From: Milanez, Marcus [mailto:[EMAIL PROTECTED]
On the other hand, is it right to stay behind a
possible security fault (malicious super user performing
login) in order to say I'll not correct known security issues
in my application?
There's a lovely discussion on exactly this topic in
Marcus,
Milanez, Marcus wrote:
| Filip Hanik wrote:
| if someone gets onto your machine as a super user, you have a bigger
| problem than the password being in clear text
|
| That is the answer everyone gives in tomcat forums all over the
| internet,
Hello everyone,
We were asked to eliminate clear text passwords associated with database
pooled connections in context.xml files... I know it has been discussed
a lot, but I would like to ask once again whether someone has a simple,
clean solution for that. We are using Windows server and MS SQL
it's a wasted effort, the one way it could be truly secure, was if
tomcat asked you for a key upon startup. this wouldn't work very well in
a 1000 tomcat instance server farm.
any other effort simply masks the problem, letting you think it is
secure, when it isn't.
what you should do is
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 13, 2008 12:37
To: Tomcat Users List
Subject: Re: Once again, clear text passwords in context.xml files
it's a wasted effort, the one way it could be truly secure, was if tomcat asked
you for a key upon startup
From: Kevin Williams [mailto:[EMAIL PROTECTED]
Subject: Re: Once again, clear text passwords in context.xml files
How about hashing the passwords with a known formula and storing them
in this intermediate format. App would need to hash the user input
and compare.
There's no user input
-
From: Kevin Williams [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 13, 2008 14:36
To: Tomcat Users List
Subject: Re: Once again, clear text passwords in context.xml files
How about hashing the passwords with a known formula and storing them in this
intermediate format. App
-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 13, 2008 12:37
To: Tomcat Users List
Subject: Re: Once again, clear text passwords in context.xml files
it's a wasted effort, the one way it could be truly secure, was if tomcat
asked you for a key upon