[Tomcat Wiki] Update of "FAQ/Password" by KonstantinKolinko

2018-01-23 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "FAQ/Password" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Password?action=diff&rev1=12&rev2=13

Comment:
Update entry about setting a custom PropertySource. Add link to "PicketLink 
Vault extension for Apache Tomcat" project.

   . Now, whenever you write {{{&resources;}}} in the text below, it will be 
replaced by the content of the file "resources.txt". The file path is relative 
to the conf directory.
   * Write your own datasource implementation which wraps your datasource and 
obscure your brains out ([[http://en.wikipedia.org/wiki/XOR_cipher|XOR]] and 
[[http://en.wikipedia.org/wiki/ROT13|ROT13]] are great candidates for this 
since their strength matches the protection you'll actually get). See the docs 
on how to do this.
   * Write your own {{{javax.naming.spi.ObjectFactory}}} implementation that 
creates and configures your datasource.
-  * (Tomcat 7) Write your own 
{{{org.apache.tomcat.util.IntrospectionUtils.PropertySource}}} implementation 
to 'decrypt' passwords that are 'encrypted' in catalina.properties and 
referenced via ${...} in server.xml. You will need to set the system property 
{{{org.apache.tomcat.util.digester.PROPERTY_SOURCE}}} to point to your 
!PropertySource implementation. 
+  * Write your own 
{{{org.apache.tomcat.util.IntrospectionUtils.PropertySource}}} implementation 
to 'decrypt' passwords that are 'encrypted' in catalina.properties and 
referenced via ${...} in server.xml. You will need to set the 
[[https://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html|system 
property]] {{{org.apache.tomcat.util.digester.PROPERTY_SOURCE}}} to point to 
your !PropertySource implementation.
+ * An example of a project that provides such custom !PropertySource: 
[[https://github.com/picketbox/tomcat-vault|PicketLink Vault extension for 
Apache Tomcat]].
  
  A cultural reference:
  
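Review bot: the replacement bullet drops the "(Tomcat 7)" qualifier and links to the tomcat-8.5-doc system properties page, but it no longer tells the reader which Tomcat versions honour org.apache.tomcat.util.digester.PROPERTY_SOURCE; suggest keeping a version note next to the link. The quoted 'decrypt' / 'encrypted' wording would also benefit from an explicit pointer back to the "Why are plain text passwords in the config files?" answer: whatever key or secret the custom PropertySource uses to decrypt must itself be readable by the Tomcat process, so this relocates the secret rather than protecting it, and the same caveat applies to the newly linked PicketLink Vault extension.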

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Tomcat Wiki] Update of "FAQ/Password" by KonstantinKolinko

2016-06-28 Thread Apache Wiki

The "FAQ/Password" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Password?action=diff&rev1=11&rev2=12

Comment:
Correct DOCTYPE declaration example - it has to match the root element. See 
"Validity constraint: Root Element Type" in XML 1.0 spec (REC-xml-20081126). I 
am using this syntax in my server.xml files.

  
   * Use properties replacement so that in the xml config you have 
${db.password} and in conf/catalina.properties you put the password there. 
   * Since server.xml is an XML file — you can use XML entities. For example: 
"woot" becomes "woot" which is a way to 
obscure the password. You may even go through an extra layer of indirection by 
converting ${db.password} into XML entities so that the property replacement 
above is also performed. (But remember, while "clever, not more secure)
-  * XML entities can be read from an external file. That is, add the following 
lines at the top of server.xml just above the {{{}}} element:
+  * XML entities can be read from an external file. That is, add the following 
text at the top of server.xml just after the XML declaration (``) 
and before the {{{}}} element (line wraps can be removed):
  
  {{{
- 
  ]>
  }}}
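Review bot: the rewritten bullet correctly places the DOCTYPE after the XML declaration and before the root element, and the commit message explains why the declared name must match the root element, but the entry still says nothing about the external entity file itself. That file now holds the plaintext password that used to sit in server.xml, so it needs the same "limiting access" treatment the page prescribes for any file containing a password (readable only by the user the Tomcat process runs as and root); suggest adding one sentence to that effect beside the example.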




[Tomcat Wiki] Update of "FAQ/Password" by KonstantinKolinko

2014-07-10 Thread Apache Wiki

The "FAQ/Password" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Password?action=diff&rev1=10&rev2=11

Comment:
Add link to Wikipedia article

   * Write your own {{{javax.naming.spi.ObjectFactory}}} implementation that 
creates and configures your datasource.
   * (Tomcat 7) Write your own 
{{{org.apache.tomcat.util.IntrospectionUtils.PropertySource}}} implementation 
to 'decrypt' passwords that are 'encrypted' in catalina.properties and 
referenced via ${...} in server.xml. You will need to set the system property 
{{{org.apache.tomcat.util.digester.PROPERTY_SOURCE}}} to point to your 
!PropertySource implementation. 
  
+ A cultural reference:
+ 
+  * [[http://en.wikipedia.org/wiki/Turtles_all_the_way_down|It is turtles all 
the way down]] (Wikipedia)
+ 
  
  [[CategoryFAQ]]
  




[Tomcat Wiki] Update of "FAQ/Password" by KonstantinKolinko

2014-07-10 Thread Apache Wiki

The "FAQ/Password" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Password?action=diff&rev1=9&rev2=10

Comment:
Add emphasis

  == Why are plain text passwords in the config files? ==
  Because there is no good way to "secure" them. When Tomcat needs to connect 
to a database, it needs the original password. While the password could be 
encoded, there still needs to be a mechanism to decode it. And since the source 
to Tomcat is freely available, the attacker would know the decoding method. So 
at best, the password is obscured - but not really protected. Please see the 
user and dev list archives for flame wars about this topic.
  
- That said, any configuration file that does contain a password needs to be 
appropriately secured. That means limiting access to the file so that it could 
be read only by the user that Tomcat process runs as and root (or the 
administrator on Windows).
+ That said, any configuration file that does contain a password needs to be 
appropriately secured. That means '''limiting access''' to the file so that it 
could be read only by the user that Tomcat process runs as and root (or the 
administrator on Windows).
  
  In [[http://www.catb.org/~esr/writings/cathedral-bazaar/|The Cathedral and 
the Bazaar]], Eric S. Raymond recounts a story where his fetchmail users asked 
for encrypted passwords in the .fetchmailrc file (which is almost identical to 
the situation posed here with server.xml). He refused 
[[http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s09.html|using
 the same arguments posed here]]: encrypting or otherwise obfuscating the 
password in server.xml does not provide any real security: only "security by 
obscurity" which isn't actually secure.
  
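Review bot: bolding "limiting access" helps, but the paragraph still speaks only of "any configuration file that does contain a password", and the page's own alternatives move the password into conf/catalina.properties or an external entity file referenced from server.xml. Suggest stating explicitly that every file the password ends up in, plus whatever a custom PropertySource reads to 'decrypt' it, needs the same restriction, otherwise readers will lock down server.xml alone and leave the copy elsewhere world-readable.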
