RE: security of server.xml in tomcat

2003-06-10 Thread Sri Thuraisamy
It also depends on from whom you want to hide the credentials. If it's from
the web client, then based on the servlet specification, the files inside the
WEB-INF folder cannot be accessed by the web client. If you want to
protect from console access users, then you can protect by defining
access rights to the web deployment.

ST
 
On Mon, 2003-06-09 at 14:42, Chad Johnson wrote:
 Just a thought, I can't see how having the username and password in code
 is any more secure.  Prying eyes could have equal access to both.
 
 Chad Johnson
 Web Services Developer
 WS Packaging - Wisconsin Label
 Tel:(920)487-6271
 
 
 -Original Message-
 From: Mohamed Tagari [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 09, 2003 9:32 AM
 To: [EMAIL PROTECTED]
 Subject: security of server.xml in tomcat 
 
 
 Hi,
 
 Is there any way of instantiating the password and username 
 parameters for connecting to a database in the application code rather 
 than having it as plain text in the server.xml. 
 
 As having the username and password as plain text is not 
 very secure..
 
 Any help/information will be appreciated..
 
 The database will be containing sensitive information, hence all
 passwords 
 and usernames have to be protected..
 
 // java code
 Context init = new InitialContext();
 Context ctx = (Context) init.lookup("java:comp/env");
 DataSource ds = (DataSource) ctx.lookup("jdbc/myoracle");
 
 
 
 // extract from server.xml
 <Resource name="jdbc/myoracle" auth="Container"
   type="javax.sql.DataSource"/>
 
 <ResourceParams name="jdbc/myoracle">
 .
 .
 .
   <parameter>
     <name>username</name>
     <value>scott</value>
   </parameter>
   <parameter>
     <name>password</name>
     <value>tiger</value>
   </parameter>
 .
 .
 </ResourceParams>
 
 mo
 
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
-- 
Sri Thuraisamy [EMAIL PROTECTED]
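
An added example, not part of the thread or of Tomcat: a Python check for the console-access case raised above, reporting whether a server.xml that holds ResourceParams credentials is readable by anyone other than its owner. It assumes POSIX file permissions; the sample file, its Context wrapper and the write_sample helper are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the ResourceParams layout quoted in the thread.
SAMPLE = """<Context path="/app">
  <Resource name="jdbc/myoracle" auth="Container" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/myoracle">
    <parameter><name>username</name><value>scott</value></parameter>
    <parameter><name>password</name><value>tiger</value></parameter>
  </ResourceParams>
</Context>
"""

def plaintext_credentials(path):
    """List (resource, parameter) pairs whose value sits in the file as text."""
    hits = []
    for params in ET.parse(path).getroot().iter("ResourceParams"):
        for param in params.iter("parameter"):
            name = (param.findtext("name") or "").strip()
            value = (param.findtext("value") or "").strip()
            if name.lower() in ("username", "password") and value:
                hits.append((params.get("name"), name))
    return hits

def readable_by(path):
    """Return the permission classes besides the owner that can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [who for bit, who in ((stat.S_IRGRP, "group"), (stat.S_IROTH, "other"))
            if mode & bit]

def audit(path):
    """Fail when credentials are present and the file is readable beyond its owner."""
    creds, readers = plaintext_credentials(path), readable_by(path)
    return {"credentials": creds, "readable_by": readers,
            "ok": not (creds and readers)}

def write_sample(mode):
    """Hypothetical helper: write SAMPLE to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as handle:
        handle.write(SAMPLE)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for mode in (0o644, 0o600):
        path = write_sample(mode)
        print(oct(mode), audit(path))
        os.remove(path)
```

The check passes only when the file is restricted to the account that owns it (the one Tomcat runs as); it says nothing about who can log in as that account.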




RE: security of server.xml in tomcat

2003-06-09 Thread Chad Johnson
Just a thought, I can't see how having the username and password in code
is any more secure.  Prying eyes could have equal access to both.

Chad Johnson
Web Services Developer
WS Packaging - Wisconsin Label
Tel:(920)487-6271


-Original Message-
From: Mohamed Tagari [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 9:32 AM
To: [EMAIL PROTECTED]
Subject: security of server.xml in tomcat 


Hi,

Is there any way of instantiating the password and username 
parameters for connecting to a database in the application code rather 
than having it as plain text in the server.xml. 

As having the username and password as plain text is not 
very secure..

Any help/information will be appreciated..

The database will be containing sensitive information, hence all
passwords 
and usernames have to be protected..

// java code
Context init = new InitialContext();
Context ctx = (Context) init.lookup("java:comp/env");
DataSource ds = (DataSource) ctx.lookup("jdbc/myoracle");



// extract from server.xml
<Resource name="jdbc/myoracle" auth="Container"
  type="javax.sql.DataSource"/>

<ResourceParams name="jdbc/myoracle">
.
.
.
  <parameter>
    <name>username</name>
    <value>scott</value>
  </parameter>
  <parameter>
    <name>password</name>
    <value>tiger</value>
  </parameter>
.
.
</ResourceParams>

mo





Re: security of server.xml in tomcat

2003-06-09 Thread kev
On Monday, June 9, 2003, at 03:31 PM, Mohamed Tagari wrote:

Hi,

Is there any way of instantiating the password and username
parameters for connecting to a database in the application code rather
than having it as plain text in the server.xml.
As having the username and password as plain text is not
very secure..
Any help/information will be appreciated..

ok store the username/password as an encrypted text string and use the 
JAAS API to a: encrypt it in the first place, and b: read it back into 
the application from the encrypted text string in the server.xml 
file.

I was looking into this myself (not using tomcat but in another 
Oracle/Java project), but the time it would take for me to implement 
and test the secure/encrypted version (2 days including test) was 
deemed to be not worthwhile. C'est la vie.

Kev

  <parameter>
    <name>username</name>
    <value>scott</value>
  </parameter>
  <parameter>
    <name>password</name>
    <value>tiger</value>
  </parameter>
especially the default scott/tiger :)

--
To be governed is to be watched over, inspected, spied on, directed, 
legislated... - Pierre-Joseph Proudhon