When sharing hosting on a less-than-secure server, I enhanced the
security of the passwords in my source code by writing simple Java
classes that return the password hardcoded within. The classes were
written so that they would only run in code calling them from the
correct directory on the server (i.e., if someone else tried to run the
class it returned nothing), and this was independent of CF sandboxing.
I loaded the classes dynamically, so they were never in the CF
classpath.

It isn't perfect, since decompiling the class would get the password,
but if someone is in a position to do that then they can also
decompile CF and get the encryption/decryption keys for datasource
passwords (and compromise the enhancement that has been talked about
in this thread too).
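One way to build the directory-bound class the post describes, as an added example rather than the poster's own code: it assumes Java 9 or later (for StackWalker), a hypothetical application directory /var/www/myapp and a placeholder secret, and keys the check on the location recorded in the caller's ProtectionDomain code source.

```java
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Hypothetical credential holder (added example; not the poster's actual class).
// The secret is returned only when the immediate caller's class was loaded from
// a location under EXPECTED_DIR; any other caller gets an empty string.
public final class DirectoryBoundSecret {

    // Assumption: the directory the legitimate application lives in on the host.
    private static final Path EXPECTED_DIR =
            Paths.get("/var/www/myapp").toAbsolutePath().normalize();

    // Placeholder value; a real deployment would hold the actual credential here.
    private static final String SECRET = "EXAMPLE-PASSWORD-PLACEHOLDER";

    private DirectoryBoundSecret() {}

    public static String getPassword() {
        // StackWalker (Java 9+) yields the caller's Class object, not just its
        // name, so we can inspect where that class was actually loaded from.
        // Reflection frames are skipped by default, so a reflective call from
        // dynamically loaded code still resolves to the real calling class.
        Class<?> caller = StackWalker
                .getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE)
                .getCallerClass();
        Path origin = codeLocation(caller);
        return (origin != null && origin.startsWith(EXPECTED_DIR)) ? SECRET : "";
    }

    // Resolves the on-disk location recorded in the class's ProtectionDomain.
    // Returns null when there is none (e.g. classes defined in memory) or when
    // the location is not a local path; the caller treats null as "refuse".
    private static Path codeLocation(Class<?> cls) {
        ProtectionDomain pd = cls.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return null;
        }
        try {
            return Paths.get(cs.getLocation().toURI()).toAbsolutePath().normalize();
        } catch (URISyntaxException | RuntimeException e) {
            // Non-file URLs (e.g. jar: or http:) cannot be mapped to a local path.
            return null;
        }
    }
}
```

The check is only as strong as the caller's CodeSource: classes defined by a loader that records no location, or a location unrelated to the template's directory, are refused, and the string is still recoverable from the class file, as the post points out.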

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:223752
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54

Reply via email to