Why are plain text passwords in the config files? Because there is no good
way to secure them. When Tomcat needs to connect to a database, it needs
the original password. While the password could be encoded, there still
needs to be a mechanism to decode it. And since the source to Tomcat is
freely available, the attacker would know the decoding method. So at best,
the password is obscured - but not really protected.
http://wiki.apache.org/tomcat/FAQ/Password
2014/1/30 Mark Thomas ma...@apache.org
On 30/01/2014 09:46, Ja kub wrote:
is it possible not to write keystorePass in open text server.xml, and
make
tomcat to ask for it at startup ?
or specify only some hash of it (rather not possible) ?
http://wiki.apache.org/tomcat/FAQ/Password
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org