Hi Martin, most security experts tend to discourage "Security through Obscurity". Moreover, it doesn't take too many lines of code or too powerful a machine to perform a dictionary or brute-force crack on these passwords. Meaning, if I've gotten to your password store, you're already wide open. I'll just query the database, grab the passwords (even encrypted) and write about a 30-line Perl script that guesses until it gets it right. I'll just disassemble the class file, redeploy, and capture what the user types.
I'd instead encrypt any remote EJB calls using RMI+SSL, HTTP calls with SSL, etc. I'd put my datasource definitions in their own deploy directory with tight permissions. I'd put my authentication source somewhere locked down fairly tight. Prevent users from picking stupid passwords, etc. Heck, if you really want security, don't use passwords :-). Ultimately, you want accountability: you need to know who did what and who had access to the information to leak it.

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3822186#3822186

JBoss-user mailing list
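The "prevent users from picking stupid passwords" point above is the one cheap control that directly raises the cost of the dictionary/brute-force attack the poster describes. Below is an added example of such a policy check (not code from the original post or from JBoss): it normalizes the candidate password, undoes common letter-for-symbol substitutions so that a disguised dictionary word is still caught, and rejects short, low-variety, repeated, or user-name-derived passwords before they ever reach the store. The word list, thresholds and function names are constructed for illustration.

```python
"""Password-policy check: reject weak passwords before they reach the store.

Added example, not part of the original JBoss-user post. The dictionary and
the policy thresholds below are constructed for illustration; a real
deployment would load a large wordlist (e.g. the one the attacker would use).
"""
import re

# Constructed sample dictionary of words an attacker's list will certainly contain.
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "admin", "jboss",
    "monkey", "dragon", "secret", "changeme",
}

# Letter-for-symbol substitutions that cracking wordlists already enumerate,
# so "P@ssw0rd" must be treated as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12          # minimum accepted length
LONG_PASSPHRASE = 20     # at or above this length the class-mix rule is waived


def normalize(password):
    """Reduce a password to the dictionary word it is built from:
    lower-case it, drop leading/trailing digits and punctuation
    ('password123!' -> 'password'), then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # strip trailing digits/punctuation
    base = re.sub(r"^[^a-z]+", "", base)   # strip leading digits/punctuation
    return base.translate(LEET_MAP)


def character_classes(password):
    """Count how many of lower, upper, digit, symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password, username="", dictionary=COMMON_WORDS):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Long passphrases made of plain words are fine; short passwords must mix classes.
    if len(password) < LONG_PASSPHRASE and character_classes(password) < 3:
        problems.append("uses fewer than 3 character classes")
    base = normalize(password)
    if base in dictionary:
        problems.append(f"dictionary word '{base}' (after undoing substitutions)")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times")
    if re.fullmatch(r"(.+?)\1+", password):
        problems.append("is a repeated pattern")
    return problems


if __name__ == "__main__":
    # Constructed candidates a user might try; each line shows the verdict.
    for candidate, user in (("P@ssw0rd123!", "martin"),
                            ("correct horse battery staple", "martin"),
                            ("jbossjboss", "martin"),
                            ("Martin2004!!", "martin")):
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The normalization step is the part worth copying: a plain "is it in the wordlist" check lets "P@ssw0rd123!" through, while the cracking tools the poster mentions try exactly those substitutions first. Run the check at registration and password change, and pair it with the transport encryption and tight datasource permissions the post recommends; the policy only limits how far a captured store gets the attacker, it does not remove the need to keep the store out of reach.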