So y'all were forbidden to use Tomcat then? It's the most popular web application server, and plaintext is your only option for passwords in config files. For all the reasons I outlined, but mainly because putting passwords that aren't plaintext in config files is merely a false sense of security. Log4j is open source. Any mechanism we provide to encrypt/decrypt passwords is easily found and manually applied to passwords that a hacker retrieves from a config file.
I'll repeat again: the problem is unauthorized access to the config file. The symptom is access to the passwords. You have to treat the problem, not the symptoms. Nick On Aug 22, 2013, at 11:23 PM, Remko Popma wrote: > My company doesn't allow plaintext passwords in config files either. > > On Friday, August 23, 2013, Ralph Goers wrote: > I worked in an environment like Kurt's. passwords simply were not allowed in > clear text in config files. I still think a plugin is the right way to > handle that. > > Ralph > > On Aug 22, 2013, at 11:55 AM, Nick Williams <[email protected]> > wrote: > >> This is what file permissions are for. The file should be protected so that >> only those who are authorized may view it. For example, on a Linux machine >> it may be 0400 where the user is the account that the application runs >> under. Then only the application and root can view the file. >> >> N >> >> On Aug 22, 2013, at 1:32 PM, Kurt Lehrke wrote: >> >>> I believe there’s a small oversight in the idea that if someone has access >>> to your box, that it’s game over. >>> >>> Think about a situation where a company may have a box with administrators >>> and users. They may still want levels of security. For example, say you >>> have a JDBCAppender that has a user name and password in their log4j2 >>> configuration. The administrator may have access to their application and >>> the database, but a user may only need access to the box. Therefore, >>> having the user name and password hashed in the configuration file would >>> ensure that a user (non admin) on the system can’t get to the database. >>> This is an interesting challenge since the password hash would have to be a >>> symmetric algorithm. It’s still merely only a light level of security >>> since anyone with bad intent could still figure out the decryption by >>> looking at the encryption algorithm. >>> >>> In my experience (supply chain development), some companies are pretty >>> strict on having any password left in plain text, even if it is just for >>> logging. >>> >>> Just a thought. >>> >>> Thanks, >>> Kurt >>> >>>
