I commented on this in the following article - http://www.owasp.org/index.php/Securing_tomcat#Cleartext_Passwords_in_CATALINA_HOME.2Fconf.2Fserver.xml
In short, no.
There was also some further discussion on one of the OWASP list
recently -
Mark,
The ability to store encrypted passwords doesn't necessarily have to be used to
protect the system from hackers. This would be a GREAT feature to enforce the
responsibilities between different roles in a development environment. Also,
the encryption doesn't have to be foolproof, it
Mark,
I also don't feel quite at ease to see passwords in clear text in the
server.xml file. True, if the protection on that file is set up
properly, there shouldn't be much issue. But it strikes me that Tomcat
is the only application I know where passwords are stored in clear
text. Why wouldn't
Mark, I've heard that argument before, and it has never made sense to
me. If an attacker has read access to one box, that box had better not
have passwords for all the other servers in plain text files!
Security isn't all-or-nothing. There are levels of security, and you
want to get as much
Why wouldn't we at least store the MD5 hash of the passwords
instead of the password in clear text, or use a scheme similar to the
Unix /etc/passwd file?
You've not thought this through. Tomcat needs to decrypt or somehow
have the credentials in cleartext so it can pass them to the database
datasource.
Not an easy solution but can be achieved :)
Regards
Guru
-----Original Message-----
From: Darren [mailto:[EMAIL PROTECTED]
Sent: 01 May 2007 16:10
To: Tomcat Users List
Subject: Re: Encrypting passwords in the connection pool setup
Why wouldn't we at least store
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Richard,
Richard DeGrande wrote:
The ability to store encrypted passwords doesn't necessarily have to
be used to protect the system from hackers. This would be a GREAT
feature to enforce the responsibilities between different roles in a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martin,
Martin Dubuc wrote:
But it strikes me that Tomcat
is the only application I know where passwords are stored in clear
text.
I'll bet that Tomcat is the only application that needs to know its own
passwords. Do you have Apache running with
Just to add to this discussion ...
First, let me say I don't think encrypting the password would in any way
add significantly to tomcat's security or the security of the database.
What I'm offering is just a possibility from a purely academic
standpoint. Two solutions that can be taken
Chris,
I am not sure I buy your argument that because there is somewhere else
in an implementation that is as insecure as cleartext password, then
there is no point in fixing the cleartext password issue. With this
argument, we would never care about fixing any security holes, because
one can
Martin,
All encryption systems need a way to boot themselves. This either means
you store the password somewhere so the program can self-boot itself, or
you need user intervention, such as typing in the password (or inserting
a dongle or other security hardware device).
Once the system has
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martin,
Martin Dubuc wrote:
I am not sure I buy your argument that because there is somewhere
else in an implementation that is as insecure as cleartext password,
then there is no point in fixing the cleartext password issue. With
this argument,
I'm using Tomcat 5.5 to run a web application. I have the connection pools
set up and working in the context.xml but the password is in plain text.
Does anyone know of a way to encrypt the password and username to the
database?
Kelly J Flowers wrote:
I'm using Tomcat 5.5 to run a web application. I have the connection pools
set up and working in the context.xml but the password is in plain text.
Does anyone know of a way to encrypt the password and username to the
database?
This is nearly always pointless. A couple
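The thread's practical answer is that the credential in context.xml has to be readable by Tomcat anyway, so the control that matters is the protection on the file itself. The script below is an added example, not code from the list posters or from the Tomcat project: it parses a constructed context.xml in the shape Tomcat 5.5 uses for a JNDI DataSource (the `Resource` element with `username` and `password` attributes), lists resources carrying a literal `password`, and reports whether the file is readable by anyone other than its owner. The resource name, JDBC URL and credential values are placeholders, and the expected-owner check is an optional assumption for sites that run Tomcat under a dedicated service account.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample context.xml in the layout Tomcat 5.5 uses for a JNDI
# DataSource. Host, user and password are placeholders, not real values.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/AppDB" auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.example.internal:3306/app"
            username="appuser" password="EXAMPLE_PLACEHOLDER_PASSWORD"
            maxActive="20" maxIdle="10" maxWait="-1"/>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session" mail.smtp.host="localhost"/>
</Context>
"""

# Attribute names whose value is a secret the container hands to the driver.
SECRET_ATTRIBUTES = ("password",)


def find_cleartext_credentials(xml_text):
    """Return (resource name, attribute) pairs whose value is a non-empty literal secret."""
    root = ET.fromstring(xml_text)
    hits = []
    for res in root.iter("Resource"):
        for attr in SECRET_ATTRIBUTES:
            if res.get(attr):
                hits.append((res.get("name", "<unnamed>"), attr))
    return hits


def check_file_protection(path, allowed_owner_uid=None):
    """Return findings about a config file that should be readable only by the
    account Tomcat runs as. allowed_owner_uid is an optional, site-specific assumption."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-readable or group-writable (mode %o)" % mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-readable or world-writable (mode %o)" % mode)
    if allowed_owner_uid is not None and st.st_uid != allowed_owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, allowed_owner_uid))
    return findings


def audit_config(path, allowed_owner_uid=None):
    """Combine both checks: file-mode findings only matter if the file holds a secret."""
    with open(path, encoding="utf-8") as fh:
        creds = find_cleartext_credentials(fh.read())
    findings = check_file_protection(path, allowed_owner_uid) if creds else []
    return {"cleartext_credentials": creds, "file_findings": findings}


def demo():
    """Write the constructed sample with a permissive mode, audit it,
    then tighten the mode to owner-only and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "context.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONTEXT_XML)
        os.chmod(path, 0o644)
        before = audit_config(path)
        os.chmod(path, 0o600)
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 0644:", before)
    print("mode 0600:", after)
```

Run it against a real `$CATALINA_HOME/conf/context.xml` or `server.xml` by calling `audit_config(path, allowed_owner_uid=<tomcat uid>)`; a clean result is a file that names a credential but produces no file findings, which is the state the OWASP page and the replies above are asking for.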