,
>> I wanted to ask about how to encrypt database passwords in the context.xml file in Tomcat 9.
>
> Hi,
> please check this article:
> https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> It covers the topic once and for all...
> Olaf
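The distinction drawn in the message above, as an added example that is not part of the original thread and is not Tomcat's own code: a digest supports only a compare-on-login check, while a database credential must be decryptable by the unattended server. The class name, the salted SHA-256 digest, the AES-GCM choice and the sample passwords are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class DigestVsEncrypt {
    // One-way: the stored value can be compared against, never turned back into the password.
    static byte[] digest(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Login check: digest the submitted password again and compare the two digests.
    static boolean verify(byte[] salt, byte[] stored, String attempt) throws Exception {
        return MessageDigest.isEqual(stored, digest(salt, attempt));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();

        // Case 1: application user password (constructed sample value).
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        byte[] stored = digest(salt, "s3cret-user-pw");
        System.out.println("correct login: " + verify(salt, stored, "s3cret-user-pw"));
        System.out.println("wrong login:   " + verify(salt, stored, "guess"));

        // Case 2: database password (constructed sample value). The JDBC driver
        // has to present the real password, so the server must be able to decrypt it.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // must be stored where the server can read it
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("tiger".getBytes(StandardCharsets.UTF_8));

        // Unattended startup: ciphertext, IV and key are all readable on the host,
        // so whoever can read those files recovers the password the same way.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        String recovered = new String(dec.doFinal(ct), StandardCharsets.UTF_8);
        System.out.println("recovered DB password: " + recovered);
    }
}
```

The first case never needs the cleartext again; the second cannot work without it, which is why the key ends up stored next to the ciphertext unless an operator supplies it at each startup.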
RE: Question about encrypting database passwords in the context.xml file - Tomcat 9
Hello again!

Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.

But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.

Wouldn't it be the same problem? Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?

I think people who develop Tomcat should consider this option.

Thank you very much to all.

Xcorpius

‐‐‐ Original Message ‐‐‐
On Friday, 30 April 2021 11:21, xcorpius wrote:

> :-)
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, 26 April 2021 19:03, jonmcalexan...@wellsfargo.com wrote:
>
> > And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
> >
> > Jon McAlexander
> >
> > > -----Original Message-----
> > > From: xcorpius xcorp...@protonmail.com.INVALID
> > > Sent: Monday, April 26, 2021 8:36 AM
> > > To: users@tomcat.apache.org
> > > Subject: Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
> > >
> > > Thanks Olaf
> > >
> > > Original message
> > > On 26 Apr 2021 14:02, Olaf Kock wrote:
> > >
> > > > On 26.04.21 13:10, xcorpius wrote:
> > > >
> > > > > Hi,
> > > > > I wanted to ask about how to encrypt database passwords in the context.xml file in Tomcat 9.
> > > >
> > > > Hi,
> > > > please check this article:
> > > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > > > It covers the topic once and for all...
> > > > Olaf